Overview1.       Summary2.       Environment3.       Configurationa)         Active Directory Configurationb)         CA Configurationc)         Exchange Server IIS Configurationd)         Exchange Configuration4.       Exchange OWA PKI access testing1.     SummaryThis guide describes how to configure exchange 2010 authentication for PKI2.     EnvironmentThis is document was written with Single domain environment, the CA server was located in the domain controller.ItemOperation SystemIP addressHost NameFunction1Windows Server 2008 R210.100.5.181Win2k8dc.c6f1r1.cloudDomain Controller2Windows Server 2008 R210.100.5.181Win2k8dcEnterprise Root CA3Windows Server 2008 R210.100.5.183Exchange 2010Exchange Server4Windows 7 Enterprise10.100.5.180ClientOWA Access testing3.  Configuration:3.1   Windows Server 2008 R2 Active Directory ConfigurationIn active directory domain controller,--> Go to Active Directory Group Policy Management:-->Select Domains-->select domain “c6f1r1.cloud”-->Right click “Default Domain Policy”-->Select “Edit”-->Select “User Configuration”-->Security Settings-->Public key Policy-->On the right screen, click “Certificate Services Client – Auto-Enrollment”Chose “Renew Expired Certificates, update pending certificates, and remove revoked certificates” and “update certificates that use certificate templates”, then click ”OK” to save it.3.2 Windows Server 2008 R2 CA ConfigurationCertification Authority--> Certificate Templates-->ManageIn Certificate Templates Console--> User-->Duplicate Template-->Windows Server 2003 EnterpriseIn Template Display Name--> General Tab: AutoEnroll-User-->In the Security tab:Click “OK” to save it. And then go back to “Certificate Templates’Certificate Templates-->New-->Certificate Template IssueSelect the template that just create “AutoEnroll-User”, click “OK”Now you can find the template in the right of the “Certificate Templates”3.3 IIS ConfigurationGo to “Internet Information Services (IIS) Manager”-->EXCHANGE2010 (C6F1R1\administrator)-->Authentication-->Enable “Active Directory Client Certificate Authentication”Select “Sites”-->Default Web Site-->SSL Settings-->Chose “Require SSL”--> Client certificate, select “Require”Exchange OWA SSL Setting:--> go back to Site-->Default Web Site-->owaExchange OWA Client CertificatedAuthenticate Setting-->OWA-->ConfigurationEditor-->Section,in the drop down-->System.webserver-->Security-->Authentication-->ClientCertificateMappingAuthentication-->Enable:Change the key from False to TrueExchange Microsoft-Server-ActiveSync Setting-->Site-->Default Web Site--> Microsoft-Server-ActiveSyncExchange Microsoft-Server-ActiveSync ClientAuthenticate Setting-->Microsoft-Server-ActiveSync-->ConfigurationEditor-->Section,in the drop down-->System.webserver-->Security-->Authentication-->ClientCertificateMappingAuthentication-->Enable:Change the key from False to True3.4  Exchange 2010 ConfigurationOpen Exchange Management Console-->Select “Client Access”-->Select the tab “Outlook Web App” in the right screen-->in owa (default web site) Properties, select “use one or more standard authentication methods”,-->select “integrate Windows Authentication”, then restart IISSelect tab “Exchange ActiveSync”-->in Microsoft-Server-ActiveSync (default Web Site) Properties-->Client certificate authentication-->select “Require client certificates”In Exchange Management Console-->Select “Server Configuration”-->Click “New Exchange Certificate” in Actions panelYou will see there have one pending certificated signing request (CSR) in Exchange Management ConsoleOpen the certificate request file in E:\certrequest.req with windows notepadOpen windows internet explorer(IE), and connect to CA server to request the certificates for ExchangeIn CA welcome page-->Select a task-->Request a certificate-->Submit an advanced certificate request-->Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.-->copy the content of “certrequest.req” to “Base-64-encoded certificated request (CMC or PKCS #10 or PKCS #7)”-->Certificate Template-->select “Web Server”-->click “submit-->click “Download Certificate” save it to E:\Go back to Exchange Management Console-->Select “Server Configuration”-->Select the pending certificate signing request(CSR)-->Right click it and select “Complete Pending Request”-->select the certificate that just download to E:\ driverAfter the certificate import successfully,-->Right the certificate “Exchange2010PKI”-->Assign Services to CertificateAfter the service assigned complete successfully, you can delete the other Microsoft Exchange self-signed certificates:4.     Exchange OWA PKI access testingBefore the Win7 client joined into the domain “c6f1r1.cloud”-->change the hosts file as below-->Open the IE and type the OWA address to access the Exchange mailbox-->https://exchange2010.c6f1r1.cloud/owa, you will find as belowNow let’s join the client to domain “c6f1r1.cloud” to test it againAfter type the user name and password, you can success to access your mailbox.For the Exchange 2007 PKI configuration, the step is the same as Exchange server 2010. The difference only was in Exchange server certificate request. In Exchange server 2007, you only can request the certificate with exchange management shell. For detail, please refer below link:http://technet.microsoft.com/en-us/library/aa995942.aspx