mystyleit

August 2007 - Posts

  • How to configure Forms-Based Authentication in Exchange Server 2003 OWA

    By default, Outlook Web Access (OWA) is set up to use Basic Authentication. Best practice is to configure MS Exchange 2003 to use Forms-Based Authentication (FBA) over Secure Sockets Layer (SSL). This document outlines the procedure for setting up FBA over SSL from start to finish.

    Installing a Stand-alone Root CA

    A Microsoft Certificate Server can take on one of four roles:

    • Enterprise Root CA
    • Enterprise Subordinate CA
    • Stand-alone Root CA
    • Stand-alone Subordinate CA

    For our purpose, we will install a self-signed Stand-alone Root CA.

    A self-signed Stand-alone Root CA requires that Internet Information Services (IIS) be installed.

    1. Click Start, point to Control Panel and click Add/Remove Programs.
    2. In the Add or Remove Programs window, click the Add/Remove Windows Components button.
    3. In the Windows Components dialog box, click on the Certificate Services entry and click the Details button.
    4. Check the Certificate Services CA checkbox, note the warning about changing the machine name and click the Yes button.
    5. Ensure that both Certificate Services CA and Certificate Services Web Enrollment Support checkboxes are checked. Click OK in the Certificate Services dialog box.
    6. Select Stand-alone Root CA.
    7. Enter the machine name as the Common Name and click Next.
    8. Accept the default certificate database locations.
    9. Click Yes on the Microsoft Certificate Services dialog box informing you that Internet Information Services must be stopped temporarily.
    10. Click Finish on the Completing the Windows Components Wizard page.

    The standalone Certificate Server is now ready to accept certificate requests.

    Creating an SSL Certificate for OWA

    The CA must issue us a certificate to use for the OWA portal. In order to get the certificate we must:

    • Create a certificate request.
    • Submit the certificate request.
    • Approve the certificate.
    • Download and install the certificate.

    Creating a Certificate Request

    1. Open IIS Management Console and expand Web Sites.
    2. Right click on Default Web Site and select Properties.
    3. Select the Directory Security tab.
    4. Click the Server Certificate button.
    5. Click Next.
    6. Click Next again to accept Create a new certificate.
    7. Select Prepare the request now, but send it later and click Next.
    8. Click Next to accept the default name and bit length for the certificate.
    9. Fill in appropriate values for Organization and Organization unit.
    10. For the Common Name, type in the DNS name that will be used to connect to the OWA server, usually mail.domainname.com.
    11. Fill in appropriate values for Country, State/province, and City/locality.
    12. Click Next to accept the default request file location, C:\certreq.txt.
    13. Click Next to confirm options.
    14. Click Finish to close the Wizard.

    Submitting the request to the CA

    1. Browse to the web console of your Stand-alone CA using http://servername/certsrv
    2. Click Request a certificate.
    3. Click advanced certificate request.
    4. Click Create and submit a request to this CA.
    5. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
    6. Open C:\certreq.txt in Notepad and copy all the text into the Saved Request field.
    7. Click Submit.

    Approving the Certificate

    1. Click Start, click Programs, click Administrative Tools, and click Certification Authority.
    2. Expand the server and click Pending Requests.
    3. Right click the pending request and click Issue.

    Downloading and installing the certificate

    1. Browse to the web console of your Stand-alone CA using http://servername/certsrv
    2. Click View the status of a pending certificate request.
    3. Click the link to download the certificate.
    4. Download the certificate as a *.cer file.
    5. Open IIS Management Console and expand Web Sites.
    6. Right click on Default Web Site and select Properties.
    7. Select the Directory Security tab.
    8. Click the Server Certificate button.
    9. Click Next.
    10. Click Next to accept Process the pending request and install the certificate.
    11. Click Browse and navigate to your downloaded certificate file and click Next.
    12. Click Next to accept the default SSL port as 443.
    13. Click Next to accept.
    14. Click Finish.

    Your IIS certificate has now been created and installed for the Default Web Site.

    Installing the certificate to OWA

    1. In Internet Services Manager, in the console tree, expand servername (your local computer), and then expand Web Sites, then expand Default Web Site.
    2. In the console tree, right-click the Exchange virtual directory, and then click Properties.
    3. In the Default Web Site Properties dialog box, on the Directory Security tab, in the Secure communications area, click Edit.
    4. In the Secure Communications dialog box, click the Require secure channel (SSL) check box, click the Require 128-bit encryption check box, and then click OK.
    5. Keep clicking OK until you are completely out of the Properties dialog boxes, then close IIS.
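
    To confirm that the settings from the steps above took effect, the following added example (not part of the original post) reads the IIS 6 metabase through ADSI and reports whether the Exchange virtual directory requires SSL and 128-bit encryption. It assumes PowerShell 2.0 is installed on the server, that the Default Web Site has site ID 1, and that it is run as a local administrator; the function name is hypothetical.

```powershell
# Added example: audit "Require secure channel (SSL)" and
# "Require 128-bit encryption" on OWA virtual directories.
# Assumptions: IIS 6 on the local machine, Default Web Site = site ID 1.

# Bits of the IIS metabase property AccessSSLFlags.
$AccessSSL    = 0x008   # Require secure channel (SSL)
$AccessSSL128 = 0x100   # Require 128-bit encryption

function Test-OwaSslRequirement {            # hypothetical helper name
    param(
        [int]$SiteId = 1,
        [string[]]$VirtualDirectory = @('Exchange')
    )
    foreach ($name in $VirtualDirectory) {
        $path = "IIS://localhost/W3SVC/$SiteId/ROOT/$name"
        try {
            $node  = [ADSI]$path
            # InvokeGet returns the effective value, including settings
            # inherited from the parent web site.
            $flags = [int]$node.psbase.InvokeGet('AccessSSLFlags')
        } catch {
            Write-Warning "Cannot read $path : $($_.Exception.Message)"
            continue
        }
        $ssl    = ($flags -band $AccessSSL)    -ne 0
        $ssl128 = ($flags -band $AccessSSL128) -ne 0
        New-Object PSObject -Property @{
            VirtualDirectory = $name
            RequireSsl       = $ssl
            Require128Bit    = $ssl128
            Compliant        = ($ssl -and $ssl128)
        }
    }
}

# Report every checked directory; anything with Compliant = False
# still accepts plain HTTP or weak ciphers.
Test-OwaSslRequirement |
    Select-Object VirtualDirectory, RequireSsl, Require128Bit, Compliant |
    Format-Table -AutoSize
```

    Other virtual directories can be checked by passing their names to -VirtualDirectory.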

    Enabling Forms-Based Authentication

    After configuring SSL on the OWA site, you now need to enable the Forms-Based Authentication on the HTTP Virtual Server in Exchange System Manager.

    1. Open Exchange System Manager.
    2. Navigate to your server object.
    3. Expand your server object, and expand Protocols.
    4. Expand HTTP.
    5. Right-click on the Exchange Virtual Server and select Properties.
    6. On the Settings tab, click to select the Enable Forms Based Authentication check-box.
    7. Click OK, and click OK to dismiss the warning message.
    8. Restart the IIS services either from the Services snap-in or from the IIS Admin snap-in.

    By default, Forms-Based Authentication requires that users enter their usernames as DOMAIN\USERNAME. To change this default behavior, set the following:

    FBA over SSL for OWA setup complete.

  • How to increase the Exchange Server 2003 Service Pack 2 18-gigabyte database size limit

    The release of SP2 for MS Exchange 2003 changed the default database limit from 16 GB to 18 GB. In addition, SP2 allows you to further increase the size of an MS Exchange 2003 Standard Edition database to a maximum of 75 GB.

    Exchange Server 2003 version     Licensed limit          Default configuration limit
    Standard Edition before SP2      16 GB                   Not applicable
    Standard Edition with SP2        75 GB                   18 GB
    Enterprise Edition before SP2    8,000 GB (unlimited)    Not applicable
    Enterprise Edition with SP2      8,000 GB (unlimited)    8,000 GB

    Here is the KB article on how to determine the Edition, and the Server Version of the Exchange Servers in Your Organization: http://support.microsoft.com/kb/820270

    Depending on the Edition, and Server Version of the Exchange Servers in your Organization you have several options. Here is KB article outlining what options are available: http://support.microsoft.com/kb/828070

    If your organization is running MS Exchange 2003 Standard Edition SP2, your best option is to extend the database limit to a value that is appropriate to the available HDD size on the Exchange Server. The following procedure configures a new MS Exchange 2003 Standard Edition SP2 database limit.

    1. On the computer that is running Exchange 2003 SP2, click Start, click Run, type regedit, and then click OK.
    2. Click one of the following registry subkeys, as appropriate for the store that you want to increase:
      • For a mailbox store, click the following registry subkey:

        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Server name\Private-Mailbox Store

      • For a public folder store, click the following registry subkey:

        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Server name\Public-Public Store GUID

    3. On the Edit menu, point to New, and then click DWORD Value.
    4. In the New Value #1 box, type Database Size Limit in Gb, and then press ENTER.
    5. Right-click Database Size Limit in Gb, and then click Modify.
    6. Click Decimal, and then type an integer from 1 to 75 in the Value data box.
    7. Click OK, and then exit Registry Editor.
    8. Restart the Microsoft Exchange Information Store service. To do this, follow these steps:
      1. Click Start, click Run, type cmd, and then click OK.
      2. At the command prompt, type the following command, and then press ENTER:

        net stop msexchangeis

      3. After the Microsoft Exchange Information Store service has stopped successfully, type the following command, and then press ENTER:

        net start msexchangeis

    9. Examine the Application log to verify that the database size has been set successfully. To do this, follow these steps:
      1. Click Start, click Run, type eventvwr, and then click OK.
      2. In the Event Viewer tool, click Application.
      3. Double-click event ID 1216 to verify that the database size has been set successfully. Event 1216 is generated every time the Microsoft Exchange Information Store service is started.

    Here is the KB article for this procedure: http://support.microsoft.com/kb/912375
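
    The registry change, service restart and event log check above can also be scripted; the following is an added example, not code from the original post or the KB article. It assumes PowerShell is installed on the Exchange server, that the "Server name" part of the registry path equals the local computer name, and that 50 GB is a sample value; it applies the limit to every mailbox store key it finds.

```powershell
# Added example: set "Database Size Limit in Gb" for mailbox stores,
# restart the Information Store and confirm event ID 1216 was logged.
# Assumptions: run as administrator on the Exchange 2003 SP2 server;
# the "Server name" key matches $env:COMPUTERNAME.
$LimitGb   = 50        # sample value; choose one that fits the free disk space
$ValueName = 'Database Size Limit in Gb'
$Base      = "HKLM:\System\CurrentControlSet\Services\MSExchangeIS\$env:COMPUTERNAME"

# The procedure allows an integer from 1 to 75 only.
if ($LimitGb -lt 1 -or $LimitGb -gt 75) {
    throw "Limit must be an integer from 1 to 75 (got $LimitGb)."
}

# Mailbox store keys start with "Private-"; use 'Public-*' for public folder stores.
$stores = @(Get-ChildItem -Path $Base |
    Where-Object { $_.PSChildName -like 'Private-*' })
if ($stores.Count -eq 0) { throw "No mailbox store keys found under $Base." }

foreach ($key in $stores) {
    # -Force overwrites the value if it already exists.
    New-ItemProperty -Path $key.PSPath -Name $ValueName `
        -PropertyType DWord -Value $LimitGb -Force | Out-Null
    Write-Output "Set '$ValueName' = $LimitGb on $($key.PSChildName)"
}

# Equivalent of: net stop msexchangeis / net start msexchangeis
$restartedAt = Get-Date
Restart-Service -Name MSExchangeIS -Force
Start-Sleep -Seconds 30    # give the store time to mount and log its events

# Event 1216 is written each time the Information Store service starts.
$events = @(Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.EventID -eq 1216 -and $_.TimeGenerated -ge $restartedAt })
if ($events.Count -eq 0) {
    Write-Warning "No event ID 1216 since $restartedAt; check the Application log."
} else {
    $events | Select-Object TimeGenerated, Source, Message | Format-List
}
```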