Two-factor authentication for Outlook Anywhere? RRS feed

  • Question

  • Are there any two factor authentication options for Outlook anywhere when using Exchange 2003 and Outlook 2007? All users will have their domain username and pasword, but for external access we need a second authentication method.

    We can issue certificates to computers or users. However, my Google searches didn't come up with any hits on how to make Outlook Anywhere work with certificates/smart cards.

    I know IIS has a many-to-one certificate mapping feature, but it wasn't clear if that would work. For example, it wants you to input an account which the many-to-one mapping uses.

    Our requirement is to only accept Outlook Anywhere connections from computers which have corporate issued user certificates. If ISA 2006 helps at all, we can throw that into the mix. But I'd prefer a solution that only relies on IIS configuration changes.

    Clients will be Windows XP SP3 or Windows 7 beta.

    Wednesday, April 15, 2009 8:08 PM

All replies

  • I have not seen this implemented by Exchange itself.  It has usually been in the form of users first having to VPN using a smart card or something then they can use RPC over HTTPS once the vpn is extablished.

    Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
    • Proposed as answer by Mike Crowley Friday, June 5, 2009 1:22 PM
    Friday, June 5, 2009 1:21 PM
  • As a user, from what I can tell, I think it is possible.  Unfortunately, I have no idea it is setup.  

    As a DOD user, we use SmartCards (CAC and PIV) and PINs to log into windows.  Our usernames are actually disabled for login.  Outlook is configured to use the OA feature.  I hope this is what you were looking for.
    Saturday, June 20, 2009 1:49 AM
  • I'm in a DoD entity as well. But I'm looking for external OA CAC authentication. Are you using OA externally from the internet, or just internal on your DoD network? My problem is CAC authentication to the external OA ports. I talked to Microsoft at TechED and they didn't seem to think it was possible by just using Outlook and Exchange. Something like DirectAccess with Windows 7/Server 2008 R2, VPN, or maybe ISA would be needed.
    Saturday, June 20, 2009 2:49 AM
  • External -- Hotel, Home, wherever.

    I know we are using Win2k3, but I don't know what else.  Ask your MS rep to look into the AFMC setup in the AF.
    Sunday, June 21, 2009 5:31 PM
  • At this point, I don't think this is possible.  I think something is in the works in the future, though. 
    Jim McBee - Blog - http://mostlyexchange.blogspot.com
    Friday, June 26, 2009 8:47 PM
  • At this point, I don't think this is possible.  I think something is in the works in the future, though. 
    Jim McBee - Blog - http://mostlyexchange.blogspot.com

    Correct, Microsoft confirmed it was impossible. However, I wrote a blog about some information that MS told me which could open the door for it working in the future.

    Saturday, June 27, 2009 3:31 PM
  • It is possible! Take a look at:

    Deepnet Authentication for Outlook Anywhere

    This product has been available for a while and already reviewed by Microsoft!

    Sunday, November 8, 2009 12:10 AM
  • Thanks, I sent a request to them for additional information. We'd really need it to work with DoD CAC cards to be of any use.

    Sunday, November 8, 2009 2:35 AM