Securing Exchange OWA with RSA SecurID


KB ID 0000966 Dtd 11/07/14


Later on in the year I've got a big RSA and SharePoint deployment. As I know 'Zippity Squat' about SharePoint, I thought the best way to get some hands-on experience was to work out how to integrate SecurID with Exchange 2013 (which I know a few things about!).


I'm assuming you already have RSA Authentication Manager set up and users/tokens deployed. This run-through is simply to get your RSA solution working with Exchange/OWA.

1. Create a user in Active Directory (here I'm using SVC_RSA_Access) and ensure that user has a mailbox. You can do this in the Exchange Admin Center, but I prefer to use the shell.

Enable-MailUser -Identity SVC_RSA_Access -ExternalEmailAddress <external-email-address>

2. Hopefully it will complete without error.

3. Over in the Exchange Admin Center > Servers > Virtual Directories > OWA > Edit.

4. Authentication > Select Integrated Windows Authentication.

5. Then restart IIS with the following command:

iisreset /noforce

6. The .NET 3.5 feature needs to be added (Server Manager > Add Roles and Features).

7. Log onto the Security Console of your RSA Authentication Manager appliance > Access > Authentication Agents > Generate Configuration File > Follow the wizard > Download the file.

8. Place the file you downloaded (sdconf.inf) on the Exchange server in the C:\Windows\system32 folder.

RSA for OWA 2013 sdconf.rec

9. Download and install the RSA Authentication Agent for Web for IIS. Accept all the defaults during the install; it should locate the config file you have just downloaded.

10. On the Exchange server launch 'RSA Web Agent', and don't be surprised when IIS Manager opens.

11. Select Default Web Site > RSA SecurID.

12. Select 'Enable RSA SecurID Web Access Authentication' > Apply.

13. Select the OWA Virtual Directory > Authentication > Ensure Anonymous Authentication and Windows Authentication are both enabled.

14. With Anonymous Authentication selected > Edit > Set the user account to the user we created back in step 1.

15. Select the WebID Virtual Directory > Authentication > Ensure Anonymous Authentication is enabled.

16. Select the OWA virtual directory > Select 'Protect This Resource with RSA SecurID' > Select 'Target This Resource for Single Sign-On' > Apply.

17. Right-click OWA > Manage Application > Advanced Settings > Ensure the Application Pool is set to MSExchangeOWAAppPool.

18. Right-click WebID > Manage Application > Advanced Settings > Ensure the Application Pool is set to RSA SecurID Pool.

19. Once again restart the IIS service.

20. Back in the Security Console of the RSA appliance > Access > Authentication Agents > Add New.

21. Enter the Exchange server details > Set the Agent Type to Web Agent > Save.

22. Hopefully it should go green and look like this.

23. Now when you connect to OWA, instead of the usual logon screen you should see this. Enter your domain username and your SecurID passcode.

24. Once authentication has succeeded > Continue > and you will be logged into OWA.
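The settings from steps 4 to 18 can be confirmed in one pass with a read-only check. This is an added example, not part of the original article or of RSA's or Microsoft's tooling. It assumes an elevated Exchange Management Shell on the Exchange server with the WebAdministration and ServerManager modules available, and uses the site, directory, pool and account names given in the steps above.

```powershell
# Added example: read-only verification of the configuration from steps 4-18.
# Assumption: run elevated in the Exchange Management Shell on the Exchange server.
Import-Module WebAdministration
Import-Module ServerManager

$site     = 'Default Web Site'
$svcUser  = 'SVC_RSA_Access'     # account created in step 1
$authRoot = 'system.webServer/security/authentication'

# Read one attribute of an IIS authentication scheme at a given location.
function Get-AuthSetting($location, $scheme, $name) {
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
             -Filter "$authRoot/$scheme" -Name $name -ErrorAction SilentlyContinue
    # The cmdlet returns either a raw value or a wrapper object exposing .Value
    if ($v -is [string] -or $v -is [bool]) { $v } else { $v.Value }
}

$owaVdir  = Get-OwaVirtualDirectory -Server $env:COMPUTERNAME | Select-Object -First 1
$owaApp   = Get-WebApplication -Site $site -Name 'owa'
$webIdApp = Get-WebApplication -Site $site -Name 'WebID'

$checks = [ordered]@{
    'Step 4:  OWA vdir uses Integrated Windows auth' = $owaVdir.WindowsAuthentication -eq $true
    'Step 6:  .NET 3.5 feature installed'            = (Get-WindowsFeature NET-Framework-Core).Installed
    # Wildcard on the extension so the check does not depend on it
    'Step 8:  sdconf file present in system32'       = Test-Path "$env:SystemRoot\System32\sdconf.*"
    'Step 13: OWA anonymous auth enabled'            = (Get-AuthSetting "$site/owa" 'anonymousAuthentication' 'enabled') -eq $true
    'Step 13: OWA Windows auth enabled'              = (Get-AuthSetting "$site/owa" 'windowsAuthentication' 'enabled') -eq $true
    'Step 14: OWA anonymous identity is service acct' = (Get-AuthSetting "$site/owa" 'anonymousAuthentication' 'userName') -like "*$svcUser"
    'Step 15: WebID anonymous auth enabled'          = (Get-AuthSetting "$site/WebID" 'anonymousAuthentication' 'enabled') -eq $true
    'Step 17: OWA app pool'                          = $owaApp.applicationPool -eq 'MSExchangeOWAAppPool'
    # Pattern tolerates both spellings of the pool name (SecurID / SecureID)
    'Step 18: WebID app pool'                        = $webIdApp.applicationPool -like 'RSA Secur*ID Pool'
}

$results = foreach ($name in $checks.Keys) {
    [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
}
$results | Format-Table -AutoSize

# Surface failures clearly so drift after patching or a CU install is noticed.
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count) { Write-Warning "$($failed.Count) check(s) do not match the documented configuration." }
```

Re-running it after an Exchange cumulative update or an IIS change shows whether the virtual directory authentication or application pool assignments have been reset.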



Author: Migrated