Today, I am going to show you how to configure Cisco Duo two-factor authentication for Outlook Web App (OWA) on Exchange 2013 and later.
1. Check your server versions before starting. These instructions are for Exchange Server 2013 and 2016 running on Windows Server 2012 or newer, and Exchange Server 2019 running on Windows Server 2019. The integration also requires .NET Framework 4.5 and ASP.NET 4.5.
2. Log in to each Exchange Server and run the following PowerShell commands to make sure .NET Framework 4.5 is installed.
Import-Module ServerManager
Add-WindowsFeature NET-Framework-45-Core
3. Run the following PowerShell commands to make sure ASP.NET 4.5 support for IIS and HTTP Activation are installed.
Import-Module ServerManager
Add-WindowsFeature NET-Framework-45-ASPNET
Add-WindowsFeature NET-WCF-HTTP-Activation45
4. Run the following PowerShell commands to make sure the IIS Management Scripts and Tools feature is turned on.
Import-Module ServerManager
Add-WindowsFeature Web-Scripting-Tools
5. Sign up for a Duo account. The detailed steps are described at the following link.
6. Log in to the Duo Admin Panel and navigate to Applications.
7. On the Applications page, click Protect an Application.
8. On the Protect an Application page, locate the entry for Microsoft OWA in the applications list and click Protect.
9. Take note of the integration key, secret key, and API hostname. You will need this information to complete your setup.
10. Download the Duo OWA Installer Package for Exchange 2013+. View checksums for Duo downloads here.
https://dl.duosecurity.com/duo-owa-latest.msi
11. Log in to the Exchange Server (Client Access Services).
12. Launch the Duo Security installer MSI from an elevated command prompt (right-click “Command Prompt” and select the “Run as Administrator” option). Accept the license agreement and continue.
13. Click Run at the Open File – Security Warning prompt.
14. At the Welcome page, click Next.
15. Enter your integration key, secret key, and API hostname when prompted.
If you leave the “Bypass Duo authentication when offline” box in the Duo installer checked, your users will be able to log on without completing two-factor authentication if the Duo Security cloud service is unreachable (fail open). If that box is unchecked, all OWA login attempts will be denied if there is a problem contacting the Duo service (fail closed).
Duo for OWA sends a user’s Windows sAMAccountName to Duo’s service by default. To send the userPrincipalName to Duo instead, check the “Send username to Duo in UPN format” box. For this to work, OWA and ECP must be using Forms-Based Authentication (FBA).
If you enable the UPN username format option, you must also edit the properties of your OWA application in the Duo Admin Panel and change the “Username normalization” setting to None. Otherwise, Duo drops the domain suffix from the username sent from OWA to its service, which may cause user mismatches or duplicate enrollment.
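Before launching the Duo MSI on each Client Access server, it is worth confirming the prerequisites from steps 2 to 4 and the FBA requirement for the UPN option. The following pre-flight check is an added example written for this post (it is not part of the original post or of Duo's installer); it assumes it is run in the Exchange Management Shell, which provides Get-OwaVirtualDirectory and Get-EcpVirtualDirectory.

```powershell
# Added example: pre-flight check before installing Duo for OWA on this server.
# Run in the Exchange Management Shell on each Client Access server.
Import-Module ServerManager

# Windows features installed in steps 2-4 of the post
$requiredFeatures = @(
    'NET-Framework-45-Core',
    'NET-Framework-45-ASPNET',
    'NET-WCF-HTTP-Activation45',
    'Web-Scripting-Tools'
)

$missing = Get-WindowsFeature -Name $requiredFeatures | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ("Missing Windows features: " + ($missing.Name -join ', '))
} else {
    Write-Host "All required Windows features are installed."
}

# The "Send username to Duo in UPN format" option requires Forms-Based Authentication
# on both the OWA and ECP virtual directories of this server.
$thisServer = $env:COMPUTERNAME
$vdirs = @(Get-OwaVirtualDirectory -Server $thisServer) + @(Get-EcpVirtualDirectory -Server $thisServer)
foreach ($vdir in $vdirs) {
    if ($vdir.FormsAuthentication) {
        Write-Host ("{0}: Forms-Based Authentication is enabled" -f $vdir.Identity)
    } else {
        Write-Warning ("{0}: FBA is disabled; do not enable the UPN username option" -f $vdir.Identity)
    }
}
```

If any warning appears, install the missing feature or enable FBA on the flagged virtual directory before continuing with the installer.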
16. If only one Exchange Server is running the Client Access Server role, select the option to automatically generate a new key and click Next.
17. If you have multiple Client Access servers, manually generate a random string at least 40 characters long and use the same string as the session key during installation on each of the servers. Run the following PowerShell commands to generate a suitable session key.
# Fill a 40-byte buffer from the cryptographic random number generator
$bytes = new-object "System.Byte[]" 40
(new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
# Base64-encode the bytes to get a printable session key
[Convert]::ToBase64String($bytes)
18. Enter the shared session key and click Next.
19. Click Install to install the Duo Security OWA Integration.
20. Complete the Duo installation. The installer stops and then restarts the IIS services automatically; click Finish.
21. Repeat these steps to install the Duo Security OWA Integration on all Exchange Servers.
22. After the installation has completed on all Exchange Servers, try to access OWA.
23. On the OWA login page, click Send Me a Push.
24. Tap the Approve check mark in the Duo app on your phone.
25. You are now logged in to OWA.
Hope you enjoy this post.
Cary Sun
Twitter: @SifuSun
Web Site: carysun.com
Blog Site: checkyourlogs.net
Blog Site: gooddealmart.com