Configuring two-factor authentication for Outlook Web Access (OWA)

Overview

This article shows how to configure Outlook Web Access (OWA) for remote mail access on an Exchange server with two-factor authentication.

Available authentication methods:

• SMS
• Biometrics
• Hardware OTP tokens
• OTP applications: Google Authenticator or Yandex. Key
• Telegram
• Mobile application (soon)

To configure the second authentication factor you will need to install and configure the MultiFactor.IIS.Adapter component on your Exchange server. The component is designed and supported by MultiFactor and distributed for free. The current version is available at MultiFactor.IIS.Adapter.1.0.5.zip.

Operation Principle

1. The user opens the Outlook Web Access site; 2 OWA requests the first authentication factor: login and password, verifies that the data is correct and creates the user session;
2. The MultiFactor.IIS.Adapter component checks that the session is authorized and redirects the user to the second authentication factor;
3. After successfully passing the second factor, the user returns to the OWA site and continues.

Installation Requirements

1. The component needs access to the host api.multifactor.ru on TCP port 443 (TLS); 2 Outlook Web Access must work with a valid SSL certificate.

Multifactor configuration

1. Go to Multifactor Management System, then to 'Resources' and create a new Outlook Web Access site;

OWA configuration

1. Copy the file Bin\MultiFactor.IIS.Adapter.dll into the directory
   C:\Program Files\Microsoft\Exchange \ClientAccess\Owa\Bin;
2. Copy the file mfa.aspx into the directory
   C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa; 3 Edit the file
   C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config:

• first make a backup copy
• in section <modules> add the component in the first line

<add type="MultiFactor.IIS.Adapter.Owa.Module, MultiFactor.IIS.Adapter" name="MFA" />

• in <appSettings> add component parameters

<add key="multifactor:api-url" value="https://api.multifactor.ru" />
<add key="multifactor:api-key" value="API Key from Multifactor Settings" />
<add key="multifactor:api-secret" value="API Secret from Multifactor Settings" />

• save and close.

More info

• The component can operate in a cluster configuration if it is installed on all servers.
• The component works equally well with direct access to the IIS server and through proxies such as nginx.
• The component does not affect the first authentication factor, namely user login and password verification. It does not receive or verify the password. At your request, we can provide the source code of the component for auditing and self-assembly.
• Two factor authentication is connected to OWA. Work with ECP, MAPI and ActiveSync remains unchanged.
• The component re-queries the second factor at a configurable interval and closes the sessions left by users. The time interval is configurable in Group Policy Multifactor Management System.

See also:

• Configure two factor Windows VPN authentication with Routing and Remote Access Service (RRAS).
• Configure Windows Remote Desktop Two Factor Authentication.