Check your server versions before starting. This integration works with Exchange Server 2010 or 2013, running on Windows Server 2008 or newer. It also requires .NET framework 3.5.
If you are running Exchange Server 2007, see the Integration Instructions for Exchange Server 2007
- Sign up for a Duo account
- Create a new Microsoft OWA integration to get an integration key, secret key, and API hostname. (See Getting Started for help.)
- Download the Duo OWA Installer Package for Exchange Server 2010 / 2013.
Make sure you have installed ASP.NET 3.5 support for IIS. You can do this, for example, by running the following PowerShell commands:
Import-Module ServerManager Add-WindowsFeature Web-Asp-Net
This integration communicates with Duo’s service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service’s high availability.
Try setting your integration’s “New user policy” to “Allow Access” while testing. Users that Duo knows about will be prompted to authenticate with Duo, while all other users will be transparently let through.
Users that have a phone (or hardware token) associated with them will see the authentication prompt. All other users will be able to add their phone through Duo’s self-service enrollment (see Test Your Setup).
Then (when you’re ready) change the “New user policy” to “Require Enrollment.” This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.
Run the Installer
You will need to run the Duo Security installer package on each of your Microsoft Exchange Server instances on which you have installed the Client Access Server role. The installation process varies slightly depending on how many Client Access Servers you have.
Open the Duo Security installer with administrative privileges to run it. Accept the license agreement and enter your integration key, secret key, and API hostname from the Duo Security integration page when prompted:
If the Bypass Duo authentication when offline option is unchecked, then users will not be able to log in OWA when Duo Security cloud services are unreachable.
You will then be asked to create a session key:
If you only have one Client Access Server, select the option to automatically generate a new key.
However, if you have multiple Client Access Servers, then you should manually generate a random string at least 40 characters long, and use the same string for each of the servers.
For example, you could use the following PowerShell commands to generate a suitable session key:
$bytes = new-object "System.Byte" 30 (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes) [Convert]::ToBase64String($bytes)
The installer stops and then restarts IIS services before completing.
Test Your Setup
To test your setup, log into OWA. Duo’s enrollment or login prompt should appear after you enter your username and password:
- OWA connection initiated
- Primary authentication
- Exchange Client Access Server connection established to Duo Security over TCP port 443
- Secondary authentication via Duo Security’s service
- Exchange Client Access Server receives authentication response
- OWA session logged in