A Descriptive Guide on Exchange 2016 Two Factor Authentication Process

Aswin Vijayan
Published: Sep 7, 2018 • Exchange Server • 5 Min Read

‘We are seeking a solution to implement two factor authentication in an Exchange 2016 on-premises environment. This is required because we want a plan which performs the entire procedure without hampering the ongoing business operations. So, can anyone please help us out by giving a strategic plan for the same?’

Exchange 2016 two factor authentication, or MFA, combines an account’s username and password with a third security element that must be supplied to pass authentication. This type of authentication can be achieved in an Exchange on-premises environment by using a service from MS Windows Azure together with the Multi-factor Authentication server. This post covers the process of implementing two factor authentication in Exchange Server 2016.

What is Multi-factor Authentication Server?

Before we start with the implementation procedure, it is important to understand the MFA server. This server intercepts the login request to OWA. If the server finds the username and password valid, a call or a text message with a verification code is sent to the account holder’s smartphone. When the verification code matches, the user has validated the login and is authenticated. Typically, validation is performed by pressing the hash (#) key during the phone call or by clicking the Verify button in the application, but it could also require manual PIN entry.

Note – When the MFA server intercepts the OWA login request, OWA shows no graphical user interface to tell you what exactly is going on. This might result in disconnection and interruption of the login request.

Exchange 2016 Two Factor Authentication Using MFA Server

The following technical steps should be performed to implement multi-factor authentication in Exchange 2016:

Step 1 : Configuration of MFA In Azure

In this step, you have to combine Exchange 2016 OWA multi factor authentication with a Windows RRAS server. When you are done with this, log in as a user who is enabled for MFA in the Azure MFA server; you have to answer the phone before the connection is established. The following 4 major steps need to be performed for this step:

a) Setup MFA in Microsoft Azure
b) Install MFA server on-premises
c) Configure a few users in Azure MFA server
d) Configure the RRAS VPN server with MFA server for using RADIUS for authentication.

Step 2 : Installation of MFA Server on-premises

Half of this step is already done in Step (1); the only difference concerns OWA. The change is that you need to install the MFA server on the Microsoft Exchange server where the two factor authentication procedure takes place. For this, you can go through the following guidelines:

a) Open the Server Manager screen and, in the features section, check that .NET 3.5 is installed on the machine.
b) When you are done with the installation, run the MFA Server administrative tools. They appear in the Windows start menu, or open automatically after a few minutes.
c) Do not skip the current wizard; click on Next. You will be asked for permission to activate the server. Activating the server connects it with your instance of Azure MFA. The email ID and password requested are provided by the Azure multi-factor authentication provider that was used for configuration in Step (1). Now, click on Generate Activation Credentials on the Download page of the MS Azure MFA provider.

d) The generated credentials remain valid for 10 minutes. Enter them into the configuration wizard of the MFA server and click on Next.
e) This lets the MFA server attempt to reach Azure over TCP 443 for the Exchange 2016 OWA 2 factor authentication process.
f) Choose the server group across which the configuration should be copied.

For Example – If you are installing the product on each Exchange CAS server, you might enter ‘Exchange Servers’ as the group name at the first installation and then select that group during the installation procedure on the remaining servers. This configuration will be distributed among all the servers that share the same group name. If you have already completed a configuration setup, it will have different user settings.

For Example – You might receive a phone call for authenticating the VPN connection but use the application for OWA logins. This requires 2 configs with different server groups. If you require the same settings for all employees of a firm, one group should be configured.

g) If you want to keep a backup of your defined settings by having more than one instance of MFA server in the same group, click on Yes.
h) Choose the Outlook Web Access (OWA) option in the current wizard to continue with the Exchange 2016 two factor authentication procedure.
i) Now it is time to select the authentication type. You can use the default, Form-based authentication, or choose any other type that suits your need.
j) Enter the URL to OWA, obtained by browsing to the OWA website over https.

Step 3 : Configure Users for Exchange 2016 OWA Multi factor Authentication

Import the list of users on which MFA in Exchange 2016 needs to be imposed. Select the Users area and then click on the Import from Active Directory button. Locate the settings for importing group members or organizational units, or search to add a single user account. Check that your test users have their contact number imported from the AD.

Step 4 : Configuration of OWA with MFA

This is the last step in the Outlook Web Access two factor authentication procedure. You have to adjust the default HTTP configuration on the IIS Authentication node. This ensures that each authentication attempt is matched against the users in the list. If the user is present and activated, MFA is performed. Otherwise, the Succeed Authentication settings are applied to the attempt.
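
The matching described in Steps 3 and 4, as an added example (not code from the original post or from the MFA Server product): it compares a list of OWA-enabled accounts with an MFA user list and reports which logins would get MFA, which would fall through to the Succeed Authentication setting, and which cannot complete MFA for lack of a phone number. The CSV layouts, account names, outcome labels and the `succeed_when_unmatched` flag are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not a product format.
OWA_USERS_CSV = """sam_account_name
alice
bob
carol
dave
"""
MFA_USERS_CSV = """username,enabled,phone
CONTOSO\\alice,true,+1 555 0100
bob@contoso.example,true,
carol,false,+1 555 0102
"""

def normalize(name):
    """Reduce DOMAIN\\user and user@domain forms to a lowercase account name."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def load_mfa_users(text):
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        users[normalize(row["username"])] = {
            "enabled": row["enabled"].strip().lower() == "true",
            "phone": row["phone"].strip(),
        }
    return users

def classify(account, mfa_users, succeed_when_unmatched=True):
    """Outcome of an OWA login after the password check, per Step 4."""
    entry = mfa_users.get(normalize(account))
    if entry is None or not entry["enabled"]:
        # Not listed or not activated: the Succeed Authentication setting decides.
        # Assumption: with the setting off, the attempt is refused.
        return "PASSWORD_ONLY" if succeed_when_unmatched else "DENIED"
    if not entry["phone"]:
        return "MFA_NO_PHONE"  # Step 3 check failed: no number to call or text
    return "MFA"

def audit(owa_csv, mfa_csv, succeed_when_unmatched=True):
    mfa_users = load_mfa_users(mfa_csv)
    accounts = [r["sam_account_name"] for r in csv.DictReader(io.StringIO(owa_csv))]
    return {a: classify(a, mfa_users, succeed_when_unmatched) for a in accounts}

if __name__ == "__main__":
    for account, outcome in audit(OWA_USERS_CSV, MFA_USERS_CSV).items():
        print(f"{account:8} {outcome}")
```

Every account reported as `PASSWORD_ONLY` is an OWA login that a valid password alone would satisfy, so that list is the one to drive to zero before relying on the deployment.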

Conclusion

This post gives a brief description of the Exchange 2016 two factor authentication procedure. It is just a one day process, so administrators can plan accordingly and attempt the task.
