Exchange OWA - 2 Factor Authentication

Here is an application which can assist with the 2 Factor authentication.  I found an application called Duo. They support 2 Factor authentication. Here are some insights into the application:

Check your server versions before starting. This integration works with Exchange Server 2010, 2013, and 2016, running on Windows Server 2008 or newer. It also requires .NET Framework 3.5.

If you are running Exchange Server 2007, see the Exchange Server 2007 Instructions

Then:

1. Sign up for a Duo account.
2. Log in to the Duo Admin Panel and navigate to Applications.
3. Click Protect an Application and locate Microsoft OWA in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)
4. Download the Duo OWA Installer Package for Exchange Server 2010 / 2013.
5. Make sure you have installed ASP.NET 3.5 support for IIS. You can do this, for example, by running the following PowerShell commands:
   Import-Module ServerManager
   Add-WindowsFeature Web-Asp-Net
6. Ensure that the .NET Framework HTTP Activation feature is turned on as well. You can enable it from PowerShell with the commands:
   Import-Module ServerManager
   Add-WindowsFeature NET-WCF-HTTP-Activation45

Connectivity Requirements

This integration communicates with Duo's service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.

Deployment Tip

Try setting your application's "New user policy" to "Allow Access" while testing. Users that Duo knows about will be prompted to authenticate with Duo, while all other users will be transparently let through.

Users that have a phone (or hardware token) associated with them will see the authentication prompt. All other users will be able to add their phone through Duo's self-service enrollment (see Test Your Setup).

Then (when you're ready) change the "New user policy" to "Require Enrollment." This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.

Run the Installer

Install Duo on the Microsoft Exchange Server instances running the Exchange 2010/2013 Client Access Server role or the Exchange 2016 Client Access services. The installation process varies slightly depending on how many Client Access servers you have. The Duo installer stops and then restarts IIS services on your Exchange servers automatically.

1. Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.
2. Enter your integration key, secret key, and API hostname when prompted.

If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all OWA login attempts will be denied if there is a problem contacting the Duo service.

• If you only have one Exchange Server running the Client Access Server role, select the option to automatically generate a new key. However, if you have multiple Client Access Server servers then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.

1. For example, you could use the following PowerShell commands to generate a suitable session key:
2. $bytes = new-object "System.Byte[]" 30
3. (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
4. [Convert]::ToBase64String($bytes)
5. Complete the Duo installation. The installer stops and then restarts IIS services automatically.