This article describes a software update that adds a new feature
in Microsoft Exchange Server 2003. This new feature supports Smart Card
authentication to Microsoft Office Outlook Web Access. When this new feature is
installed, users are no longer required to supply a username and
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
install this software update, you must have the following network
The domain in which Kerberos Constrained Delegation (KCD) is configured must be at the
Windows Server 2003 domain functional level; KCD is not available at the Windows 2000 levels.
The functional level is raised for the domain as a whole, not per domain controller, so
every domain controller in that domain must run Windows Server 2003 before you raise it.
On the Exchange front-end servers, the KCD list must
contain only back-end servers. The KCD list is maintained automatically after
this software update is installed. Front-end servers must not be used to host
other KCD-enabled programs, because the System Attendant rewrites the list and
removes any entry for which it detects a missing Service Principal Name (SPN).
All front-end servers, back-end servers, and ISA servers for a
configuration must be in the same domain.
No more than 600 back-end servers can be in the same domain
as the front-end server.
To install this software update, you must have the following
Microsoft Exchange Server 2003 Service Pack 2 (SP2)
Microsoft Windows Server 2003-based domain
Additionally, we recommend that you include Microsoft
Internet Security and Acceleration (ISA) Server 2006 as part of the solution.
ISA Server 2006 can use KCD to securely
publish the Outlook Web Access service.
KCD helps reduce potential attack vectors: ISA Server authenticates the user by
client certificate and then obtains a Kerberos service ticket on the user's behalf,
so the user's password is never sent to ISA Server or to Exchange, and ISA Server
can impersonate users only to the specific SPNs it is allowed to delegate to.
It also provides several features to reduce the cost of ownership and
administration of this solution.
For more information, click the following article number to view
the article in the Microsoft Knowledge Base:
How to obtain the latest service packs for Exchange Server 2003
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2003 supports the KCD authentication method.
A server can use KCD to obtain a Kerberos service ticket on behalf of a user and
authenticate to another service as that user. The term "constrained" refers to the fact
that the list of services to which the account can delegate is limited: each entry names
a service class and a host (and optionally a port), so the account cannot impersonate
users to anything else. The KCD list is stored in Active Directory and is composed of a
list of Service Principal Names (SPNs). An SPN has the form
serviceclass/host[:port][/servicename], for example http/FE01 or http/fe01.contoso.com
(the host name is an illustration, not a value from this article); the Kerberos realm is
implied by the account's domain rather than written in the SPN. For more information
about KCD, visit the following Microsoft Web site:
For the constrained delegation to work correctly, an accurate
mapping of front-end servers to back-end servers must be maintained within the
Active Directory directory service. After this software update is installed,
the Exchange System Attendant service maintains the SPN list. The System
Attendant behavior is controlled by a bit value that is set on the heuristic
attribute of the server object in the Active Directory directory service.
The KCD list is monitored and maintained by adding all the back-end
servers that are in the domain to the KCD list. No more than 600 back-end
servers can be in the same domain as the front-end server because of the limit
on the size of the msDS-AllowedToDelegateTo attribute in the
Active Directory directory service.
The monitoring and maintenance of the KCD list occur when the server starts,
and afterwards at an interval that is controlled by the following registry value:
Name: KCDPollingInterval
Type: REG_DWORD
This registry value specifies, in minutes, how often the KCD list is validated and,
if necessary, updated. The value cannot be less than 15 minutes or greater than one
week (10080 minutes). By default, the value is 15 minutes.
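The following script is an added example, not part of the Knowledge Base article or of the Exchange code. It is a read-only audit of the KCD state that the System Attendant is expected to maintain: the domain functional level, the delegation list on each front-end computer object (http entries only, only known back-end servers, no more than 600 entries), the delegation flags in userAccountControl, and the KCDPollingInterval value. It uses plain .NET ADSI because the ActiveDirectory PowerShell module does not exist on Windows Server 2003. The server names (FE01, BE01, BE02) are assumptions, and because the article does not name the registry key that holds KCDPollingInterval, the key path must be supplied by the caller.

```powershell
# Added example (not from the KB article): read-only audit of the KCD configuration.
# Server names below are assumptions for illustration.

function Get-ComputerSearchResult {
    # Find a computer object by sAMAccountName (computer accounts end in '$').
    param([string]$Name)
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('msDS-AllowedToDelegateTo', 'userAccountControl', 'dNSHostName'))
    $searcher.FindOne()
}

function Test-KcdDomainLevel {
    # KCD needs the Windows Server 2003 domain functional level.
    # rootDSE domainFunctionality: 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003.
    $level = [int]([ADSI]'LDAP://RootDSE').Properties['domainFunctionality'].Value
    if ($level -ge 2) { "Domain functional level $level : OK" }
    else { "Domain functional level $level : raise to Windows Server 2003 (2) before enabling KCD" }
}

function Test-KcdFrontEnd {
    # Checks the delegation list on one front-end computer object against the rules in the
    # text (only http/ SPNs, only known back-end servers, at most 600 entries) and reports
    # the delegation flags set in userAccountControl.
    param([string]$FrontEnd, [string[]]$BackEnds)
    $fe = Get-ComputerSearchResult $FrontEnd
    if (-not $fe) { return @("$FrontEnd`: computer object not found") }

    $findings = @()
    $list = @($fe.Properties['msds-allowedtodelegateto'])
    if ($list.Count -gt 600) { $findings += "$FrontEnd`: $($list.Count) delegation entries exceeds the 600 limit" }

    $knownHosts = @($BackEnds | ForEach-Object { $_.ToLower() })
    foreach ($spn in $list) {
        # SPN form is serviceclass/host[:port][/servicename]; compare the host part only.
        $class, $rest = $spn -split '/', 2
        $hostPart  = ($rest -split '[:/]')[0].ToLower()
        $shortHost = ($hostPart -split '\.')[0]
        if ($class -ne 'http') {
            $findings += "$FrontEnd`: non-http entry '$spn' (another KCD-enabled program on this front-end?)"
        } elseif ($knownHosts -notcontains $shortHost -and $knownHosts -notcontains $hostPart) {
            $findings += "$FrontEnd`: entry '$spn' does not point at a known back-end server"
        }
    }

    $uac = [int]$fe.Properties['useraccountcontrol'][0]
    $flags = @()
    if ($uac -band 0x80000)   { $flags += 'TRUSTED_FOR_DELEGATION (unconstrained)' }
    if ($uac -band 0x1000000) { $flags += 'TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)' }
    $findings += "$FrontEnd`: $($list.Count) entries; userAccountControl flags: $(if ($flags) { $flags -join ', ' } else { 'none' })"
    $findings
}

function Test-KcdPollingInterval {
    # The article gives the value name and its limits but not the key it lives under,
    # so the key path is a caller-supplied parameter here.
    param([string]$KeyPath)
    $v = (Get-ItemProperty -Path $KeyPath -Name KCDPollingInterval -ErrorAction SilentlyContinue).KCDPollingInterval
    if ($null -eq $v) { return 'KCDPollingInterval not set: default of 15 minutes applies' }
    if ($v -lt 15 -or $v -gt 10080) { return "KCDPollingInterval=$v is outside the allowed range of 15..10080 minutes" }
    "KCDPollingInterval=$v minutes"
}

# Usage (assumed names; run on a front-end server as a domain user):
Test-KcdDomainLevel
Test-KcdFrontEnd -FrontEnd 'FE01' -BackEnds @('BE01', 'BE02')
```

A non-http entry or an entry for an unknown host is the condition the text warns about: the System Attendant will remove such entries on its next poll, which is why front-end servers must not host other KCD-enabled programs.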
To install the new feature that enables Microsoft Exchange Server
2003 to support Smart Card authentication to Outlook Web Access, follow these
Configure Exchange Server 2003
Install hotfix 920209 on all Exchange front-end
servers that you want to enable as KCD front-end servers.
Verify that the Exchange front-end servers support
Integrated Authentication. To do this, follow these steps:
Start Exchange System Manager. To do this, click
Start, point to All Programs, point to
Microsoft Exchange, and then click System
Expand the following folder:
Servers/Exchange_Server_Name/Protocols/HTTP/Exchange Virtual Server
Right-click Exchange, and then click
On the Access tab, click
Click to select the Integrated Windows
Authentication check box.
Click to clear the Basic
Authentication check box.
Click OK, and then click
Repeat steps c to g for the Public
Enable KCD in Exchange System Manager. To do this, follow
Note The KCD Service account must have additional rights in Active Directory:
In the Default Domain Controllers Policy (the Group Policy Object that is linked to the Domain Controllers organizational unit), grant the KCD Service account the Enable computer and user accounts to be trusted for delegation user right.
Grant the KCD Service account write permission to the msDS-AllowedToDelegateTo and userAccountControl attributes on the computer object of each front-end server. To do this, use the Advanced security settings (Properties, Security tab, Advanced) in Active Directory Users and Computers, or use ADSI Edit.
In System Manager, locate the
administrative group in which you want to enable KCD.
Right-click the administrative group, and then click
Click to select the Enable Kerberos Constrained
Delegation check box, and then click Modify.
Type the credentials for the KCD Service account.
Click Apply, and then click
On each front-end server that you want to enable as a KCD
front-end server, follow these steps:
In Exchange System Manager, right-click the server, and
then click Properties.
On the General tab, verify that the
This is a front-end server check box is selected to confirm
that you are configuring a front-end server.
On the KCD-FE tab, click This
server is a KCD-FE server for the organization.
Click Apply, click
OK, and then restart the Exchange System Attendant
Repeat these steps on each front-end server that you
want to enable as a KCD front-end server.
Restart Microsoft Internet Information Services (IIS) on
all front-end and back-end computers to propagate the change in authentication
mechanisms. To do this, type iisreset at a command
prompt, and then press ENTER.
Configure ISA Server 2006
If you include ISA Server 2006 as part of the solution, follow
these steps to configure ISA Server 2006:
Click Start, point to All
Programs, point to Microsoft ISA Server, and then
click ISA Server Management.
Expand Arrays, expand the server name, and
then click Firewall Policy.
In the Firewall Policy Tasks area, click
Publish Exchange Web Client Access.
In the Exchange Publishing rule name box,
type the name that you want to use for the rule, and then click
In the Exchange version list, click
Exchange Server 2003, click to select the Outlook Web
Access check box, and then click Next.
Click Publish a single Web site or load
balancer, and then click Next.
Note If you want to select Publish a server farm of load
balanced Web servers, the SPN that is published must be
http/* (a service class followed by a slash; an SPN has no colon after the service class) instead of
Click Use SSL to connect to the published Web
server or server farm, and then click
In the Internal site name box, type the
internal site name, and then click Next. For example, type the
NETBIOS name of your front-end server. ISA Server derives the Kerberos SPN from this
name (http/NETBIOS_name), so it must match the SPN that you type later in the wizard and
the name that Active Directory holds for the front-end server.
In the Public name box, type the FQDN of
the server that users use to reach the site, and then click
On the Select Web Listener page, click
New. The New Web Listener Wizard starts.
In the Web listener name box, type the
name of the new listener, and then click Next.
On the Client Connection Security page,
click Require SSL secured connections with clients, and then
In the Listen for incoming Web requests on these
networks list, click to select the External check
box, and then click Select IP Addresses.
Click Specified IP Addresses on the ISA Server
computer in the selected network.
In the Available IP Addresses list, click
the IP address that you want to use, click Add, and then click
In the Listener SSL Certificates screen,
click Assign a certificate for each IP Address, and then click
Click the certificate that you want to use, and then click
In the "Select how clients will provide credentials to ISA
Server" page, click SSL Client Certificate Authentication, and
then click Next.
Click Next, and then click
When you are prompted to enable this system policy rule,
On the Select Web Listener page, click
In the Select the method used by ISA Server to
authenticate to the published Web server list, click Kerberos
In the Type the Service Principal Name (SPN) used
by ISA Server for Kerberos constrained delegation box, type the SPN
that is used by ISA for KCD, and then click Next.
Click All Authenticated Users, click
Next, and then click Finish.
When you receive the following message, click
For Kerberos constrained
delegation to work, you must configure Active Directory to allow ISA Server to
delegate authentication to the selected service principal names
Close ISA Server Management.
When you receive the following message, click
Do you want to apply the
changes before closing ISA Server Management?
When you are prompted that the changes have been saved,
To configure Active Directory to allow ISA Server to delegate
authentication to the selected SPNs, follow these steps.
Note If an ISA Array of multiple servers exists, repeat this procedure
for each server in the array.
Start Active Directory Users and
Computers. To do this, click Start, point to
All Programs, point to Administrative Tools,
and then click Active Directory Users and
Locate the Computers container,
right-click the name of the computer that is running ISA Server 2006, and then
Click the Delegation tab, click
Trust this computer for delegation to specified services only,
click Use any authentication protocol, and then click
Note Use any authentication protocol is required here. The user authenticates to ISA Server with a certificate, not with Kerberos, so ISA Server must use protocol transition to obtain a Kerberos ticket for the user; Use Kerberos only would not work for this scenario.
Click Users or Computers, and then click
the Exchange front-end server.
Click http in the
Service list, and then click OK.
If more than one front-end Exchange server exists, repeat
steps 2 to 6 for each front-end server.
In ISA Server Manager, click the Firewall policy that you
created, and then click Apply.
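The following script is an added example, not part of the Knowledge Base article or of any Microsoft tool. It performs, with .NET ADSI, the Active Directory changes behind two GUI steps in this article so that they can be scripted and reviewed: it grants the KCD Service account write permission to msDS-AllowedToDelegateTo and userAccountControl on each front-end computer object (the Note in the Exchange configuration section), and it configures the ISA Server computer object for constrained delegation to the front-end servers' http SPNs with protocol transition, which is what Trust this computer for delegation to specified services only together with Use any authentication protocol sets. The account and server names (CONTOSO\kcdsvc, FE01, FE02, ISA01) are assumptions. The script writes to Active Directory and must be run as a domain administrator.

```powershell
# Added example (not from the KB article): the Active Directory writes behind the GUI steps.
# Account and server names are assumptions for illustration.

function Get-ComputerEntry {
    # Bind to a computer object by sAMAccountName and return a writable DirectoryEntry.
    param([string]$Name)
    $result = ([ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$Name`$))").FindOne()
    if (-not $result) { throw "Computer object '$Name' not found" }
    $result.GetDirectoryEntry()
}

function Get-SchemaAttributeGuid {
    # Look up schemaIDGUID for an attribute from the schema instead of hard-coding it;
    # a property-specific ACE is keyed by this GUID.
    param([string]$LdapDisplayName)
    $schemaNc = ([ADSI]'LDAP://RootDSE').Properties['schemaNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$schemaNc",
        "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))")
    $result = $searcher.FindOne()
    if (-not $result) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    New-Object System.Guid (,[byte[]]$result.Properties['schemaidguid'][0])
}

function Grant-KcdServiceAccountRights {
    # Adds an Allow Write-Property ACE for the two attributes on each front-end computer
    # object. This is what the Advanced security tab in ADUC does for the same grant.
    param([string]$ServiceAccount, [string[]]$FrontEndServers)
    $sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $guids = @('msDS-AllowedToDelegateTo', 'userAccountControl') | ForEach-Object { Get-SchemaAttributeGuid $_ }
    foreach ($fe in $FrontEndServers) {
        $entry = Get-ComputerEntry $fe
        foreach ($g in $guids) {
            $rule = New-Object System.DirectoryServices.PropertyAccessRule(
                $sid, [System.Security.AccessControl.AccessControlType]::Allow,
                [System.DirectoryServices.PropertyAccess]::Write, $g)
            $entry.ObjectSecurity.AddAccessRule($rule)
        }
        $entry.CommitChanges()
    }
}

function Set-IsaConstrainedDelegation {
    # Writes msDS-AllowedToDelegateTo with http/<netbios> and http/<fqdn> for each front-end
    # (the Delegation tab adds both when you pick the "http" service), sets
    # TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) so ISA can turn a certificate logon into a
    # Kerberos ticket (protocol transition), and clears TRUSTED_FOR_DELEGATION (0x80000),
    # which would be unconstrained delegation.
    param([string]$IsaComputer, [string[]]$FrontEndServers)
    $spns = @()
    foreach ($fe in $FrontEndServers) {
        $feEntry = Get-ComputerEntry $fe
        $spns += "http/$fe"
        $spns += "http/$($feEntry.Properties['dNSHostName'].Value)"
    }
    $isa = Get-ComputerEntry $IsaComputer
    $isa.Properties['msDS-AllowedToDelegateTo'].Value = [string[]]$spns
    $uac = [int]$isa.Properties['userAccountControl'].Value
    $isa.Properties['userAccountControl'].Value = ($uac -bor 0x1000000) -band (-bnot 0x80000)
    $isa.CommitChanges()
}

# Usage (assumed names). For an ISA array, call Set-IsaConstrainedDelegation once per array member.
Grant-KcdServiceAccountRights -ServiceAccount 'CONTOSO\kcdsvc' -FrontEndServers @('FE01', 'FE02')
Set-IsaConstrainedDelegation -IsaComputer 'ISA01' -FrontEndServers @('FE01', 'FE02')
```

Keeping the ISA computer's delegation list limited to the front-end http SPNs is the security property that matters: an attacker who compromises the ISA Server can impersonate users only to those services, not to arbitrary hosts in the domain.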
For more information about the ISA Authentication model, visit
the following Microsoft Web site: