How to Install Duo Two-factor Authentication for Outlook Web App (OWA)


(light music) – [Matt] Hi, I’m Matt from Duo Security. In this video, I’m going to show you how to protect Microsoft Outlook Web App, also known as OWA, with Duo. Our integration adds two-factor authentication to Outlook Web App logins, complete with inline, self-service enrollment and the Duo Prompt. Before watching this video, be sure to read the documentation located at duo.com/docs/owa.

Check your server versions before starting. The video and the instructions referenced are for Exchange Server 2013 and 2016, running on Windows Server 2008 R2 or newer. In this video, we will use Exchange 2016 on a Windows Server 2016 system. This integration also requires .NET framework 4.5 and ASP.NET 4.5. This integration communicates with Duo’s service on TCP port 443. We do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service’s high availability. If you are running Exchange Server 2010, read the instructions located at duo.com/docs/owa-2010. If you are running Exchange Server 2007, read the instructions located at duo.com/docs/owa-2007.

As previously indicated, this integration requires .NET framework 4.5 and ASP.NET 4.5. You must also ensure that the IIS Management Scripts and Tools feature is turned on. Log on to the system you will be installing Duo for OWA on as an administrator. Open a browser and navigate to the documentation located at duo.com/docs/owa. Navigate to the Prerequisites section. Open PowerShell. To ensure that you have .NET framework 4.5, run the commands from step one. To ensure you have installed ASP.NET 4.5 support for IIS in HTTP activation, run the commands from step two. Finally, ensure that the IIS Management Scripts and Tools feature is turned on using the commands from step three.

Log in to the Duo Admin Panel. Once there, click on Applications. Then, click Protect an Application. Type in OWA. Next to the entry for Microsoft OWA, click Protect this Application, which takes you to your new application’s Properties page. Keep this page open as you continue through the setup process. On the properties page, click the link to open the OWA documentation. Scroll down to the First Steps section, and click the link to download the Duo OWA installer package.

You will need to run the installer on the Microsoft Exchange Server instances running the Exchange 2016 Client Access services role. The installation process varies slightly depending on how many Client Access servers you have. The Duo installer stops and then restarts IIS services on your Exchange Servers automatically. Open an administrator command prompt, and run the installer. Click Next. Navigate back to the properties page for your OWA application in the Duo Admin Panel. Copy the integration key, secret key, and API hostname, and paste them in the installer fields.

If you leave the “Bypass Duo authentication when offline” box checked, then users will be able to log in to OWA without completing two-factor authentication if the Duo Cloud service is unreachable. If you uncheck this box, then users will not be able to log in to Duo if the service cannot be reached.

Duo for OWA sends a user’s Windows sAMAccountName to Duo’s service by default. To send the userPrincipalName to Duo instead, check the “Use UPN username format” box. For this to work, OWA and ECP must be using Forms-Based Authentication, also known as FBA. The Duo for OWA documentation has a link to a Microsoft TechNet article that explains how to enable FBA for Exchange. Note that if you enable the UPN Username Format option, you must also change the Username Normalization setting for your OWA application in the Duo Admin Panel to “none”. Otherwise, Duo drops the domain suffix from the username sent from OWA to our service, which may cause user mismatches or duplicate enrollment. After configuring your installation options, click Next.

If you only have one Exchange Server running the client-access server or services role, select the option to automatically generate a new key. However, if you have multiple Client Access server or services servers, then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers. The documentation contains PowerShell commands to generate session keys. Click Next. Click Install. Click Finish.

Now test your configuration. Go to the URL for the Outlook Web App, and enter your username and password. The Duo Prompt will appear, which enables the user to enroll, or complete two-factor authentication. Since this user has already enrolled in Duo and activated the Duo Mobile app on their smartphone, the user can select Send Me a Push, Call Me, or Enter a Passcode. Select Send Me a Push to send a push notification to your phone. Open the notification on your phone, check the information to ensure the login is legitimate, and approve it. You are now logged in. You have successfully set up Duo for Microsoft Outlook Web App. (light music)
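
The prerequisite checks and the shared session key described in the video, as an added PowerShell example; it is not part of the video and does not reproduce the commands in Duo's documentation. It assumes Windows Server 2012 R2 or later (for the feature names and `Test-NetConnection`), and `$ApiHost` is a placeholder for the API hostname on your application's Properties page.

```powershell
# Added example: preflight for a Duo OWA install. Not Duo's documented commands.
# Assumptions: Windows Server 2012 R2+; $ApiHost is a placeholder for the API
# hostname shown on the application's Properties page in the Duo Admin Panel.
$ApiHost = 'api-XXXXXXXX.duosecurity.com'

Import-Module ServerManager

# .NET Framework 4.5 or later records Release >= 378389 under this key.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
    -ErrorAction SilentlyContinue
$checks = [ordered]@{
    '.NET Framework 4.5+' = ($null -ne $ndp) -and ($ndp.Release -ge 378389)
}

# ASP.NET 4.5, HTTP Activation, and IIS Management Scripts and Tools.
foreach ($name in 'Web-Asp-Net45', 'NET-WCF-HTTP-Activation45', 'Web-Scripting-Tools') {
    $feature = Get-WindowsFeature -Name $name
    $checks["Feature $name"] = [bool]($feature -and $feature.Installed)
}

# Outbound TCP 443 to Duo, tested by hostname rather than by IP address.
$checks["TCP 443 to $ApiHost"] = Test-NetConnection -ComputerName $ApiHost -Port 443 `
    -InformationLevel Quiet

$checks.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}

# Shared session key for multiple Client Access servers: 48 random bytes from
# the system CSPRNG, Base64-encoded to 64 characters (the minimum is 40).
$bytes = New-Object byte[] 48
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
$sessionKey = [Convert]::ToBase64String($bytes)

# Generate once, then enter the same value in the installer on every server.
# Treat it as a secret: keep it out of tickets and saved scripts.
"Session key ($($sessionKey.Length) chars): $sessionKey"
```

Run it from an elevated PowerShell session on each Exchange server, but generate the session key on only one of them and reuse that value on the rest.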
