
I would like to understand the possibility to limit access from Internet to Exchange (RPC over HTTPS in Outlook) by requiring the machine or user to present a client certificate (before the login session). Is this at all possible with Exchange 2010?

I saw a lot of docs for the Active Sync part (where this is possible) but I just recall seeing once a technical document for client certificate authentication with RPC over HTTPS (and frankly speaking, I am not that sure I saw it, since I cannot find it again despite repeated searches).

Alternatively: is it possible to request an NTLM token as the sole authentication mechanism (which would be available only from a domain controller, thus rejecting machines from outside the domain)?

WoJ

1 Answer


You can definitely use NTLM auth, especially if you only have users connecting that are logging on with their domain credentials to their workstations (even cached credentials).

NTLM authentication: If you select this authentication type, Exchange does not prompt users for a user name and password. The current Windows user information on the client computer is supplied by the browser through a cryptographic exchange involving hashing with the Web server. If the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password. So, when Outlook is trying to connect to Exchange and the machine is domain joined, there isn't a need to provide a password.

You can't use a client cert that I'm aware of. I don't think Outlook has a means of passing the cert along. If you look at the auth methods, the only thing close to this would be a 2-factor auth using a smart card.

Links:

Configure Authentication for Outlook Anywhere

Configure Smart Card Authentication for Outlook Anywhere

TheCleaner
  • Thank you, this is very instructive. I see however that _"If the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password"_. Would you know if there is a way to disable this, i.e. to allow only NTLM authentication and reject the connection otherwise? – WoJ Mar 20 '14 at 13:21
  • That I don't know (without digging). The reason they do this is in case you aren't domain joined (home computer for CEO for example). – TheCleaner Mar 24 '14 at 02:06
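To turn the answer's NTLM recommendation into something you can check and apply on Exchange 2010, here is an added Exchange Management Shell example (not from the answer's author): it reports the Outlook Anywhere authentication settings per Client Access Server and offers a helper that restricts both the client-side and IIS-side methods to NTLM. The function names are hypothetical; `Get-OutlookAnywhere` / `Set-OutlookAnywhere` and their `ClientAuthenticationMethod` / `IISAuthenticationMethods` parameters are the real cmdlets and parameters. It does not settle the open comment question of whether the fallback credential prompt can be suppressed.

```powershell
# Added example, not code from the original answer. Run in the Exchange 2010
# Management Shell with Organization Management rights (PowerShell 2.0 safe).

function Get-OutlookAnywhereAuthReport {
    # One row per CAS: what Outlook is told to use (ClientAuthenticationMethod)
    # and what the /rpc virtual directory in IIS will accept (IISAuthenticationMethods).
    Get-OutlookAnywhere | ForEach-Object {
        $iisMethods = @($_.IISAuthenticationMethods | ForEach-Object { "$_" })
        New-Object PSObject -Property @{
            Server       = $_.Server
            Identity     = $_.Identity
            ClientMethod = "$($_.ClientAuthenticationMethod)"
            IISMethods   = ($iisMethods -join ',')
            # Basic still accepted on the server side = password (over TLS) still usable
            BasicAllowed = ($iisMethods -contains 'Basic')
        }
    }
}

function Set-OutlookAnywhereNtlmOnly {
    # Hypothetical helper name. Identity looks like 'CAS01\Rpc (Default Web Site)'.
    param(
        [Parameter(Mandatory=$true)] [string] $Identity,
        [switch] $WhatIf
    )
    # Restrict both sides to NTLM: Outlook is instructed to use NTLM, and IIS
    # stops offering Basic on the RPC virtual directory. Requires an iisreset
    # (or app pool recycle) on the CAS to take effect.
    Set-OutlookAnywhere -Identity $Identity `
        -ClientAuthenticationMethod Ntlm `
        -IISAuthenticationMethods Ntlm `
        -WhatIf:$WhatIf
}

# Usage: audit first, then dry-run the change on any CAS that still allows Basic.
Get-OutlookAnywhereAuthReport | Format-Table Server, ClientMethod, IISMethods, BasicAllowed -AutoSize
Get-OutlookAnywhereAuthReport | Where-Object { $_.BasicAllowed } | ForEach-Object {
    Set-OutlookAnywhereNtlmOnly -Identity $_.Identity -WhatIf
}
```

Drop `-WhatIf` once the report shows the expected servers; clients that cannot do NTLM (non-domain machines, as TheCleaner notes) will then fail to authenticate rather than fall back to Basic.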