You have an Exchange 2010 organization. Your company’s security policy states that all connections
to Outlook Web App (OWA) must use smart card authentication. You need to recommend a solution
to meet the security policy requirements. Which two possible ways to achieve this goal should you
recommend? (Each correct answer presents a complete solution. Choose two.)
A.
Require certificate-based authentication for all Internet-facing Client Access servers.
B.
Require Windows Integrated Authentication for all Internet-facing Client Access servers.
C.
Deploy an Edge Transport server and then disable Windows Integrated Authentication.
D.
Deploy a server that runs Microsoft Internet Security and Acceleration (ISA) Server and enable
Kerberos constrained delegation.
Explanation:
Microsoft® Internet Security and Acceleration (ISA) Server 2006 can publish Web servers and
authenticate users to verify their identity before allowing them to access a published Web server. If
a published Web server also needs to authenticate a user that sends a request to it and if the ISA
Server computer cannot delegate authentication to the published Web server by passing user
credentials to the published Web server or impersonating the user, the published Web server will
request the user to provide credentials for a second time. ISA Server can pass user credentials
directly to a Web published server only when these credentials are received using Basic
authentication or HTTP forms-based authentication. In particular, credentials supplied in a Secure
Sockets Layer (SSL) certificate cannot be passed to a published server.
ISA Server 2006 introduces support for Kerberos constrained delegation to enable published Web
servers to authenticate users by Kerberos after their identity has been verified by ISA Server using a
non-Kerberos authentication method. When used in this way, Kerberos constrained delegation
eliminates the need for requiring users to provide credentials twice. For example, because it is
unrealistic to perform Kerberos authentication over the Internet, SSL certificates might be used for
authenticating users at the ISA Server computer. After ISA Server verifies the user’s identity, ISA
Server cannot pass the SSL client certificate provided by the user to a published server, but it can
impersonate the user and obtain a Kerberos service ticket for authenticating the user (client) to a
published Web server.
An ISA Server computer serving as a firewall that sits between the Internet and your organization’s
intranet must authenticate clients that send requests over the Internet to servers in your
organization to prevent attacks from anonymous and unauthorized users. Every organization
determines which authentication method can ensure that external clients are identified with
sufficient confidence and that unauthorized clients cannot gain access to a published internal server.
Many large organizations (including Microsoft) are moving toward the use of smart cards, which are
actually just secured storage devices for an SSL client certificate, as a means to identify their users
instead of relying on passwords. Smart cards enable two-factor authentication based on something
that the user has (the smart card) and something that the user knows (the personal identification
number (PIN) for the smart card), providing a more secure level of authentication than passwords.
Internal servers often need to authenticate users who send requests to them both from computers
on the Internet and from computers on the intranet within the organization. For example, a mail
server must verify the identity of users, including internal users, before allowing them access to the
appropriate personal mailboxes. The authentication performed by an edge firewall clearly does not
fully meet the needs of these servers. If ISA Server can forward a user’s credentials to an internal
server, there is no need to prompt the user for a second time to obtain appropriate credentials.
However, when SSL client certificates are used, ISA Server cannot delegate a user’s credentials to an
internal mail server, such as a Microsoft Exchange server, because ISA Server never receives a
password that can be passed on to that server. There is also no way to forward an SSL client
certificate to another server. This is an intended security feature of the SSL protocol. Kerberos
constrained delegation provides a way for ISA Server to impersonate a user sending a Web request
and authenticate to specific services running on specific, published Web servers, including Exchange
Outlook Web Access servers, when ISA Server knows only the user name after it verifies the identity
of the user.
