Exchange 2013 CBA Setup Review

A review of lessons learned! Last week I upgraded Exchange 2013 from CU13 to CU21. Because the server had been split out last year using some special measures, the upgrade ran into trouble near the end and I was forced to delete the two Exchange websites. This week I built a brand-new server to act as the CAS.
The process itself needs no special mention since it went very smoothly, but just like last year, CBA was the biggest hurdle. While going through the article again, I spotted the most important point: the certificate's Subject must contain the user's email, or the certificate's SAN name must contain the user's UPN.
If you skip this part you will get IIS error 403.7.

Prerequisites:

You need access to a CA for client certificates. This can be a public CA solution, individual certificates from a vendor, or an Active Directory Certificate Services solution. Regardless, the following requirements must be met:

  • The user certificate must be issued for client authentication. The default User template from an AD CS server will work in this scenario.
  • The User Principal Name (UPN) for each user account must match the Subject Name field in the user’s certificate.
  • All servers must trust the entire CA trust chain. This chain includes the root CA certificate and any intermediate CA certificates. These certificates should be installed on all servers that may require them, to include (but not limited to) ISA/TMG/UAG server(s) and the Client Access Server (CAS).
  • The root CA certificate must be in the Trusted Root Certification Authorities store, and any intermediate CA certificates in the intermediate store on all of these systems. The root CA certificate, and intermediate CA certificates must also be installed on the EAS device.
  • The user’s certificate must be associated with the user’s account in Active Directory.
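To check a user certificate against the prerequisites above before touching IIS (and before chasing a 403.7), here is a pre-flight script added for this post; it is not from the Microsoft articles. It assumes the RSAT ActiveDirectory module, a .cer file exported from the user's certificate, and that it is run on the CAS so the chain check uses that server's Trusted Root and Intermediate stores.

```powershell
# Added example (not from the original post): pre-flight check of one user
# certificate against the CBA prerequisites. Assumed inputs: a .cer path and
# the user's sAMAccountName; assumed environment: RSAT AD module, run on the CAS.
param(
    [Parameter(Mandatory)][string]$CertPath,        # e.g. C:\temp\user.cer (assumed path)
    [Parameter(Mandatory)][string]$SamAccountName
)
Import-Module ActiveDirectory

$X509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$X509.X509Certificate2" -ArgumentList $CertPath
$user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, mail, userCertificate

# 1. Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2); the default User template includes it.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }))

# 2. UPN in the SAN (Other Name: Principal Name) or e-mail in the Subject must match the AD account.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
$upnInSan = [bool]($sanText -match [regex]::Escape($user.UserPrincipalName))
$mailInSubject = [bool]($user.mail -and ($cert.Subject -match [regex]::Escape($user.mail)))

# 3. Chain must build from the local Trusted Root / Intermediate stores.
#    Revocation is skipped here on purpose so only trust-chain gaps show up.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)

# 4. Certificate published on the AD user object (userCertificate attribute).
$published = [bool](($user.userCertificate | ForEach-Object {
        (New-Object "$X509.X509Certificate2" -ArgumentList (,[byte[]]$_)).Thumbprint
    }) -contains $cert.Thumbprint)

[pscustomobject]@{
    Subject        = $cert.Subject
    ClientAuthEKU  = $hasClientAuth
    UpnInSan       = $upnInSan
    MailInSubject  = $mailInSubject
    ChainBuilds    = $chainOk
    ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    PublishedInAD  = $published
}
```

Any False in the output points at the prerequisite to fix; UpnInSan and MailInSubject both False is the mismatch that shows up in IIS as 403.7.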

Reference URL

https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-certificate-based-auth?view=exchserver-2019

https://blogs.technet.microsoft.com/exchange/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync/
