Duo adds two-factor authentication to OWA logins, offering inline self-service enrollment and authentication with Duo Universal Prompt.
Yes, as of version 2.0.0 for Exchange 2013 and later on Windows 2016 and later. Please see the update instructions to install the latest version with Universal Prompt support, and then once you authenticate to Duo using the updated application you can activate the Universal Prompt experience for your users.
Duo supports Exchange 2013 and later installations on Windows Server 2016 and later.
Duo's last day of support for OWA 2010 was February 15, 2021. Microsoft Exchange 2010 reached the end of support on October 13, 2020.
Microsoft ended support for Windows Server 2012 and 2012 R2 on October 10, 2023.
Microsoft ended support for Windows Server 2008 and 2008 R2 on January 14, 2020.
Duo's last day of support for installation and use of any Duo applications on Windows operating systems or with Microsoft applications corresponds with the Microsoft end of support. We strongly urge you to upgrade to current versions of Microsoft operating systems and applications.
Enter the following command into PowerShell or a Command Prompt to silently install Duo for OWA with default options (note that the MSI filename changes to reflect the version):
v2.0.0 and later:
msiexec.exe /i duo-owa-2.0.0.msi DUO_CLIENT_ID="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_CLIENT_SECRET="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /qn
Up to v1.3.3:
msiexec.exe /i duo-owa-1.3.2.msi DUO_IKEY="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /qn
The parameter names passed to the installer (DUO_CLIENT_ID, DUO_CLIENT_SECRET, DUO_IKEY, DUO_SKEY, DUO_HOST, etc.) are case-sensitive!
You can also choose to change the default settings for fail mode to fail closed with FAILOPEN="#0", specify UPN as the username format sent to Duo instead of the sAMAccountName with DUO_USEUPNUSERNAME="#1", or define a shared session key on multiple OWA servers with DUO_AKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" (the AKEY is a string that you generate and keep secret from Duo; it should be at least 40 characters long).
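The silent install above, scripted for several client access servers as an added example (not Duo's own tooling): it generates one shared AKEY with a CSPRNG so every OWA server uses the same session key, and installs fail closed with UPN usernames. Server names, the local MSI path, and the Duo client ID, secret and API host are placeholders you replace with your own values.

```powershell
# Added example, not from Duo's documentation: generate one shared AKEY with a
# CSPRNG, then silently install Duo for OWA 2.x fail-closed on several servers.
# Placeholders (assumptions): server names, the local MSI path, and the Duo
# client ID / secret / API host, which you take from the Duo Admin Panel.

# The AKEY is a secret you generate and never share with Duo; the page asks for
# at least 40 characters. 32 random bytes hex-encoded gives 64 characters.
function New-DuoAkey {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

$Akey    = New-DuoAkey                              # same value on every OWA server
$Msi     = 'C:\Installers\duo-owa-2.0.0.msi'        # placeholder: MSI staged on each server
$Servers = 'CAS01', 'CAS02'                          # placeholder hostnames

# Installer property names are case-sensitive. FAILOPEN="#0" = fail closed,
# DUO_USEUPNUSERNAME="#1" = send userPrincipalName instead of sAMAccountName.
$Props = @(
    'DUO_CLIENT_ID="DIDIXXXXXXXXXXXXXXXXXXXX"'          # placeholder
    'DUO_CLIENT_SECRET="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"' # placeholder: load from a secret store
    'DUO_HOST="api-xxxxxxxx.duosecurity.com"'           # placeholder
    "DUO_AKEY=`"$Akey`""
    'FAILOPEN="#0"'
    'DUO_USEUPNUSERNAME="#1"'
)

foreach ($Server in $Servers) {
    Invoke-Command -ComputerName $Server -ArgumentList $Msi, $Props -ScriptBlock {
        param($MsiPath, $Properties)
        $Log     = Join-Path $env:TEMP 'duo-owa-install.log'
        $ArgList = @('/i', "`"$MsiPath`"") + $Properties + @('/qn', '/l*v', "`"$Log`"")
        $Proc    = Start-Process -FilePath msiexec.exe -ArgumentList $ArgList -Wait -PassThru
        # msiexec exit codes: 0 = success, 3010 = success but a reboot is required.
        if ($Proc.ExitCode -notin 0, 3010) {
            throw "$env:COMPUTERNAME: install failed with exit code $($Proc.ExitCode); see $Log"
        }
        "$env:COMPUTERNAME: Duo for OWA installed (msiexec exit $($Proc.ExitCode))"
    }
}
```

Keep the generated AKEY with your other secrets: if a server is rebuilt later it must be installed with the same value to share sessions with its peers.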
To silently remove Duo for OWA from your environment, run the following command from PowerShell or an elevated command prompt, specifying the MSI file for the version of Duo for OWA currently installed:
msiexec.exe /x duo-owa-2.0.0.msi /qb
Duo for OWA 2.0.0 supports TLS 1.2 and greater.
Duo for OWA 1.3.2 and 1.3.3 support TLS 1.0 and greater.
Duo is committed to ensuring our products adhere to the latest security recommendations. Microsoft recommends disabling TLS 1.0 & TLS 1.1 due to risk of potential security vulnerabilities. Learn more about Microsoft's position on TLS 1.0 and 1.1 in the white paper Solving the TLS 1.0 Problem.
As a result, Duo for Outlook Web Access (OWA) 1.3.2 and 1.3.3 on Exchange 2013 and later require .NET 4.5 or later present before installation to support TLS 1.2.
Updated .NET Minimum Requirements for OWA:
Duo also requires the "IIS Management Scripts and Tool" feature for installation.
The PowerShell commands for installing these features are:
Import-Module ServerManager
Add-WindowsFeature NET-Framework-45-Features
Add-WindowsFeature NET-Framework-45-ASPNET
Add-WindowsFeature NET-WCF-HTTP-Activation45
Add-WindowsFeature Web-Scripting-Tools
Additionally, these OWA-related IIS application pools must use .NET v4.0.30319 or later.
Typically no changes are needed to the IIS application pools. However, if you changed your OWA app pool settings from the Exchange defaults in the past you may need to adjust your pool .NET settings before installing Duo. You can change this from IIS Manager if necessary:
As of v2.0.0 Duo for OWA requires .NET framework 4.7.1 or later, and does not require ASP.NET 4.5 for IIS or the "IIS Management Scripts and Tool" feature.
TLS 1.1 and TLS 1.2 are not supported by Duo for OWA on Exchange 2010 due to limitations with Exchange Server 2010 and .NET Framework 3.5. Use TLS 1.0.
Duo's last day of support for OWA 2010 was February 15, 2021. Microsoft Exchange 2010 reached the end of support on October 13, 2020.
Consider migrating your organization to a later Exchange version to gain enhanced TLS compatibility, as well as numerous security and usability improvements.
Install Duo Security's OWA application on the Microsoft Exchange server(s) that have the "Client Access Server role" or "Client Access services" installed. Other Exchange roles (like the Mailbox role) may also be present. We recommend installing Duo on the outermost client access servers.
Yes, client access of the ECP web site will also require Duo authentication. If you already completed Duo authentication when logging on to your mailbox, you will not see an additional Duo prompt when accessing ECP settings.
Outlook Anywhere (also known as RPC over HTTPS) continues to work as it did prior to installing Duo. Duo's OWA application does not add two-factor authentication to the RPC endpoint. Outlook clients will not see an MFA prompt. We recommend against exposing the Outlook Anywhere endpoint to external access.
ActiveSync continues to work as it did prior to installing Duo. Duo's OWA application does not add two-factor authentication to the EWS and ActiveSync endpoints. ActiveSync clients will not see an MFA prompt. We do not recommend exposing the ActiveSync endpoint to external access.
Yes, as of version 1.2.0.
Yes, as of version 1.3.2.
Installing Duo's protection for OWA modifies some of Exchange's XML application configuration files. Exchange 2010 and 2013 CU installers overwrite any customizations to the XML files (see Microsoft TechNet for details). Remove and reinstall the Duo application after the CU install is completed.
This issue with overwriting the XML configuration files during CU install was corrected in Exchange 2016 CU 1, but has been observed again in later cumulative updates. Therefore, we recommend always uninstalling Duo for OWA before applying any CU and reinstalling Duo for OWA after CU install success.
If the Bypass Duo authentication when offline box is selected during installation, authentication attempts "fail open" after primary authentication is successful if the Duo service cannot be contacted. If you leave that option unchecked during install, Duo for OWA logins "fail closed", blocking OWA access if there is a problem contacting the Duo service.
Duo for OWA v1.x installers enabled fail open by default. Duo for OWA v2.x installers now default to fail closed for new installs and upgrades from v1.x, but upgrades from v2.0.0 to later releases preserve the installed fail mode selection.
This setting is controlled by a registry DWORD value FailOpen, with 1 allowing fail open and 0 preventing fail open.
To change the fail mode:
Launch the Registry Editor (regedit.exe) as an administrator.
Locate the registry REG_DWORD value FailOpen and change the current value to 0 or 1 as desired.
| Duo OWA Version | Registry Path |
|---|---|
| 1.x.x | HKLM\SOFTWARE\Duo Security\DuoIis\FailOpen |
| 2.0.0+ | HKLM\Software\Duo Security\DuoOwa\FailOpen |
Alternatively, you can enter the command reg add "HKLM\Software\Duo Security\DuoOwa" /v FailOpen /t REG_DWORD /d 1 /f in PowerShell to create or update the registry value for "fail open" (substituting 0 for 1 to "fail closed").
After changing this setting restart the IIS server with iisreset.
When troubleshooting an issue with OWA logins Duo support may request debug output from our application. You can enable this via a new registry value.
To turn on debug logging:
Launch the Registry Editor (regedit.exe) as an administrator.
Create a registry REG_DWORD value Debug set to 1.
| Duo OWA Version | Registry Path |
|---|---|
| 1.x.x | HKLM\Software\Duo Security\DuoIis\Debug |
| 2.0.0+ | HKLM\Software\Duo Security\DuoOwa\Debug |
Alternatively, you can enter the command reg add "HKLM\Software\Duo Security\DuoOwa" /v Debug /t REG_DWORD /d 1 /f in PowerShell to create or update the registry value.
After changing this setting restart the IIS server with iisreset.
Events are written as entries in the "Duo IIS Integration" event log under "Applications and Services Logs" in the Event Viewer.
To disable debug logging, set the Debug value to 0, or delete it entirely. Perform another iisreset to apply the change.
Duo for OWA sends a user's sAMAccountName to Duo as the Duo username by default. You can change the username format sent to Duo to userPrincipalName (UPN) starting with version 1.3.2.
For this to work, OWA and ECP must be using Forms-Based Authentication (FBA). Learn how to enable FBA for Exchange 2010, 2013, and 2016 at Microsoft TechNet.
If you enable this option, you must also change the properties of your OWA application in the Duo Admin Panel to change the "Username normalization" setting to None, or Duo will drop the domain suffix from the username sent from OWA to our service, which may cause user mismatches or duplicate enrollment.
Choose to send userPrincipalName usernames to Duo during installation by selecting the Send username to Duo in UPN format box in the Duo installer.
Enabling this setting after Duo installation requires creating a new registry value.
To change the username format to UPN:
Launch the Registry Editor (regedit.exe) as an administrator.
Create a registry REG_DWORD value UseUpnUsername set to 1 to enable UPN username format.
| Duo OWA Version | Registry Path |
|---|---|
| 1.x.x | HKLM\Software\Duo Security\DuoIis\UseUpnUsername |
| 2.0.0+ | HKLM\Software\Duo Security\DuoOwa\UseUpnUsername |
Alternatively, you can enter the command reg add "HKLM\Software\Duo Security\DuoOwa" /v UseUpnUsername /t REG_DWORD /d 1 /f in PowerShell to create or update the registry value.
After changing this setting restart the IIS server with iisreset.
If you installed Duo on multiple Exchange servers be sure to make the same registry change on each server.
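The three registry switches covered above (FailOpen, Debug, UseUpnUsername) all follow the same pattern: a REG_DWORD under the version-specific Duo key, followed by an iisreset, repeated on every server. The added helper below (example code, not Duo's) applies one switch consistently across a server list and reports the before/after value; it assumes the installed version can be inferred from which key exists (DuoOwa for 2.0.0+, DuoIis for 1.x.x, as in the tables), and the server names are placeholders.

```powershell
# Added example, not Duo's own tooling: set one of the Duo for OWA registry
# switches described above (FailOpen, Debug, UseUpnUsername) to the same value
# on every Exchange server, then restart IIS so the change takes effect.
# Assumption: the installed version is inferred from which key exists, DuoOwa
# for 2.0.0+ and DuoIis for 1.x.x, as in the tables. Server names are placeholders.
function Set-DuoOwaSwitch {
    param(
        [Parameter(Mandatory)][ValidateSet('FailOpen', 'Debug', 'UseUpnUsername')]
        [string]$Name,
        [Parameter(Mandatory)][ValidateSet(0, 1)]
        [int]$Value,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Name, $Value -ScriptBlock {
        param($Name, $Value)
        $Candidates = @(
            'HKLM:\SOFTWARE\Duo Security\DuoOwa'   # 2.0.0+
            'HKLM:\SOFTWARE\Duo Security\DuoIis'   # 1.x.x
        )
        $Key = $Candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
        if (-not $Key) { throw "$env:COMPUTERNAME: no Duo for OWA registry key found" }

        $Before = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -eq $Before) {
            # Value does not exist yet (typical for Debug, UseUpnUsername): create the REG_DWORD.
            New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value | Out-Null
        } else {
            Set-ItemProperty -Path $Key -Name $Name -Value $Value
        }
        # Duo's instructions require an IIS restart after any of these edits.
        iisreset | Out-Null
        [pscustomobject]@{
            Server = $env:COMPUTERNAME
            Key    = $Key
            Name   = $Name
            Before = $Before
            After  = (Get-ItemProperty -Path $Key -Name $Name).$Name
        }
    }
}

# Enforce fail closed everywhere, and turn on debug logging only while troubleshooting.
Set-DuoOwaSwitch -Name FailOpen -Value 0 -ComputerName 'CAS01', 'CAS02'
Set-DuoOwaSwitch -Name Debug    -Value 1 -ComputerName 'CAS01', 'CAS02'
```

Run the same call with -Name Debug -Value 0 when troubleshooting is finished; the function performs the required iisreset for you each time.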
Test-OWAConnectivity cmdlet after Duo is installed? Yes! If using Duo 1.2.x and earlier, first create a dedicated monitoring user account and mailbox (this is easily accomplished with Exchange's New-TestCasConnectivityUser.ps1 PowerShell script). Next, add that monitoring user to Duo and set that user's status to Bypass. There is no need to activate a device for the monitoring user.
With Duo OWA v1.3.2 and later, you do not need to create the Exchange health mailboxes as Duo users as we bypass 2FA for them automatically.
Ensure that you are installing Duo on an Exchange server that holds the Client Access Server role. Additionally, make sure to run the Duo MSI install package from an elevated command prompt (right-click and run as administrator).
Duo's application for OWA supports SSL offloading for Exchange 2010, 2013, and 2016 starting with version 1.2.0.
Prerequisites:
X-Forwarded-Proto and X-Forwarded-For headers in HTTP requests to your Exchange CAS role servers. Consult your load balancing solution vendor for instructions.
Verify that HTTP access to OWA and ECP sites works before installing Duo.
Once you install Duo for OWA make the following registry changes in order to permit HTTP requests from your load balancer:
iisreset command.
You'll also need to disable the SSL requirement for the Duo IIS virtual directory (just like you did earlier for OWA and ECP).
iisreset command.
Finally, if you have any content switching rules or other configuration on your load balancer that allows explicit access to the /owa and /ecp virtual sites on your CAS hosts, update these rules to allow access to the /duo virtual site created by the Duo for OWA installer. If you configured the rule that sends the required X-Forwarded-Proto and X-Forwarded-For headers only for the /owa and /ecp virtual sites you may also need to add a similar rule for the new /duo virtual site. Consult your load balancing solution vendor for instructions.
Any errors generated by Duo for SSL offloading (such as missing X-Forwarded-Proto header or permitted host IP or name not found in registry) are written to the Windows Application log.
Possible errors and resolutions:
Duo authentication cannot accept a cleartext (http) connection: Verify that the PermitInsecureRequests registry value exists and is set to 1 (true) and that you ran iisreset after the registry edits.
Rejecting cleartext request from hostname due to lack of x-forwarded-for: Verify that your load balancer is sending the X-Forwarded-For header to the CAS server.
Rejecting cleartext request from hostname due to lack of correct x-forwarded-proto: Verify that your load balancer is sending the X-Forwarded-Proto header to the CAS server.
Rejecting cleartext request from untrusted machine hostname: Verify that the host name or IP reported in the error has been added as a String value under the InsecureHostList registry key and that you ran iisreset after the registry edits.
Duo protection for Outlook Web App doesn't extend to Office 365 or Exchange Online mailbox logons. To require Duo 2FA for Exchange Online access you may deploy one of Duo's solutions for Office 365 access. Configure a Remembered Devices policy "for all protected web applications" and apply it to both your OWA and Office 365 Duo applications to avoid multiple Duo authentication prompts when redirected from Exchange to Office 365 and vice-versa.
No, the OWA app for iOS does not support multifactor authentication. Microsoft retired the OWA mobile apps on May 15, 2018. The native mail app for iOS will still work after Duo for OWA installation, providing mailbox access without MFA.
The username normalization setting was moved from a checkbox in the OWA MSI installer to an application option in the Duo Admin Panel starting with version 1.1.1 of Duo for OWA. If you are upgrading from an older version of Duo's OWA application to 1.1.1 or later, login to the Duo Admin Panel and ensure that you have username normalization set to Simple in the properties of your OWA application.
We do not test integration with SBS or Server Essentials and cannot guarantee support for those platforms.