How-to – Exchange Server 2010 Outlook Web App Authentication Settings


Outlook Web App (OWA) is the webmail interface for Exchange Server 2010. Most of you will already be familiar with the acronym OWA from previous versions of Exchange Server, where webmail was named Outlook Web Access.

Outlook Web App is hosted on the Client Access Server role for Exchange Server 2010 and integrated with IIS 7.  The OWA URL is typically something like this:

https://webmail.mycompany.com/owa

To connect to Outlook Web App users must authenticate first.  The OWA virtual directory can be secured using different authentication settings depending on the network environment.

Exchange Server 2010 Outlook Web App Authentication Types

There are four authentication methods available for Exchange Server 2010 OWA.  They are:

Integrated Authentication – this allows domain users who are logged on to domain computers to log on to Outlook Web App automatically. This is useful for internal Outlook Web App access, as it simplifies the logon process for domain users (they don’t need to log on once to the computer and then a second time for OWA). However, Integrated Authentication is not suitable for remote access by people using non-domain member computers, or for people who are connecting via proxy servers.

Basic Authentication – this uses the HTTP protocol to send the logon credentials to the server. Because the credentials are sent “in the clear”, the use of SSL is highly recommended for securing them. Also, because Basic Authentication credentials can be cached in web browsers, it is recommended to use an additional authentication factor (e.g. a one-time password from a token) to prevent unauthorized access from public kiosk computers using the cached credentials.


Digest Authentication – this method solves the problem with Basic Authentication where credentials are sent “in the clear” by sending a hashed password instead. Digest Authentication also works through a proxy server, unlike Integrated Authentication. However, Digest Authentication does have some other configuration requirements, such as the use of reversible encryption for password storage in Active Directory. These may make it an undesirable option for many organizations.

Forms-Based Authentication – this method uses a sign-in webpage on the server to collect logon credentials. As with Basic Authentication, the use of SSL with Forms-Based Authentication is highly recommended to protect the user credentials.


Forms-Based Authentication has three additional configuration options for how the user credentials are submitted.

  • Domain\Username – users enter their credentials in the format Domain\Username, using either the NetBIOS or FQDN form of the domain name.
  • User Principal Name (UPN) – if this option is chosen, only users who have a UPN that matches their email address will be able to log on to Outlook Web App. You can compare a mailbox's UPN and primary SMTP address with Get-Mailbox:

    [PS] C:\>Get-Mailbox "alan reid" | fl name, userprincipalname, primarysmtpaddress

    Name               : Alan.Reid
    UserPrincipalName  : [email protected]
    PrimarySmtpAddress : [email protected]

  • Username Only – with this option the Exchange administrator specifies a default domain for OWA logons, and users in that domain can log on with username only. Users in other domains must still use Domain\Username.
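Before choosing the User Principal Name logon format it is worth knowing which mailboxes would be locked out. The following Exchange Management Shell script is an added example, not part of the original article: it reports every mailbox whose UPN differs from its primary SMTP address and can preview (with -WhatIf) aligning the UPN to that address. The function name Get-OwaUpnMismatch and the -PreviewFix switch are this example's own.

```powershell
# Added example (not from the original article). Lists mailboxes whose UPN
# does not match the primary SMTP address; these users cannot log on to OWA
# once the Forms-Based logon format is set to User Principal Name.
# Run from the Exchange Management Shell.
function Get-OwaUpnMismatch {
    param(
        # Preview setting each mismatched UPN to the primary SMTP address.
        # Changes are only shown (-WhatIf); drop -WhatIf after reviewing the list.
        [switch]$PreviewFix
    )

    $mismatched = Get-Mailbox -ResultSize Unlimited | Where-Object {
        # -ne is case-insensitive, so Alan.Reid@... and alan.reid@... count as equal.
        $_.UserPrincipalName -ne $_.PrimarySmtpAddress.ToString()
    }

    if ($PreviewFix) {
        foreach ($mbx in $mismatched) {
            # The suffix of the new UPN must already be a registered UPN suffix
            # in the Active Directory forest, or Set-Mailbox will reject it.
            Set-Mailbox -Identity $mbx.DistinguishedName `
                -UserPrincipalName $mbx.PrimarySmtpAddress.ToString() -WhatIf
        }
    }

    # Return only the fields needed to review the result.
    $mismatched | Select-Object Name, UserPrincipalName, PrimarySmtpAddress
}

# Example run: show the mismatches and how many mailboxes are affected.
$report = Get-OwaUpnMismatch
$report | Format-Table -AutoSize
"{0} mailbox(es) would be unable to log on with the UPN format" -f @($report).Count
```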

Configuring Outlook Web App for Integrated Authentication

In this example the Exchange Server 2010 OWA virtual directory is being configured for Integrated Authentication.

Using the Exchange Management Console navigate to Server Configuration -> Client Access, and choose the server you wish to configure.  Select the Outlook Web App tab, then right-click the OWA virtual directory and choose Properties.

[Figure: Configuring an Exchange Server 2010 OWA Virtual Directory]

Select the Authentication tab. Choose Use one or more Standard Authentication Methods and tick the Integrated Windows Authentication box.


Click OK to apply the change.

To perform the same configuration using the Exchange Management Shell run this command.

[PS] C:\>Set-OwaVirtualDirectory "EX3\owa (Default Web Site)" -BasicAuthentication $false -WindowsAuthentication $true -DigestAuthentication $false

You will notice that three settings were specified in the command. This is because Basic, Integrated, and Digest Authentication can be enabled concurrently so that the OWA virtual directory supports multiple authentication methods. Because of this you should explicitly configure the authentication methods the way that you intend them to be set, rather than modifying only a single authentication method.

Configuring Outlook Web App for Forms-Based Authentication

In this example the Exchange Server 2010 OWA virtual directory is being configured for Forms-Based Authentication.

Using the Exchange Management Console navigate to Server Configuration -> Client Access, and choose the server you wish to configure.  Select the Outlook Web App tab, then right-click the OWA virtual directory and choose Properties.

[Figure: Configuring an Exchange Server 2010 OWA Virtual Directory]

Select the Authentication tab.  Choose Use forms-based authentication and then choose a logon format, in this example User name only.


Click OK to apply the change.

To perform the same configuration using the Exchange Management Shell run the following command.

[PS] C:\>Set-OwaVirtualDirectory "EX3\owa (Default Web Site)" -FormsAuthentication $true -LogonFormat UserName -DefaultDomain exchangeserverpro.local

After you enable Forms-Based Authentication you might notice that Basic Authentication is also enabled on the OWA virtual directory, even if it was not enabled previously. This is because OWA virtual directories that are configured for Forms-Based Authentication will fall back to Basic Authentication when necessary, for example when they are published to the internet using an ISA Server 2006 or Forefront TMG reverse proxy server. In that situation the ISA or TMG publishing rule should be configured for Authentication Delegation using Basic Authentication.

Other Steps When Changing Outlook Web App Authentication Settings

You will notice as you modify OWA virtual directory authentication settings that two additional steps are usually required:

  • Resetting IIS – this is required any time you switch to or from Forms-Based Authentication. From a command prompt window run the following command:

    iisreset /noforce

  • Modifying the ECP virtual directory – ECP stands for Exchange Control Panel and is the self-service web portal for end users to make changes to their mailbox, distribution lists they manage, and some other items. The authentication method for this virtual directory should be configured to match the OWA virtual directory.
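The three points made above (set every authentication flag explicitly, keep ECP in step with OWA, and reset IIS when Forms-Based Authentication is toggled) can be combined into one Exchange Management Shell script. The script below is an added example and not the article's own; it assumes it is run on the Client Access Server itself (iisreset acts on the local machine) and reuses the article's sample server name EX3 and domain exchangeserverpro.local as defaults.

```powershell
# Added example, not from the original article. Applies one authentication
# profile to both the OWA and ECP virtual directories, stating every flag
# explicitly so no earlier method is left enabled, then resets IIS only when
# the Forms-Based setting actually changed. Assumed: run in the Exchange
# Management Shell on the CAS itself (iisreset acts locally); server EX3 and
# domain exchangeserverpro.local are the article's own sample values.
param(
    [string]$Server = "EX3",
    [ValidateSet("Integrated", "FormsBased")]
    [string]$Mode = "FormsBased",
    [string]$DefaultDomain = "exchangeserverpro.local"
)

$owaId = "$Server\owa (Default Web Site)"
$ecpId = "$Server\ecp (Default Web Site)"

# Remember the current Forms-Based state; switching it needs an IIS reset.
$fbaBefore = (Get-OwaVirtualDirectory -Identity $owaId).FormsAuthentication

# Start from "all off" and enable only what the chosen mode needs.
$auth = @{ BasicAuthentication = $false; WindowsAuthentication = $false
           DigestAuthentication = $false; FormsAuthentication = $false }
$owaOnly = @{}
switch ($Mode) {
    "Integrated" { $auth.WindowsAuthentication = $true }
    "FormsBased" {
        $auth.FormsAuthentication = $true
        # FBA falls back to Basic (e.g. behind an ISA/TMG publishing rule) and
        # Exchange enables it anyway, so state it explicitly rather than be surprised.
        $auth.BasicAuthentication = $true
        # Logon format and default domain exist only on the OWA directory.
        $owaOnly = @{ LogonFormat = "UserName"; DefaultDomain = $DefaultDomain }
    }
}

Set-OwaVirtualDirectory -Identity $owaId @auth @owaOnly
# ECP is configured to match OWA, as the article recommends.
Set-EcpVirtualDirectory -Identity $ecpId @auth

# Show the resulting settings for both virtual directories side by side.
@(Get-OwaVirtualDirectory -Identity $owaId; Get-EcpVirtualDirectory -Identity $ecpId) |
    Format-Table Identity, BasicAuthentication, WindowsAuthentication,
                 DigestAuthentication, FormsAuthentication -AutoSize

if ((Get-OwaVirtualDirectory -Identity $owaId).FormsAuthentication -ne $fbaBefore) {
    iisreset /noforce
}
```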

[This is a revisited page. Original source page] http://exchangeserverpro.com