Outlook Web Access over SSL using Forms Based Authentication AND Integrated Authentication
Outlook Web access is a fantastic tool for our company, providing on-the-go
access to people's mailboxes – which is of course secured by SSL and uses Forms
Based Authentication. Internally, we have an intranet portal that allows us to
access the various systems – one of which is OWA. One of the stipulations for
this internal portal is that it is all Single Sign On using NTLM authentication
– integrated authentication. This is where the problem lies because enabling OWA
with Forms Based Authentication over SSL disables Integrated Authentication. So
our choice is to have users enter their credentials twice (not acceptable) or to
disable FBA and have external users log on with the annoying pop-up.
You can create a copy of the /Exchange and /Public Virtual Directories and
configure them to use Integrated Authentication. You can also restrict access to
them by IP…here's how:
I'm assuming you've already set up OWA with SSL on your Exchange server. If you need to do that, try How
do I configure OWA to use SSL? at Daniel Petri's site
- Log onto your Exchange Server, and open up the IIS control panel. Locate
your /Exchange and /Public virtual directories.
- Right click /Exchange, select "All Tasks" and then "Save Configuration to a
- Go through the dialogue, save to a file and if you're worried about security, add a password.
- Once you're done, right click any white space in the root web site (or the exchange web site) and select "New", then select "Virtual Directory (from file)…"
- You will be presented with the "Import Configuratio" dialogue, click "Browse…" and select the file you've just created. Click "Read File" and select the Exchange location underneath
- Click "OK" and you'll be asked to provide a new name, or replace the existing Virtual Directory – select create a new one and put an appropriate name (I uses ExchangeIA)
- Now, this step is optional, but read on anyway because you might want to think about it. I only want to allow people on my network to access this using Integrated Authentication, no one else, so I am going to restrict access to the Virtual Directory that I've just created to my IP subnet. To do this right click the newly created Virtual Directory (ExchangeIA) and select the "Directory Security" tab. Under "IP address and domain name restrictions" click "Edit". Now select "Denied access" to deny anyone other than the exceptions, then click "Add.." and enter the details of your network to allow those computers access.
- Now head back to step 1 and repeat for the /Public folder, if Integrated Authentication is required for Public Folders.