This article is now 14 years old! It is highly likely that this information is out of date and the author will have completely forgotten about it. Please take care when following any guidance to ensure you have up-to-date recommendations.
Outlook Web Access (OWA) is a fantastic tool for our company, providing on-the-go access to people’s mailboxes, which is of course secured by SSL and uses Forms Based Authentication (FBA). Internally, we have an intranet portal that allows us to access the various systems, one of which is OWA. One of the stipulations for this internal portal is that it is all Single Sign On using NTLM integrated authentication. This is where the problem lies, because enabling OWA with Forms Based Authentication over SSL disables Integrated Authentication. So our choice is to have users enter their credentials twice (not acceptable) or to disable FBA and have external users log on with the annoying pop-up.

You can create a copy of the /Exchange and /Public Virtual Directories and configure them to use Integrated Authentication. You can also restrict access to
Now, this step is optional, but read on anyway because you might want to think about it. I only want to allow people on my network to access this using Integrated Authentication, no one else, so I am going to restrict access to the Virtual Directory that I’ve just created to my IP subnet. To do this, right-click the newly created Virtual Directory (ExchangeIA) and select the “Directory Security” tab. Under “IP address and domain name restrictions”, click “Edit”. Now select “Denied access” to deny anyone other than the exceptions, then click “Add...” and enter the details of your network to allow those computers access.
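The restriction step above depends on picking the right default: the exception list inverts whatever the default is. The following is an added example, not part of the original post, that models that logic and audits a rule set before it is relied on. The subnet and client addresses are constructed, the "address, mask" entry format and the function names are this example's own, and treating only RFC 1918 ranges as internal is an assumption.

```python
import ipaddress

# Assumption: "internal" means RFC 1918 space; adjust to your own addressing plan.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_entry(entry):
    """Parse an 'address, mask' exception; a single host has no mask."""
    addr, _, mask = (part.strip() for part in entry.partition(","))
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)

def is_allowed(client, default_granted, exceptions):
    """Mirror the dialog: exceptions invert whatever the default is."""
    ip = ipaddress.ip_address(client)
    listed = any(ip in parse_entry(e) for e in exceptions)
    return listed != default_granted

def audit(default_granted, exceptions):
    """Return findings for rule sets that do not limit access to internal hosts."""
    findings = []
    if default_granted:
        findings.append("default is 'Granted access': the listed networks are "
                        "blocked and everyone else is allowed")
    elif not exceptions:
        findings.append("default is 'Denied access' with no exceptions: "
                        "nobody can reach the directory")
    for entry in exceptions:
        net = parse_entry(entry)
        if not default_granted and not any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"{entry}: exception lies outside internal ranges")
    return findings

if __name__ == "__main__":
    subnet = ["192.168.10.0, 255.255.255.0"]      # constructed internal subnet
    clients = ["192.168.10.25", "203.0.113.7"]    # constructed internal/external
    for label, default_granted in (("Denied access", False), ("Granted access", True)):
        print(label, {c: is_allowed(c, default_granted, subnet) for c in clients},
              audit(default_granted, subnet))
```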