Exchange Server 2010 Outlook Web App Authentication Settings

Outlook Web App (OWA) is the webmail interface for Exchange Server 2010.  Most of you will already be familiar with the acronym OWA from previous versions of Exchange Server where webmail was named Outlook Web Access.

Outlook Web App is hosted on the Client Access Server role for Exchange Server 2010 and integrated with IIS 7.  The OWA URL is typically something like this:

https://webmail.mycompany.com/owa

To connect to Outlook Web App users must authenticate first.  The OWA virtual directory can be secured using different authentication settings depending on the network environment.

Exchange Server 2010 Outlook Web App Authentication Types

There are four authentication methods available for Exchange Server 2010 OWA.  They are:

Integrated Authentication – this allows domain users who are logged on to domain computers to automatically logon to Outlook Web App.  This is useful for internal Outlook Web App access as it simplifies the logon process for domain users (they don’t need to logon once to the computer and then a second time for OWA).  However Integrated Authentication is not suitable for remote access by people using non-domain member computers, or people who are connecting via proxy servers.

Basic Authentication – this uses the HTTP protocol to send the logon credentials to the server.  Because the credentials are sent “in the clear” the use of SSL is highly recommended for securing them.  Also, because Basic Authentication credentials can be cached in web browsers it is recommended to use an additional authentication factor (e.g. a one-time password from a token) to prevent unauthorized access from public kiosk computers using the cached credentials.

Logon dialog box for Outlook Web App using Basic Authentication

Digest Authentication – this method solves the problem with Basic Authentication where credentials are sent “in the clear” by sending a hashed password instead.  Digest Authentication also works through a proxy server, unlike Integrated Authentication.  However Digest Authentication does have some other configuration requirements, such as the use of reversible encryption for password storage in Active Directory.  These may make it an undesirable option for many organizations.

Forms-Based Authentication – this method uses a sign-in webpage on the server to collect logon credentials.  As with Basic Authentication, the use of SSL with Forms-Based Authentication is highly recommended to protect the user credentials.

The Exchange Server 2010 OWA Logon Page

Forms-Based Authentication has three additional configuration options for how the user credentials are submitted.

  • Domain\Username – users enter their credentials in the format Domain\Username, using either the NetBIOS name or the FQDN for the domain name.
  • User Principal Name (UPN) – if this option is chosen only users who have a UPN specified that matches their email address will be able to logon to Outlook Web App.  You can check this for a mailbox with Get-Mailbox, for example:

    [PS] C:\>Get-Mailbox "alan reid" | fl name, userprincipalname, primarysmtpaddress

    Name               : Alan.Reid
    UserPrincipalName  : Alan.Reid@exchangeserverpro.local
    PrimarySmtpAddress : Alan.Reid@exchangeserverpro.local

  • Username Only – with this option the Exchange administrator specifies a default domain for OWA logons, and users in that domain can logon with username only.  Users in other domains must still use Domain\Username.
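Before switching the logon format to UPN, it is worth finding every mailbox whose UPN does not match its primary SMTP address, since those users would be locked out of OWA.  The following script is an added example, not a command from the original article; the function name Get-OwaUpnMismatch is invented and it assumes an Exchange 2010 Management Shell session.

```powershell
# Added example (not from the original article): list mailboxes whose UPN
# differs from their primary SMTP address. Such users cannot sign in to OWA
# once the virtual directory uses the UPN logon format.
# Assumes an Exchange 2010 Management Shell session.

function Get-OwaUpnMismatch {
    param(
        # Optional: limit the audit to one mailbox database, e.g. "DB01"
        [string]$Database
    )

    $params = @{ ResultSize = 'Unlimited' }
    if ($Database) { $params['Database'] = $Database }

    Get-Mailbox @params |
        Where-Object {
            # PrimarySmtpAddress is an SmtpAddress object, so compare it as text.
            # String -ne is case-insensitive in PowerShell, which suits email addresses.
            $_.UserPrincipalName -ne $_.PrimarySmtpAddress.ToString()
        } |
        Select-Object Name, UserPrincipalName, PrimarySmtpAddress
}

# Report the mismatches; each user listed would fail OWA logon with
# Set-OwaVirtualDirectory -LogonFormat PrincipalName until the UPN is corrected.
$mismatches = @(Get-OwaUpnMismatch)
if ($mismatches.Count -gt 0) {
    Write-Warning ("{0} mailbox(es) have a UPN that differs from the primary SMTP address." -f $mismatches.Count)
    $mismatches | Format-Table -AutoSize
} else {
    Write-Host 'All mailbox UPNs match their primary SMTP address; the UPN logon format is safe to enable.'
}
```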

Configuring Outlook Web App for Integrated Authentication

In this example the Exchange Server 2010 OWA virtual directory is being configured for Integrated Authentication.

Using the Exchange Management Console navigate to Server Configuration -> Client Access, and choose the server you wish to configure.  Select the Outlook Web App tab, then right-click the OWA virtual directory and choose Properties.

Configuring an Exchange Server 2010 OWA Virtual Directory

Select the Authentication tab.  Choose Use one or more Standard Authentication Methods and tick the Integrated Windows Authentication box.

Enabling Integrated Authentication for Exchange Server 2010 OWA

Click OK to apply the change.

To perform the same configuration using the Exchange Management Shell run this command.

[PS] C:\>Set-OwaVirtualDirectory "EX3\owa (Default Web Site)" -BasicAuthentication $false -WindowsAuthentication $true -DigestAuthentication $false

You will notice that three settings were specified in the command. This is because Basic, Integrated, and Digest Authentication can be enabled concurrently so that the OWA virtual directory supports multiple authentication methods. Because of this you should explicitly configure the authentication methods the way that you intend them to be set, rather than modifying only a single authentication method.

Configuring Outlook Web App for Forms-Based Authentication

In this example the Exchange Server 2010 OWA virtual directory is being configured for Forms-Based Authentication.

Using the Exchange Management Console navigate to Server Configuration -> Client Access, and choose the server you wish to configure.  Select the Outlook Web App tab, then right-click the OWA virtual directory and choose Properties.

Configuring an Exchange Server 2010 OWA Virtual Directory

Select the Authentication tab.  Choose Use forms-based authentication and then choose a logon format, in this example User name only.

Configuring Forms-Based Authentication for Exchange Server 2010 OWA

Click OK to apply the change.

To perform the same configuration using the Exchange Management Shell run the following command.

[PS] C:\>Set-OwaVirtualDirectory "EX3\owa (Default Web Site)" -FormsAuthentication $true -LogonFormat UserName -DefaultDomain exchangeserverpro.local

Other Steps When Changing Outlook Web App Authentication Settings

You will notice as you modify OWA virtual directory authentication settings that two additional steps are usually required:

  • Resetting IIS – this is required any time you switch to or from Forms-Based Authentication.  From a command prompt window run the following command:

    iisreset /noforce

  • Modifying the ECP virtual directory – ECP stands for Exchange Control Panel and is the self-service web portal for end users to make changes to their mailbox, distribution lists they manage, and some other items.  The authentication method for this virtual directory should be configured to match the OWA virtual directory.
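The two shell commands above and the two extra steps in this list can be combined into one repeatable change.  The following script is an added example, not the article's own command set: it applies the same authentication profile to both the OWA and ECP virtual directories, resets IIS only when forms-based authentication was switched on or off, and prints both directories so a mismatch is obvious.  The function name Set-OwaEcpAuthentication is invented; EX3 and exchangeserverpro.local are the article's sample values, and an Exchange 2010 Management Shell session is assumed.

```powershell
# Added example (not from the original article): configure OWA and ECP
# together so their authentication methods always match, as the article
# recommends, and reset IIS only when the FBA setting actually changed.
# Assumes an Exchange 2010 Management Shell session on the CAS.

function Set-OwaEcpAuthentication {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][ValidateSet('Integrated', 'Forms')][string]$Mode,
        # Forms mode only: the values accepted by Set-OwaVirtualDirectory -LogonFormat
        [ValidateSet('FullDomain', 'UserName', 'PrincipalName')][string]$LogonFormat = 'UserName',
        # Forms mode with the UserName format only
        [string]$DefaultDomain
    )

    $owaId = "$Server\owa (Default Web Site)"
    $ecpId = "$Server\ecp (Default Web Site)"

    # Remember whether FBA was on: switching it is what requires an IIS reset
    $fbaBefore = (Get-OwaVirtualDirectory -Identity $owaId).FormsAuthentication

    if ($Mode -eq 'Forms') {
        # Enabling FBA replaces the standard methods, so only FBA is passed here
        $auth = @{ FormsAuthentication = $true }
        $owaOnly = @{ LogonFormat = $LogonFormat }
        if ($LogonFormat -eq 'UserName') {
            if (-not $DefaultDomain) { throw 'The UserName logon format requires -DefaultDomain.' }
            $owaOnly['DefaultDomain'] = $DefaultDomain
        }
    } else {
        # Basic, Integrated and Digest can be enabled concurrently, so every
        # one of them is set explicitly rather than toggling a single method.
        $auth = @{
            BasicAuthentication   = $false
            WindowsAuthentication = $true
            DigestAuthentication  = $false
        }
        $owaOnly = @{}
    }

    Set-OwaVirtualDirectory -Identity $owaId @auth @owaOnly
    # ECP has no logon-format settings, but its methods must match OWA
    Set-EcpVirtualDirectory -Identity $ecpId @auth

    $fbaAfter = (Get-OwaVirtualDirectory -Identity $owaId).FormsAuthentication
    if ($fbaBefore -ne $fbaAfter) {
        Write-Host 'Forms-based authentication was switched; resetting IIS.'
        iisreset /noforce
    }

    # Show both directories side by side so any mismatch stands out
    $methods = @('BasicAuthentication', 'WindowsAuthentication', 'DigestAuthentication', 'FormsAuthentication')
    Get-OwaVirtualDirectory -Identity $owaId |
        Select-Object -Property (@('Identity') + $methods + @('LogonFormat', 'DefaultDomain'))
    Get-EcpVirtualDirectory -Identity $ecpId |
        Select-Object -Property (@('Identity') + $methods)
}

# The first call matches the article's Integrated example; uncomment the
# second for its Forms-Based example instead.
Set-OwaEcpAuthentication -Server EX3 -Mode Integrated
# Set-OwaEcpAuthentication -Server EX3 -Mode Forms -LogonFormat UserName -DefaultDomain exchangeserverpro.local
```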

Comments

  1. Mohamed Abdel hamid says

    In the name of God, the Most Gracious, the Most Merciful
    Thank you very much for your tutorial.
    I want to ask about the best way to do Outlook Web App authentication.

    I selected Integrated Authentication and Digest Authentication. Is this good, and does this need any more configuration?

    Thank you again.
    May God grant success.

    • says

      Hi Mohamed, what is “best” depends on your environment and how people are accessing OWA.

      Integrated Authentication is fine if you’re happy with how that works.

  2. Chanchal says

    Hi,

    I am new to Exchange 2010, I have enabled forms-based authentication and I am using Exchange SSL.
    What changes do I need to make in IIS and Exchange so that users will be able to access it from outside?

    Thanks in advance
    Chanchal Sharma

    • Uwe says

      Dear Chanchal,

      Yes, both are possible and run well. You must change the UPN of the user to his email address.

      Then the user can logon with his SAM- or UPN account settings without the domain.

      Regards
      Uwe

  3. Jack says

    Hi Paul,
    Can I use all three ways (Domain\User, UPN, User Only) to logon to OWA at the same time? I mean whatever way I choose can logon to OWA at any time.

    Thanks.

    • Uwe says

      Hi Jack,

      No, it didn't work because you must decide on either domain\user or only user (see above pic). The UPN is configured in ADUG at user level.

      Regards
      Uwe

  4. Carol Ostos says

    Having a bit of an issue with Outlook Web App. Moved some mailboxes from E2K3 to E2K10 and created new mailboxes just to see if the problem was to do with the mailbox move but seems that the problem persists regardless.

    Logon, Logoff, Error aspx pages load with no problems but seems like the browser cannot parse dll’s
    All these files are located under the auth folder.

    I have found some links that talk about adding preCondition= “bitness62″ to the isapifilters (Exchange OWA Cookie Authentication ISAPI Filter and Exchange ActiveSync ISAPI Filter) found on the applicationHost file on SystemRoot\inetsrv\config.

    I have performed Test-OwaConnectivity checks and I get the following

    VERBOSE: [00:03:38.762 GMT] Test-OwaConnectivity : Resolved current organization: .
    VERBOSE: [00:03:38.762 GMT] Test-OwaConnectivity : Adding a test instance for URL
    ‘https://casserverfqdn/’ specified with the -URL argument.
    VERBOSE: [00:03:39.778 GMT] Test-OwaConnectivity : [10:03:38.762] : The TrustAnySSLCertificate flag was specified, so
    any certificate will be trusted.
    VERBOSE: [00:03:39.778 GMT] Test-OwaConnectivity : [10:03:39.215] : Sending the HTTP GET logon request without
    credentials for authentication type verification.
    VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : The HTTP request succeeded with result code 200
    (OK).
    VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : The sign-in page is from Outlook Web App, not ISA
    Server.
    VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : The server reported that it supports authentication
    method FBA.
    VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : This virtual directory URL type is External or
    Unknown, so the authentication type won’t be checked.
    VERBOSE: [00:03:41.090 GMT] Test-OwaConnectivity : [10:03:41.028] : Trying to sign in with method ‘Fba’.
    VERBOSE: [00:03:41.090 GMT] Test-OwaConnectivity : [10:03:41.028] : Sending HTTP request for logon page
    ‘https://casserverfqdn/owa/auth/owaauth.dll’.
    WARNING: [10:04:03.544] : The HTTP logon request returned the non-OK result code 302 (Found).

    Confirm
    Continue with this operation?
    [Y] Yes [A] Yes to All [H] Halt Command [?] Help (default is “Y”): A
    WARNING: [10:04:03.544] : The test encountered an error while signing in to Outlook Web App.
    HTTP code: 302
    WARNING: [10:04:03.544] : Test failed for URL ‘https://casserverfqdn/’.

    RunspaceId : 1a842b77-bbac-459d-a629-86e1fcbb942a
    AuthenticationMethod : FBA
    MailboxServer :
    LocalSite : SYDNEY
    SecureAccess : True
    VirtualDirectoryName :
    Url : https://casserverfqdn/
    UrlType : Unknown
    Port : 0
    ConnectionType : Plaintext
    ClientAccessServerShortName :
    LocalSiteShortName : SYDNEY
    ClientAccessServer :
    Scenario : Logon
    ScenarioDescription : Sign in to Outlook Web App and verify the response page.
    PerformanceCounterName : Logon Latency
    Result : Failure
    Error : The test encountered an error while signing in to Outlook Web App.
    HTTP code: 302
    UserName : xxxxxxxxx
    StartTime : 4/13/2012 10:03:40 AM
    Latency : -00:00:00.0010000
    EventType : Error
    LatencyInMillisecondsString :
    Identity :
    IsValid : True

    VERBOSE: [00:04:08.919 GMT] Test-OwaConnectivity : Admin Audit Log: Entered Handler:OnComplete.
    VERBOSE: [00:04:08.919 GMT] Test-OwaConnectivity : Ending processing &

    Any clues? I did not want to recreate the owa and ecp virtual directories.

    Something else to mention, I tried to run the script called UpdateCas.ps1 found on the bin directory with the hope to update any missing or corrupted files but no joy!

    Thanks!!!

    • Carol Ostos says

      Just an update, after my post, I have tried the following workarounds:

      a) Resetting the virtual directories for both owa and ecp. I have no issues performing these tasks. Both directories were removed and created again, and I changed the settings to include our externalURL, but still no luck.

      b) Added preCondition= “bitness64″ to both isapifilters (Exchange OWA Cookie Authentication ISAPI Filter and Exchange ActiveSync ISAPI Filter) found on the applicationHost file on SystemRoot\inetsrv\config. Reset IIS and tried both ecp and owa but still no luck

      c) Checked Exchange FBA service was running.

      I’m out of options, what can I do? Thanks!!!!

  5. sidneyleusson says

    Hello, I have now set up user authentication for basic authentication, and I want to change to authentication by form, following the steps you describe in your tutorial, but it does not work. Could it be that I have to do something else in IIS? I have Exchange 2010.

  6. Leo S says

    This only seems to work for the logon page, not for the settings and options within OWA. pretty pointless IMHO.

  7. Chetan says

    Our current OWA access is to Forms Based Authentication.

    A requirement now is that if I am connected to the company network, I shouldn’t need to enter credentials, it should automatically do a Single-Sign-On to OWA. If I’m not on the network, I should be prompted for credentials, as is working now.

    Questions: Can OWA be configured with Windows Integrated Authentication for (internal or network connected) users and also have other authentication (I'm thinking Digest, for security) so accessing OWA will prompt for credentials for external or non-network connected users?

    • Carol Ostos says

      We were using FBA for internal and planned to use it for external as well. We are now setting up Outlook Web App externally with TMG + RSA, so we have changed the internal authentication method to Basic and Windows Integrated, so internally we don't need credentials when using IE. You do need to provide credentials if using other browsers unless you say save my credentials, which won't be ideal: if your password gets cached you might have failed login attempts. So for external you can definitely have FBA. Good luck with your setup because we are still unable to get RSA working ;(

  8. Chris says

    I should have known … the best info I found regarding authentication issues was right here, where I already subscribed to :-)

    Thanks Paul

  9. Brodiemac says

    I have everything setup according to this article. I was prompted to also change ECP and restart IIS which I did but we are still not getting Integrated Windows Authentication to work. It is still prompting for the input of username/password. Any ideas?

    • says

      If you’re using Integrated auth and you expect it to automatically login without prompting for credentials you need to make sure that the OWA URL is included in one of the Internet Explorer security zones where automatic login is enabled (usually either Trusted or Intranet zones will do it).

      • Brodiemac says

        We have that URL setup in the Trusted Zone in one of our group policies and yet people are still being prompted for login credentials.

        • taylor says

          Hi, I am running into the same issue where “integrated” security is selected but users are still getting prompted. How did you resolve the prompt issue?

  10. Sameer says

    Hi,

    I need to know how to configure Integrated Windows Authentication for internal users and FBA for external users.

    Thanks a lot

  11. Martin Berard says

    We also would like to know if anyone succeeded in setting up an environment with integrated auth for internal use and forms-based for external users.

    Is it possible to install 2x OWA on the same server with different authentication settings and using virtual host such as: mail.mycompany.local vs mail.mycompany.com?

    Martin

  12. Varun Sharma says

    We installed a new Exchange Server 2010; the setup is fully loaded, but when we open OWA and enter the user name it will not redirect me to webmail, it shows the default OWA webpage again. Kindly help me out to resolve the issue; we already tried with domain\user name and user name but it will not redirect me to webmail.

    Kindly reply with solution.

  13. Kirld says

    Hi Paul,

    I have researched over the internet if it is possible.

    Is it possible to restrict some users from accessing OWA on the public Internet, but have them access it only on the internal network? If we are to disable OWA's external access, all users will be affected; we only want to restrict some users but not all.

    Is it possible?

    Thanks in advance.

  14. Marjolein says

    Hi,

    I have set up 2 OWA sites, one with Windows Integrated Authentication and one with Forms Based. We are running the WIA site under a service account but it seems Exchange can’t handle that. Kerberos works fine (confirmed in info screen) but attachments can’t be previewed because the temporary folder that is used to store the attachments during viewing is set to allow access to the system account only. Have you ever come across this issue and if so, do you happen to know how to solve it?

    Kind regards,
    Marjolein

      • Marjolein says

        Hi Paul,

        Here’s my reasoning:
        – an SPN needs to be set on the A-record at which the site is addressed
        – for linux machines to work well with kerberos, a corresponding PTR record needs to exist as well
        – the Exchange hosts reside in a HLB configuration
        * conclusion: the webmail address needs its own A and PTR record set to an address associated with the HLB and the SPN needs to be set at that record.
        Am I missing something?

  15. Brian Rota says

    Hello
    In Exchange 2003 if you have integrated configured and you logged on a PC without a mailbox you are prompted to fallback to basic and you can enter a username and password.
    In 2010 now these users get notified that the mailbox does not exist with no option to log in again.
    I have some generic computers that are logged on with accounts that do not have mailboxes. I know I can take the URL out of the intranet zone but the customer is not sure of where all of the machines are, so a GPO may be tough.
    Is there a way to make 2010 to just reprompt for authentication if the logon account does not have a mail box like 2003 did?

    Thank you

  16. Aidan says

    Hi Paul,

    Is there a way to stop the login prompts when users are logging in from an untrusted domain?

    Users are logging in from as so:

    outlookdomain.local
    exchangedomain.global

    Autodiscover service is being found, but prompts for the password. Once accounts are setup the users are prompted for login details every time they open outlook.

    I have been able to resolve some users' issues by using Credential Manager in Windows 7… but half the people on our network are still on XP/Outlook 2007 (don't ask… :/ this is the environment I inherited…)

    If you could help me out here i would kiss you…or at the very least buy you a pint :)

    Kind regards,
    Aidan.

  17. Karthik says

    We have an Exchange 2010 setup. How do I configure different passwords for the domain user account and OWA?
    Whenever I change the user password in AD, the same is being applied to OWA, which I don't want. The user should have two different passwords. Now I am using Integrated Authentication. Please help.

  18. Leng says

    Hi Paul,

    Interesting reading. The authentication method used in IIS and Exchange/Outlook is always confusing, so I'm never sure what to set.
    I have an issue that every time I start Outlook on the internal network, it always asks me for credentials. If I close Outlook and start it again it doesn't ask for credentials. This only happens when I start my computer in the morning.
    Is this problem an IIS authentication error (since it's set to Basic), or do you think this problem is elsewhere?
    The weird part is that not everyone in the office is having this problem. Running multiple versions of Win 7, Win 8 and Outlook 2010/2013.
    Have seen this problem occur for others 2 weeks before the password expires and the user has to renew their password. After they renew their password it's fine.
    Me, I have renewed my password without any help.

    thanks!

  19. says

    Hi.
    I am still having a problem where Outlook suddenly prompts users for passwords.
    Noticed that at that particular moment it is trying to connect via HTTP (webmail server). What authentication settings should I use so that Outlook on the LAN will connect automatically (if it tries to connect to my webmail server rather than the local CAS) and users externally will be prompted for credentials when trying to connect to Outlook Anywhere?
    Although I have removed both ticks from the check boxes within the Outlook Exchange proxy settings as below

    On fast networks, connect using HTTP first, then connect using TCP/IP
    On slow networks, connect using HTTP first, then connect using TCP/IP

    But outlook on the LAN still attempts to fail-over to connecting to the Webmail server and prompting for a Password.

    I am also using basic authentication in my Exchange proxy settings

    Please assist / advise

    • says

      My guess is your OWA namespace (URL) and Outlook Anywhere namespace are the same.

      I think what you’re seeing is Outlook clients failing to make a direct TCP/IP connection and attempting an Outlook Anywhere connection.

      With Outlook Anywhere configured for Basic authentication it is quite normal to see an authentication prompt appear.

      • says

        thank you for the reply.

        My OWA namespace and Outlook Anywhere namespace are correct.

        You are exactly right with the clients trying to use Outlook Anywhere when they may detect slow or no LAN connectivity.
        But how do I get PCs on the LAN to seamlessly make that connection without prompting for a password?

        My OWA settings on my 2 CAS servers on the LAN are using Windows Authentication. So in theory they should not prompt for a password on the LAN…. ????

        And my actual OWA server is configured for Form Based Authentication so that users externally are prompted for a Password.

  20. Mat says

    With IIS advanced logging enabled, I can track successful OWA attempts with the client IP address.

    However with failed OWA attempts it throws an information event in the security log of Event Viewer (event ID 4625), but this does not display the source IP or the client IP.

    What do I need to do to allow tracking of bad OWA logon attempts in IIS advanced logging?

    Thank you Sir

  21. Steve Hodges says

    Having problems with OWA – log into any website, then open and log into OWA, then logout of OWA; all your other websites are also logged out. Please help!

      • Steve Hodges says

        When you go to a website, any site, and log in (bank, insurance, IRS, any websites you have logons for; I even tried with multiple sites at the same time), with these sites open and logged into, you open another IE tab or window, connect to the OWA server and login, check your e-mail, and logout of OWA; switch to your other windows and/or tabs and you find you are magically logged out of all your sites. I have confirmed this with multiple websites on multiple computers on multiple domains and with multiple OWA servers.

      • Steve Hodges says

        Paul,
        Looks like it is related to the shared sessions (tabbed browsing) in Internet Explorer because if I use a new IE session for my OWA, logging off doesn’t affect my other websites. I still think OWA is doing something different because logging off my bank or insurance sites don’t log me off of everything else. Please let me know if you’ve found a solution; perhaps a setting on the Exchange server or in IE.

        Thanks,
        Steve

  22. says

    I have set up 2 OWA sites, one with Windows Integrated Authentication and one with Forms Based. We are running the WIA site under a service account but it seems Exchange can’t handle that. Kerberos works fine (confirmed in info screen) but attachments can’t be previewed because the temporary folder that is used to store the attachments during viewing is set to allow access to the system account only. Have you ever come across this issue and if so, do you happen to know how to solve it?

    • Marjolein says

      Hi Kayla,

      We encountered the same problem when we were using a service account. What you can do is use alternate service credentials in Exchange 2010. That way the IIS service can run with the system account while everything else works with the service account (see my reply in this thread on April 17, 2013 at 10:24 pm).

      Hope this helps,
      Marjolein

  23. Tony says

    Hi, I am using Exchange 2010. From my firewall I have forwarded port 443 HTTPS traffic to my Exchange server. To be more secure we want users to first authenticate (reverse proxy) and then have the OWA page open for authentication. As TMG is end of life, what solution is available?

  24. Matt says

    Paul – the problem I am running into is that I am going to create generic users because our staff tends to play musical chairs way too much, which causes my support to set up multiple profiles in Outlook. The plan was to use a generic login and then have them go to OWA for their email. Major problem with that because we have multiple web apps that we have to log into, and if they logout of OWA it kills the authentication cache, which kills my other apps – if you are running one instance of IE. Two instances it's fine, but I might as well talk to a wall explaining this to my generic users. Firefox works but our web apps won't run on FF because the apps were written crappy. Do I create an internal site using basic authentication and leave the external forms based? I have smartphones so I do not want to screw that up, but pretty sure ActiveSync takes care of that, or is it tied to it somehow. Thanks

    • says

      I’m baffled by your scenario. I understand you’re the one dealing with it directly so it probably makes sense to you.

      A user can login to a domain workstation with their account and Outlook will autodiscover and autoconfig their profile settings for them. What need is there for support to set up new profiles every time a user moves?

      Generic logins are a bad idea from a security perspective and pointless if they are just going to login to their own mailbox afterwards anyway (see comment above).

      I have no idea why logging out of OWA logs out your other apps. It has never happened to me so perhaps there is something specific about your situation that Microsoft Support could assist you with.

      • Steve Hodges says

        Paul – The OWA issue of logging you out of other web apps is the same thing I asked you about back on 2/18; seems to be an IE issue with shared sessions. When you open OWA in another tab and login, logging out of OWA logs you out of everything in that session, but if you launch a new instance of IE to log into OWA everything works fine. I have tried this with multiple web sites and OWAs.

  25. Deanne Barton says

    Hi Paul

    We are using Forms-based authentication with User name only, therefore users have to use their domain log in credentials. As we set up users for EAS as well is it possible to use both Domain or UPN or can it only be one or the other?

  26. Casey Thompson says

    I had an issue in our organization where users were not able to delete or move emails using OWA. The only two changes I had made to our Exchange servers prior to this issue surfacing were updating the SSL certificate and updating all of our Exchange servers with RU5 for Exchange 2010 SP3. I had racked my brains trying different troubleshooting steps and reading through many forums. It turned out that the issue centered on an authentication setting in the ECP virtual directory. The anonymous authentication setting was set to enabled. I changed this setting to disabled to match the setting for the OWA anonymous authentication setting. Once completing that task and then restarting IIS on both of our CAS servers, the issue was resolved and users were once again able to delete emails and move emails to different folders in OWA. The error that popped up when the issue was happening stated that a configuration on the server was incorrect and to contact the IT department. Hope this information is helpful to someone else who may be struggling with this issue. As always, thanks to Paul for another great article on an important topic in Exchange.

  27. Cesar Perez says

    Hi Paul, excellent page, congratulations.

    I hope you can help me,

    I have one domain CONTOSO.COM, I have 1 server with only the CAS role and I have 3 servers with the roles CAS, MAIL and CLIENT ACCESS.

    When I access OWA from the Internet, I can view my OWA page, and when I put in my user and password I can access it without trouble.

    My account is on Server 01, but when I put in another account that is on another server (for example Server 02) I get an error that it CANNOT FIND THE SERVER SERVER 02.

    I tried configuring the redirection in IIS, but the same error appears.

    Thanks.

    Note: Sorry for my English.

    • says

      You shouldn’t need to do anything in IIS for this to work.

      All of the CAS in the same AD Site should have the same external URL configured on their OWA virtual directory. Ideally you would also load balance them. Either way, when you hit that OWA URL the CAS should be able to access the mailbox on any server within the site.
