Exchange Server 2010 Outlook Web App Authentication Settings

Outlook Web App (OWA) is the webmail interface for Exchange Server 2010.  Most of you will already be familiar with the acronym OWA from previous versions of Exchange Server where webmail was named Outlook Web Access.

Outlook Web App is hosted on the Client Access Server role for Exchange Server 2010 and integrated with IIS 7.  The OWA URL is typically something like this:

https://webmail.mycompany.com/owa

To connect to Outlook Web App, users must authenticate first.  The OWA virtual directory can be secured using different authentication settings depending on the network environment.

Exchange Server 2010 Outlook Web App Authentication Types

There are four authentication methods available for Exchange Server 2010 OWA.  They are:

Integrated Authentication – this allows domain users who are logged on to domain computers to automatically log on to Outlook Web App.  This is useful for internal Outlook Web App access as it simplifies the logon process for domain users (they don’t need to log on once to the computer and then a second time for OWA).  However, Integrated Authentication is not suitable for remote access by people using non-domain member computers, or people who are connecting via proxy servers.

Basic Authentication – this uses the HTTP protocol to send the logon credentials to the server.  Because the credentials are sent “in the clear”, the use of SSL is highly recommended for securing them.  Also, because Basic Authentication credentials can be cached in web browsers, it is recommended to use an additional authentication factor (e.g. a one-time password from a token) to prevent unauthorized access from public kiosk computers using the cached credentials.

Logon dialog box for Outlook Web App using Basic Authentication

Digest Authentication – this method solves the problem with Basic Authentication where credentials are sent “in the clear” by sending a hashed password instead.  Digest Authentication also works through a proxy server, unlike Integrated Authentication.  However, Digest Authentication does have some other configuration requirements, such as the use of reversible encryption for password storage in Active Directory.  These may make it an undesirable option for many organizations.

Forms-Based Authentication – this method uses a sign-in webpage on the server to collect logon credentials.  As with Basic Authentication, the use of SSL with Forms-Based Authentication is highly recommended to protect the user credentials.

The Exchange Server 2010 OWA Logon Page

Forms-Based Authentication has three additional configuration options for how the user credentials are submitted.

  • Domain\Username – users enter their credentials in the format Domain\Username, using either the NetBIOS name or the FQDN of the domain.
  • User Principal Name (UPN) – if this option is chosen, only users whose UPN matches their email address will be able to log on to Outlook Web App.  You can compare the two for a mailbox with Get-Mailbox:

    [PS] C:\>Get-Mailbox "alan reid" | fl name, userprincipalname, primarysmtpaddress

    Name               : Alan.Reid
    UserPrincipalName  : Alan.Reid@exchangeserverpro.local
    PrimarySmtpAddress : Alan.Reid@exchangeserverpro.local

  • Username Only – with this option the Exchange administrator specifies a default domain for OWA logons, and users in that domain can log on with their username only.  Users in other domains must still use Domain\Username.
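Before switching the logon format to UPN it is worth finding the mailboxes that would be locked out. The following script is an added example, not code from the original article; it assumes an Exchange 2010 Management Shell session and lists every user mailbox whose UPN differs from its primary SMTP address, the check the Get-Mailbox output above makes for a single user.

```powershell
# Added example (not from the original article). Lists user mailboxes whose
# UserPrincipalName does not match their PrimarySmtpAddress: those users cannot
# sign in to OWA once the logon format is set to User Principal Name.
# Assumes an Exchange 2010 Management Shell session with rights to read mailboxes.

function Get-UpnSmtpMismatch {
    # -ResultSize Unlimited avoids the default 1000-object cut-off in larger orgs;
    # -RecipientTypeDetails UserMailbox skips rooms, equipment and shared mailboxes.
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object {
            # PrimarySmtpAddress is an SmtpAddress object, so compare it as text.
            # PowerShell's -ne is case-insensitive, which is what we want for UPNs.
            $_.UserPrincipalName -ne $_.PrimarySmtpAddress.ToString()
        } |
        Select-Object Name, UserPrincipalName, PrimarySmtpAddress
}

# Wrap in @() so .Count works whether zero, one or many objects come back.
$mismatches = @(Get-UpnSmtpMismatch)

if ($mismatches.Count -eq 0) {
    Write-Host 'Every user mailbox has a UPN that matches its primary SMTP address.'
} else {
    Write-Warning ('{0} mailbox(es) would be unable to log on with the UPN format:' -f $mismatches.Count)
    $mismatches | Format-Table -AutoSize
}
```

Pipe `Get-UpnSmtpMismatch` to `Export-Csv` if you need a record of the affected accounts for the change.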

Configuring Outlook Web App for Integrated Authentication

In this example the Exchange Server 2010 OWA virtual directory is being configured for Integrated Authentication.

Using the Exchange Management Console navigate to Server Configuration -> Client Access, and choose the server you wish to configure.  Select the Outlook Web App tab, then right-click the OWA virtual directory and choose Properties.

Configuring an Exchange Server 2010 OWA Virtual Directory

Select the Authentication tab.  Choose Use one or more Standard Authentication Methods and tick the Integrated Windows Authentication box.

Enabling Integrated Authentication for Exchange Server 2010 OWA

Click OK to apply the change.

To perform the same configuration using the Exchange Management Shell, run this command:

[PS] C:\>Set-OwaVirtualDirectory "EX3\owa (Default Web Site)" -BasicAuthentication $false -WindowsAuthentication $true -DigestAuthentication $false

You will notice that three settings were specified in the command. This is because Basic, Integrated, and Digest Authentication can be enabled concurrently so that the OWA virtual directory supports multiple authentication methods. Because of this you should explicitly configure the authentication methods the way that you intend them to be set, rather than modifying only a single authentication method.

Configuring Outlook Web App for Forms-Based Authentication

In this example the Exchange Server 2010 OWA virtual directory is being configured for Forms-Based Authentication.

Using the Exchange Management Console navigate to Server Configuration -> Client Access, and choose the server you wish to configure.  Select the Outlook Web App tab, then right-click the OWA virtual directory and choose Properties.

Configuring an Exchange Server 2010 OWA Virtual Directory

Select the Authentication tab.  Choose Use forms-based authentication and then choose a logon format, in this example User name only.

Configuring Forms-Based Authentication for Exchange Server 2010 OWA

Click OK to apply the change.

To perform the same configuration using the Exchange Management Shell, run the following command:

[PS] C:\>Set-OwaVirtualDirectory "EX3\owa (Default Web Site)" -FormsAuthentication $true -LogonFormat UserName -DefaultDomain exchangeserverpro.local

Other Steps When Changing Outlook Web App Authentication Settings

You will notice as you modify OWA virtual directory authentication settings that two additional steps are usually required:

  • Resetting IIS – this is required any time you switch to or from Forms-Based Authentication.  From a command prompt window run the following command:

    iisreset /noforce

  • Modifying the ECP virtual directory – ECP stands for Exchange Control Panel and is the self-service web portal for end users to make changes to their mailbox, distribution lists they manage, and some other items.  The authentication method for this virtual directory should be configured to match the OWA virtual directory.

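The two configuration procedures above and the ECP and IIS reset steps can be combined into one repeatable script. This is an added example, not the article's own code: it assumes an Exchange 2010 Management Shell session, reuses the article's server name EX3 and default domain, and the profile names Integrated and Forms are mine.

```powershell
# Added example, not part of the original article. Applies one authentication
# profile to both the OWA and ECP virtual directories of a Client Access server,
# setting every method explicitly, resets IIS when Forms-Based Authentication is
# switched on or off, and then checks that OWA and ECP agree.
# Assumes an Exchange 2010 Management Shell; "EX3" and the default domain are the
# article's example values, the profile names are this script's own.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Integrated', 'Forms')]
    [string]$Profile,

    [string]$Server        = 'EX3',
    [string]$DefaultDomain = 'exchangeserverpro.local'   # used by the Forms profile only
)

$owaIdentity = "$Server\owa (Default Web Site)"
$ecpIdentity = "$Server\ecp (Default Web Site)"

# Basic, Integrated and Digest can be enabled at the same time, so every switch is
# set explicitly; changing only one would leave the others in an unknown state.
switch ($Profile) {
    'Integrated' {
        $auth = @{ FormsAuthentication = $false; WindowsAuthentication = $true
                   BasicAuthentication = $false; DigestAuthentication  = $false }
    }
    'Forms' {
        # Forms-based logon is layered on Basic, so Basic stays enabled with it;
        # this is the same combination the management console produces.
        $auth = @{ FormsAuthentication = $true;  WindowsAuthentication = $false
                   BasicAuthentication = $true;  DigestAuthentication  = $false }
    }
}

# Switching to or from FBA is the case that needs an IIS reset, so note the
# current state before changing anything.
$before        = Get-OwaVirtualDirectory -Identity $owaIdentity
$formsChanging = ($before.FormsAuthentication -ne $auth.FormsAuthentication)

# OWA also takes the logon format; ECP only has the four method switches.
if ($Profile -eq 'Forms') {
    Set-OwaVirtualDirectory -Identity $owaIdentity @auth -LogonFormat UserName -DefaultDomain $DefaultDomain
} else {
    Set-OwaVirtualDirectory -Identity $owaIdentity @auth
}
Set-EcpVirtualDirectory -Identity $ecpIdentity @auth

if ($formsChanging) {
    Write-Host 'Forms-Based Authentication changed; resetting IIS.'
    & iisreset /noforce
}

function Compare-OwaEcpAuthentication {
    # Returns one row per method; a mismatch means users can sign in to OWA but
    # fail when they open the Options (ECP) pages.
    $owa = Get-OwaVirtualDirectory -Identity $owaIdentity
    $ecp = Get-EcpVirtualDirectory -Identity $ecpIdentity
    foreach ($method in 'BasicAuthentication', 'WindowsAuthentication',
                        'DigestAuthentication', 'FormsAuthentication') {
        New-Object PSObject -Property @{
            Method = $method
            OWA    = $owa.$method
            ECP    = $ecp.$method
            Match  = ($owa.$method -eq $ecp.$method)
        }
    }
}

$result = @(Compare-OwaEcpAuthentication)
$result | Format-Table Method, OWA, ECP, Match -AutoSize
if ($result | Where-Object { -not $_.Match }) {
    Write-Warning 'OWA and ECP authentication settings differ; fix ECP before users notice.'
}
```

Run it as `.\Set-OwaAuthProfile.ps1 -Profile Forms` (file name is yours to choose); the Get-* cmdlets read from Active Directory, so on a multi-DC site allow for replication before trusting the comparison.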
About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. Mohamed Abdel hamid says:

    In the name of God, the Most Gracious, the Most Merciful.
    Thank you very much for your tutorial.
    I want to ask about the best way to do Outlook Web App authentication.

    I selected Integrated Authentication and Digest Authentication. Is this good, and does this need any more configuration?

    Thank you again.
    May God grant success.

    • Hi Mohamed, what is “best” depends on your environment and how people are accessing OWA.

      Integrated Authentication is fine if you’re happy with how that works.

  2. Hi,

    I am new to Exchange 2010 and I have enabled forms-based authentication and I am using Exchange SSL.
    What changes do I need to make in IIS and Exchange so that users will be able to access it from outside?

    Thanks in advance
    Chanchal Sharma

    • Dear Chanchal,

      Yes, both are possible and run well. You must change the UPN of the user to his email address.

      Then the user can logon with his SAM- or UPN account settings without the domain.

      Regards
      Uwe

  3. Hi Paul,
    Can I use all three ways (Domain\User, UPN, User Only) to log on to OWA at the same time? I mean, whichever way I choose, can I log on to OWA at any time?

    Thanks.

    • Hi Jack,

      No, it doesn't work because you must decide either domain\user or only user (see above pic). The UPN is configured in ADUC at user level.

      Regards
      Uwe

  4. Carol Ostos says:

    Having a bit of an issue with Outlook Web App. Moved some mailboxes from E2K3 to E2K10 and created new mailboxes just to see if the problem was to do with the mailbox move but seems that the problem persists regardless.

    Logon, Logoff and Error aspx pages load with no problems but it seems like the browser cannot parse the DLLs.
    All these files are located under the auth folder.

    I have found some links that talk about adding preCondition="bitness62" to the isapifilters (Exchange OWA Cookie Authentication ISAPI Filter and Exchange ActiveSync ISAPI Filter) found in the applicationHost file in SystemRoot\inetsrv\config.

    I have performed Test-OwaConnectivity checks and I get the following:

    VERBOSE: [00:03:38.762 GMT] Test-OwaConnectivity : Resolved current organization: .
    VERBOSE: [00:03:38.762 GMT] Test-OwaConnectivity : Adding a test instance for URL
    ‘https://casserverfqdn/’ specified with the -URL argument.
    VERBOSE: [00:03:39.778 GMT] Test-OwaConnectivity : [10:03:38.762] : The TrustAnySSLCertificate flag was specified, so
    any certificate will be trusted.
    VERBOSE: [00:03:39.778 GMT] Test-OwaConnectivity : [10:03:39.215] : Sending the HTTP GET logon request without
    credentials for authentication type verification.
    VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : The HTTP request succeeded with result code 200
    (OK).
    VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : The sign-in page is from Outlook Web App, not ISA
    Server.
    VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : The server reported that it supports authentication
    method FBA.
    VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : This virtual directory URL type is External or
    Unknown, so the authentication type won’t be checked.
    VERBOSE: [00:03:41.090 GMT] Test-OwaConnectivity : [10:03:41.028] : Trying to sign in with method ‘Fba’.
    VERBOSE: [00:03:41.090 GMT] Test-OwaConnectivity : [10:03:41.028] : Sending HTTP request for logon page
    ‘https://casserverfqdn/owa/auth/owaauth.dll’.
    WARNING: [10:04:03.544] : The HTTP logon request returned the non-OK result code 302 (Found).

    Confirm
    Continue with this operation?
    [Y] Yes [A] Yes to All [H] Halt Command [?] Help (default is “Y”): A
    WARNING: [10:04:03.544] : The test encountered an error while signing in to Outlook Web App.
    HTTP code: 302
    WARNING: [10:04:03.544] : Test failed for URL ‘https://casserverfqdn/’.

    RunspaceId : 1a842b77-bbac-459d-a629-86e1fcbb942a
    AuthenticationMethod : FBA
    MailboxServer :
    LocalSite : SYDNEY
    SecureAccess : True
    VirtualDirectoryName :
    Url : https://casserverfqdn/
    UrlType : Unknown
    Port : 0
    ConnectionType : Plaintext
    ClientAccessServerShortName :
    LocalSiteShortName : SYDNEY
    ClientAccessServer :
    Scenario : Logon
    ScenarioDescription : Sign in to Outlook Web App and verify the response page.
    PerformanceCounterName : Logon Latency
    Result : Failure
    Error : The test encountered an error while signing in to Outlook Web App.
    HTTP code: 302
    UserName : xxxxxxxxx
    StartTime : 4/13/2012 10:03:40 AM
    Latency : -00:00:00.0010000
    EventType : Error
    LatencyInMillisecondsString :
    Identity :
    IsValid : True

    VERBOSE: [00:04:08.919 GMT] Test-OwaConnectivity : Admin Audit Log: Entered Handler:OnComplete.
    VERBOSE: [00:04:08.919 GMT] Test-OwaConnectivity : Ending processing &

    Any clues? I did not want to recreate the owa and ecp virtual directories.

    Something else to mention: I tried to run the script called UpdateCas.ps1 found in the bin directory in the hope of updating any missing or corrupted files, but no joy!

    Thanks!!!

    • Carol Ostos says:

      Just an update, after my post, I have tried the following workarounds:

      a) Resetting the virtual directories for both owa and ecp. I have no issues performing these tasks. Both directories were removed and created again, and I changed the settings to include our externalURL, but still no luck.

      b) Added preCondition="bitness64" to both isapifilters (Exchange OWA Cookie Authentication ISAPI Filter and Exchange ActiveSync ISAPI Filter) found in the applicationHost file in SystemRoot\inetsrv\config. Reset IIS and tried both ecp and owa but still no luck.

      c) Checked Exchange FBA service was running.

      I’m out of options, what can I do? Thanks!!!!

  5. sidneyleusson says:

    Hello, I have now set up user authentication for Basic Authentication, and I want to change to forms-based authentication. I did the steps you describe in your tutorial, but it does not work. How can that be? I have Exchange 2010. Do I have to do something else in IIS?

  6. This only seems to work for the logon page, not for the settings and options within OWA. Pretty pointless IMHO.

  7. Erm, I seem to have forgotten to run the first cmdlet here. Will check again… Ta

  8. All fixed now. Thanks heaps.

  9. Our current OWA access is to Forms Based Authentication.

    A requirement now is that if I am connected to the company network, I shouldn’t need to enter credentials, it should automatically do a Single-Sign-On to OWA. If I’m not on the network, I should be prompted for credentials, as is working now.

    Questions: Can OWA be configured with Windows Integrated Authentication for (internal or network-connected) users and also have other authentication (I’m thinking Digest, for security) so accessing OWA will prompt for credentials for external or non-network-connected users?

    • Carol Ostos says:

      We were using FBA for internal and planned to use it for external as well. We are now setting up Outlook Web App externally with TMG + RSA, so we have changed the internal authentication method to Basic and Windows Integrated, so internally we don’t need credentials when using IE. You do need to provide credentials if using other browsers unless you say "save my credentials", which won’t be ideal: if your password gets cached you might have failed login attempts. So for external you can def have FBA. Good luck with your setup because we are still unable to get RSA working ;(

  10. I should have known … the best info I found regarding authentication issues was right here, where I am already subscribed :-)

    Thanks Paul

  11. I have everything setup according to this article. I was prompted to also change ECP and restart IIS which I did but we are still not getting Integrated Windows Authentication to work. It is still prompting for the input of username/password. Any ideas?

    • If you’re using Integrated auth and you expect it to automatically login without prompting for credentials you need to make sure that the OWA URL is included in one of the Internet Explorer security zones where automatic login is enabled (usually either Trusted or Intranet zones will do it).

      • We have that URL setup in the Trusted Zone in one of our group policies and yet people are still being prompted for login credentials.

        • Hi, I am running into the same issue where “integrated” security is selected but users are still getting prompted. How did you resolve the prompt issue?

  12. We too have the same issue as brodiemac…

  13. Hi,

    I need to know how to configure Integrated Windows Authentication for internal users and FBA for external users.

    Thanks a lot

  14. Martin Berard says:

    We also would like to know if anyone succeeded in setting up an environment with integrated auth for internal use and forms-based for external users.

    Is it possible to install 2x OWA on the same server with different authentication settings and using virtual host such as: mail.mycompany.local vs mail.mycompany.com?

    Martin

  15. Varun Sharma says:

    We installed a new Exchange Server 2010; the setup is fully loaded, but when we open OWA and enter the user name it will not redirect me to webmail, it shows the default OWA webpage again. Kindly help me resolve the issue; we already tried with domain\user name and user name but it will not redirect me to webmail.

    Kindly reply with solution.

  16. Hi Paul,

    I have researched over the internet if it is possible.

    Is it possible to restrict some users from accessing OWA on the public Internet, but have them access it only on the internal network? If we were to disable OWA’s external access, all users would be affected; we only want to restrict some users, not all.

    Is it possible?

    Thanks in advance.

  17. Marjolein says:

    Hi,

    I have set up 2 OWA sites, one with Windows Integrated Authentication and one with Forms Based. We are running the WIA site under a service account but it seems Exchange can’t handle that. Kerberos works fine (confirmed in info screen) but attachments can’t be previewed because the temporary folder that is used to store the attachments during viewing is set to allow access to the system account only. Have you ever come across this issue and if so, do you happen to know how to solve it?

    Kind regards,
    Marjolein

    • Why are you running the other site under a service account?

      • Marjolein says:

        Hi Paul,

        Here’s my reasoning:
        - an SPN needs to be set on the A-record at which the site is addressed
        - for linux machines to work well with kerberos, a corresponding PTR record needs to exist as well
        - the Exchange hosts reside in a HLB configuration
        * conclusion: the webmail address needs its own A and PTR record set to an address associated with the HLB, and the SPN needs to be set at that record.
        Am I missing something?

  18. Brian Rota says:

    Hello
    In Exchange 2003 if you have integrated configured and you logged on a PC without a mailbox you are prompted to fallback to basic and you can enter a username and password.
    In 2010 now these users get notified that the mailbox does not exist with no option to log in again.
    I have some generic computers that are logged on with accounts that do not have mailboxes. I know I can take the URL out of the intranet zone, but the customer is not sure where all of the machines are, so a GPO may be tough.
    Is there a way to make 2010 just reprompt for authentication if the logon account does not have a mailbox, like 2003 did?

    Thank you

  19. Hi Paul,

    Is there a way to stop the login prompts when users are logging in from an untrusted domain?

    Users are logging in as so:

    outlookdomain.local
    exchangedomain.global

    Autodiscover service is being found, but prompts for the password. Once accounts are setup the users are prompted for login details every time they open outlook.

    I have been able to resolve some users’ issues by using Credential Manager in Windows 7… but half the people on our network are still on XP/Outlook 2007 (don’t ask… :/ this is the environment I inherited…)

    If you could help me out here I would kiss you… or at the very least buy you a pint :)

    Kind regards,
    Aidan.

  20. We have Exchange 2010 set up. How do I configure different passwords for the domain user account and OWA?
    Whenever I change the user password in AD, the same is being applied to OWA, which I don’t want. The user should have two different passwords. Now I am using Integrated Authentication. Please help.

  21. Hi Paul,

    Interesting reading. The authentication method used in IIS and Exchange/Outlook is always confusing, so I’m never sure what to set.
    I have an issue where every time I start Outlook on the internal network, it always asks me for credentials. If I close Outlook and start it again it doesn’t ask for credentials. This only happens when I start my computer in the morning.
    Is this problem an IIS authentication error (since it’s set to Basic), or do you think this problem is elsewhere?
    The weird part is that not everyone in the office is having this problem. Running multiple versions of Win 7, Win 8 and Outlook 2010/2013.
    I have seen this problem occur for others 2 weeks before the password expires and the user has to renew their password. After they renew their password it’s fine.
    Me, I have renewed my password without any help.

    thanks!

  22. Please help

    Cannot download or view attachment from OWA (using Exchange Server 2010); comment: bad request – 400

  23. Hi.
    I am still having a problem where Outlook suddenly prompts users for passwords.
    I noticed that at that particular moment it is trying to connect via HTTP (webmail server). What authentication settings should I use so that Outlook on the LAN will connect automatically (if it tries to connect to my webmail server rather than the local CAS) and users externally will be prompted for credentials when trying to connect to Outlook Anywhere?
    Although I have removed both ticks from the check boxes within the Outlook Exchange proxy settings as below:

    On fast networks, connect using HTTP first, then connect using TCP/IP
    On slow networks, connect using HTTP first, then connect using TCP/IP

    But outlook on the LAN still attempts to fail-over to connecting to the Webmail server and prompting for a Password.

    I am also using basic authentication in my Exchange proxy settings

    Please assist / advise

    • My guess is your OWA namespace (URL) and Outlook Anywhere namespace are the same.

      I think what you’re seeing is Outlook clients failing to make a direct TCP/IP connection and attempting an Outlook Anywhere connection.

      With Outlook Anywhere configured for Basic authentication it is quite normal to see an authentication prompt appear.

      • thank you for the reply.

        My OWA namespace and Outlook Anywhere namespace are correct.

        You are exactly right with the clients trying to use Outlook Anywhere when they may detect slow or no LAN connectivity.
        But how do I get PCs on the LAN to seamlessly make that connection without prompting for a password?

        My OWA settings on my 2 CAS servers on the LAN are using Windows Authentication. So in theory they should not prompt for a password on the LAN…. ????

        And my actual OWA server is configured for Form Based Authentication so that users externally are prompted for a Password.

  24. With IIS advanced logging enabled, I can track successful OWA attempts with the client IP address.

    However, with failed OWA attempts it logs information in the Security log of Event Viewer (event ID 4625), but there it does not display the source IP or the client IP.

    What do I need to do to allow tracking of bad attempts of OWA logon in IIS advanced logging?

    Thank you Sir

  25. Hi, Paul!
    I want to allow some users who don’t join the domain; which authentication should I use?

    Many thanks!

  26. Steve Hodges says:

    Having problems with OWA – log into any website, then open and log into OWA, then logout of OWA; all your other websites are also logged out. Please help!

    • I’m not sure what you mean.

      • Steve Hodges says:

        When you go to a website, any site, and log in; bank, insurance, IRS, any websites you have logons for (I even tried with multiple sites at the same time). With these sites open and logged into, you open another IE tab or window, connect to the OWA server and log in, check your e-mail, and log out of OWA; switch to your other windows and/or tabs and you find you are magically logged out of all your sites. I have confirmed this with multiple websites on multiple computers on multiple domains and with multiple OWA servers.

      • Steve Hodges says:

        Paul,
        Looks like it is related to the shared sessions (tabbed browsing) in Internet Explorer because if I use a new IE session for my OWA, logging off doesn’t affect my other websites. I still think OWA is doing something different because logging off my bank or insurance sites don’t log me off of everything else. Please let me know if you’ve found a solution; perhaps a setting on the Exchange server or in IE.

        Thanks,
        Steve

  27. I have set up 2 OWA sites, one with Windows Integrated Authentication and one with Forms Based. We are running the WIA site under a service account but it seems Exchange can’t handle that. Kerberos works fine (confirmed in info screen) but attachments can’t be previewed because the temporary folder that is used to store the attachments during viewing is set to allow access to the system account only. Have you ever come across this issue and if so, do you happen to know how to solve it?

    • Hi Kayla,

      We encountered the same problem when we were using a service account. What you can do is use alternate service credentials in Exchange 2010. That way the IIS service can run with the system account while everything else works with the service account (see my reply in this thread on April 17, 2013 at 10:24 pm).

      Hope this helps,
      Marjolein

  28. Hi, I am using Exchange 2010. From my firewall I have forwarded port 443 HTTPS traffic to my Exchange server. To be more secure we want the user to first authenticate (reverse proxy) and then the OWA page opens for authentication. As TMG is end of life, what solution is available?

  29. Paul – the problem I am running into is that I am going to create generic users because our staff tends to play musical chairs way too much, which causes my support to set up multiple profiles in Outlook. The plan was to use a generic login and then have them go to OWA for their email. Major problem with that, because we have multiple web apps that we have to log into, and if they log out of OWA it kills the authentication cache, which kills my other apps – if you are running one instance of IE. With two instances it’s fine, but I might as well talk to a wall explaining this to my generic users. Firefox works, but our web apps won’t run on FF because the apps were crappily written. Do I create an internal site using basic authentication and leave the external forms-based? I have smartphones so I do not want to screw that up, but I’m pretty sure ActiveSync takes care of that, or is it tied to it somehow? Thanks

    • I’m baffled by your scenario. I understand you’re the one dealing with it directly so it probably makes sense to you.

      A user can login to a domain workstation with their account and Outlook will autodiscover and autoconfig their profile settings for them. What need is there for support to set up new profiles every time a user moves?

      Generic logins are a bad idea from a security perspective and pointless if they are just going to login to their own mailbox afterwards anyway (see comment above).

      I have no idea why logging out of OWA logs out your other apps. It has never happened to me so perhaps there is something specific about your situation that Microsoft Support could assist you with.

      • Steve Hodges says:

        Paul – The OWA issue of logging you out of other web apps is the same thing I asked you about back on 2/18; it seems to be an IE issue with shared sessions. When you open OWA in another tab and log in, logging out of OWA logs you out of everything in that session, but if you launch a new instance of IE to log into OWA everything works fine. I have tried this with multiple web sites and OWAs.

  30. Deanne Barton says:

    Hi Paul

    We are using Forms-based authentication with User name only, therefore users have to use their domain log in credentials. As we set up users for EAS as well is it possible to use both Domain or UPN or can it only be one or the other?
