OWA form-based authentication and ActiveSync issue

Posted on 2011-04-18
Last Modified: 2012-05-11
Dear sir,
We tried to enforce the OWA session time-out policy on Exchange 2003; therefore we implemented Form-Based Authentication.
However, after implementing FBA, users who have mobile phones with ActiveSync can no longer retrieve emails.
So, I read about the solution posted on the MS support site:
this solution requires us to set up a front-end virtual directory that does not have SSL for the ActiveSync connection. My questions are:
1. After implementing this solution, does it mean that all communications between mobile devices and the Exchange server are not encrypted?
2. If so, is there any solution for me to apply session restrictions on OWA and also apply SSL on all connections?


Question by: ATRIT

    Expert Comment

    1.) No, your devices will still use SSL if you have that ticked on the ActiveSync VD. Exchange will be talking to the exchange-oma directory, not your devices.
    2.) See above.

    Author Comment

    Modified posting:

    We are talking about Method 2 in the Microsoft article.
    It is the second VD instead of the front-end VD because this is
    a single Exchange server situation.

    We had SSL enabled for both OWA and ActiveSync. Everything was
    working fine before applying Form-Based Authentication (FBA).

    Actual SSL configuration (Default Web Site):
    - ExchWeb: SSL required
    - Microsoft-Server-ActiveSync: SSL required
    - Rpc: SSL required
    - RpcWithCert: SSL required

    After implementing FBA to enforce the OWA time-out policy, ActiveSync
    is interrupted.

    It is said that ActiveSync only connects with the Exchange VD over port 80,
    not over 443. But how does this explain that we have used SSL for ActiveSync
    for a long time without any issue?

    How does FBA interrupt ActiveSync?

    Accepted Solution

    On a single server the ActiveSync directory talks to the 'Exchange' one using Windows/Kerberos authentication, and when you put FBA on it turns the 'Exchange' directory into Basic auth only.

    From the article you are posting:
    "When you configure forms-based authentication on the Exchange Server 2003, the authentication method for the Exchange virtual directory is set to Basic authentication, and the default Domain is set to the backslash character. The Microsoft-Server-ActiveSync virtual directory can only connect to the Exchange virtual directory by using Kerberos authentication."

    Author Closing Comment

    Comments more or less help.
