K B asked:

OWA virtual directory: Authentication Methods

When running get-owavirtualdirectory, Basic Fba Ntlm WindowsIntegrated are all listed. Is there a reason for this or am I missing something? I seem to recall that the FBA method cannot work simultaneously with the other authentication methods. Are those simply the items that are “checked but greyed-out”? Do they really come into play if, for example, one were to choose FBA?  I suppose Basic Authentication is needed with FBA but what about the others like WIA?

Also, is there a way to use a single OWA virtual directory and have automatic login internally (user on domain-joined workstation is just logged directly in) while maintaining FBA externally?

Amit

You have several questions in one query. Did you check the MS KB for your answers? Also, you didn't mention the Exchange version. Check this KB:
https://technet.microsoft.com/en-us/library/bb430796(v=exchg.141).aspx
FBA is disabled when IWA is enabled, so FBA wouldn't work in your situation. Domain systems would use IWA and non-domain systems would fail that attempt and fall back to Basic authentication. What you're seeing isn't the default setting, if that's what you're wondering. Basic Authentication isn't needed for FBA. Basic Auth is basically just clear text authentication (encrypted through HTTPS, though). WIA uses NTLMv2, so the password exchange data is secured through that method (secured being a relative term... the session for OWA is secured through HTTPS, so the less secure hashing methods of NTLMv2 are mitigated by that).

As for External/Internal access using FBA for external only, that isn't possible with a single OWA site, unfortunately.
get-owavirtualdirectory, Basic Fba Ntlm WindowsIntegrated

Those auth methods are set as true at the IIS level, not at the Exchange level. You can check the OWA virtual directory authentication method from IIS Manager on the Exchange server itself, or the get-owavirtualdirectory cmdlet would give you the other auth method status.

Once you have enabled forms-based auth, the other methods would not be used anymore.

What you are trying to achieve is not possible by default with a single virtual directory. What you can do is use a reverse proxy solution to publish OWA from the internet (FBA) and use Windows integrated auth from the internal network, so both scenarios will work.

Mahesh.
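
Added example, not part of the thread or any poster's code: a PowerShell helper that puts the authentication-method lists reported by `Get-OwaVirtualDirectory` next to the per-method switches, and flags a directory where forms-based and Windows authentication are both switched on, the combination the answers above say cannot be used together. The function name, the server name and the sample object are constructed for illustration; that the list in the question is the `InternalAuthenticationMethods` property is an assumption.

```powershell
function Get-OwaAuthSummary {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$VirtualDirectory
    )
    process {
        # Per-method switches on the virtual directory object.
        $flags = 'FormsAuthentication', 'BasicAuthentication',
                 'WindowsAuthentication', 'DigestAuthentication'
        $enabled = @($flags | Where-Object { $VirtualDirectory.$_ -eq $true })

        New-Object PSObject -Property @{
            Identity        = [string]$VirtualDirectory.Identity
            # Method lists, as printed in the question.
            InternalMethods = @($VirtualDirectory.InternalAuthenticationMethods) -join ', '
            ExternalMethods = @($VirtualDirectory.ExternalAuthenticationMethods) -join ', '
            EnabledFlags    = $enabled -join ', '
            # FBA plus Windows auth on one directory: check it in IIS Manager.
            NeedsReview     = ($enabled -contains 'FormsAuthentication') -and
                              ($enabled -contains 'WindowsAuthentication')
        } | Select-Object Identity, InternalMethods, ExternalMethods, EnabledFlags, NeedsReview
    }
}

# Constructed sample shaped like the output in the question. On an Exchange server,
# run instead:  Get-OwaVirtualDirectory | Get-OwaAuthSummary | Format-List
$sample = New-Object PSObject -Property @{
    Identity                      = 'EXCH01\owa (Default Web Site)'   # hypothetical server
    InternalAuthenticationMethods = @('Basic', 'Fba', 'Ntlm', 'WindowsIntegrated')
    ExternalAuthenticationMethods = @('Fba')
    FormsAuthentication           = $true
    BasicAuthentication           = $true
    WindowsAuthentication         = $false
    DigestAuthentication          = $false
}
$sample | Get-OwaAuthSummary | Format-List
```
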
K B (ASKER)

What I am saying is, if you freshly install... that's what you see.

It's not that way in the GUI (in Exchange).