K B
OWA virtual directory: Authentication Methods
When running get-owavirtualdirectory, Basic Fba Ntlm WindowsIntegrated are all listed. Is there a reason for this or am I missing something? I seem to recall that the FBA method cannot work simultaneously with the other authentication methods. Are those simply the items that are “checked but greyed-out”? Do they really come into play if, for example, one were to choose FBA? I suppose Basic Authentication is needed with FBA but what about the others like WIA?
Also, is there a way to use a single OWA virtual directory and have automatic login internally (user on domain-joined workstation is just logged directly in) while maintaining FBA externally?
FBA is disabled when IWA is enabled, so FBA wouldn't work in your situation. Domain systems would use IWA and non-domain systems would fail that attempt and fall back to Basic authentication. What you're seeing isn't the default setting, if that's what you're wondering. Basic Authentication isn't needed for FBA. Basic Auth is basically just clear text authentication (encrypted through HTTPS, though). WIA uses NTLMv2, so the password exchange data is secured through that method (secured being a relative term... the session for OWA is secured through HTTPS, so the less secure hashing methods of NTLMv2 are mitigated by that).
As for External/Internal access using FBA for external only, that isn't possible with a single OWA site, unfortunately.
get-owavirtualdirectory, Basic Fba Ntlm WindowsIntegrated
Those auth methods are set to true at the IIS level, not at the Exchange level. You can check the OWA virtual directory authentication methods from IIS Manager on the Exchange server itself, or the get-owavirtualdirectory cmdlet would give you the other auth method status.
Once you have enabled form-based auth, the other methods would not be used anymore.
What you are trying to achieve is not possible by default with a single virtual directory. What you can do is use a reverse proxy solution to publish OWA from the internet (FBA) and use Windows integrated auth from the internal network, so both scenarios will work.
Mahesh.
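A read-only check of what the replies above discuss, as an added example that is not part of the original thread: it lists, for each OWA virtual directory, the authentication-method lists the question quotes next to the per-method flags, and warns where forms-based and Windows integrated authentication are both switched on. It assumes the Exchange Management Shell on the Exchange server; the report column names are made up for the example.

```powershell
# Added example, not from the thread. Read-only: nothing is changed.
# Run in the Exchange Management Shell on the Exchange server.
$report = foreach ($vdir in Get-OwaVirtualDirectory) {
    [pscustomobject]@{
        # Column names on the left are illustrative; values are cmdlet properties.
        Identity        = $vdir.Identity
        # List-style properties (where "Basic Fba Ntlm WindowsIntegrated" shows up)
        InternalMethods = ($vdir.InternalAuthenticationMethods -join ', ')
        ExternalMethods = ($vdir.ExternalAuthenticationMethods -join ', ')
        # Per-method switches that mirror the authentication settings in the GUI
        Forms           = $vdir.FormsAuthentication
        Basic           = $vdir.BasicAuthentication
        Windows         = $vdir.WindowsAuthentication
        Digest          = $vdir.DigestAuthentication
    }
}

# Full picture per virtual directory
$report | Format-List

# Directories where FBA and Windows integrated auth are both enabled,
# the combination the replies say cannot serve both user groups at once
$conflicts = @($report | Where-Object { $_.Forms -and $_.Windows })
foreach ($c in $conflicts) {
    Write-Warning ("{0}: FormsAuthentication and WindowsAuthentication are both enabled" -f $c.Identity)
}
if ($conflicts.Count -eq 0) {
    Write-Output 'No OWA virtual directory has forms-based and Windows integrated auth enabled together.'
}
```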
ASKER
What I am saying is if you freshly install, that's what you see.
It's not that way in the GUI (in Exchange).
ASKER CERTIFIED SOLUTION
https://technet.microsoft.com/en-us/library/bb430796(v=exchg.141).aspx