UAG Service Pack 1 removes the ability of UAG to delegate Form based credentials into all versions of OWA. This was done as part of the product design as there were many cases and scenarios in which the formlogin with OWA was not able to meet the requirements of login into OWA. Because of the extensive design change that would be required to implement this functionality the product group determined that removing the formlogin functionality with OWA was the only available solution. The recommendation to allow automatic credential delegation with OWA is to use Basic authentication to the CAS.
The CAS can be configured using the following instructions so that both Basic and FormLogin will be available:
http://blogs.technet.com/b/exchange/archive/2011/01/17/3411832.aspx discusses how to make this for Exchange 2010
http://blogs.technet.com/b/exchange/archive/2008/01/07/3404614.aspx discusses how to make this change on Exchange 2007
Therefore - the following content is presented "as is" and is not considered a supported configuration by the product team.
Microsoft has not officially supported publishing OWA when FBA (Forms Based Authentication) was enabled. Up until SP1 in UAG, it worked. With SP1, it has stopped working and to be honest, it should not work as forms based authentication is not as secure as Kerberos. Step 7 in the application wizard no longer asks for 401 or forms authentication, as seen below:
For those customers who still need this and have deployed SP1, this article walks you through getting this functionality back.
Step 1. Install UAG and Service Pack 1.
Step 2. Run the Add Application Wizard, select Web è Other Web Application as shown below:
Step 3. At step 2 in the Application Type, type either ExchangePub2010 or ExchangePub2007 (if using Exchange 2007) as shown below:
Step 4. At Step 5, add the following paths (as shown below). You will have to complete the wizard and edit the application to add all the needed paths.
Step 5. At Step6, you will select your authenticaiton source and the "HTML Form" authentication as shown below:
Step 6. At step 7, you will want to add the Icon URL as: images/AppIcons/OWA2010.gif as shown below:
Step 7. Complete the wizard, add the missing URLs from Step4 and activate the configuration. Now when you access the OWA site, you should briefly see the forms login, and UAG will fill in this form and submit it.
Kevin Saye, Security Technical Specialist, Microsoft
Jason Jones (Forefront MVP), Principal Security Consultant, Silversands Limited
While I agree in principle with your comment about kerberos being more secure, how else would one support cross-browser, cross-platform situations?