UAG 2010 SP1 SSO Removed support for OWA 2010 FBA (Form Based authentication) in UAG2010 Portal

  • Question

  • Hi All

    Why did MS remove support from UAG2010 for SSO to OWA 2010 using Form Based authentication with UAG 2010 SP1?

    We use Form Based for our OWA 2010 as it's very secure, and we are doing SSO from UAG2010 Portal to OWA 2010.

    Are there any workarounds for this?

    Thanks, Ray

    Friday, January 21, 2011 4:40 PM

Answers

  • Hi Ray,

      Please take a look at the following articles from the Exchange team; they describe how your CAS(s) can be configured to have an FBA site and a 401-enabled site on the same CAS. This is our (UAG Product Group's) recommendation if you need to supply an FBA OWA login page to your internal user base. The articles are: http://msexchangeteam.com/archive/2011/01/17/457664.aspx and http://msexchangeteam.com/archive/2008/01/07/447828.aspx for both Exchange 2010 and Exchange 2007.

      Regarding FormsAuth vs 401 auth from a security standpoint, the security aspect of 401 auth is only when HTTP (non-SSL) is used as the transport mechanism for basic authentication. 401 auth can be done over HTTPS (SSL), and that basic auth conversation is as secure as the forms auth since the user/password is being sent inside the SSL stream. 401 auth also allows you to use NTLM or Kerberos auth, both of which have additional security implemented in the authentication protocol. Forms authentication cannot provide any protocol security enhancements as all the data in the HTTP POST is sent in cleartext or via SSL from the client to the server it's posting that data to.

    Regards,
    Dan Herzog
    Microsoft CSS IAG/UAG Support
    • Marked as answer by djh-msft Friday, January 28, 2011 9:53 PM
    Friday, January 28, 2011 9:53 PM
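
The distinction drawn in the answer above, as an added example that is not part of the original thread or any Microsoft code: a small classifier that tells a 401-challenging site from an FBA site on the same CAS and notes how the password is protected in each case. The hostnames and sample responses are constructed, and recognising the FBA site by a redirect to `/auth/logon.aspx` is an assumption about the deployment.

```python
from urllib.parse import urlsplit

FBA_LOGON_MARKER = "/auth/logon.aspx"  # assumption: OWA FBA redirects here

def challenge_schemes(headers):
    """Scheme of each WWW-Authenticate header (one challenge per header)."""
    return sorted({v.split(None, 1)[0].lower() for k, v in headers
                   if k.lower() == "www-authenticate" and v.strip()})

def classify(url, status, headers):
    """Return (auth_kind, findings) for one unauthenticated response."""
    scheme = urlsplit(url).scheme.lower()
    if status == 401:
        schemes = challenge_schemes(headers)
        if not schemes:
            return "unknown", ["401 without a WWW-Authenticate challenge"]
        findings = []
        if "basic" in schemes:
            findings.append("Basic inside TLS: password travels in the SSL stream"
                            if scheme == "https" else
                            "Basic over plain HTTP: password is only base64-encoded")
        if {"ntlm", "negotiate"} & set(schemes):
            findings.append("NTLM/Negotiate offered: password itself is not sent")
        return "401:" + ",".join(schemes), findings
    location = next((v for k, v in headers if k.lower() == "location"), "")
    if status in (301, 302, 303, 307) and FBA_LOGON_MARKER in location.lower():
        # A relative Location inherits the scheme of the request URL.
        target = urlsplit(location).scheme.lower() or scheme
        return "forms", ["Forms POST inside TLS: protected by the SSL stream only"
                         if target == "https" else
                         "Forms POST over plain HTTP: password sent in cleartext"]
    return "unknown", []

# Constructed sample responses (hostnames are placeholders, not from the thread).
SAMPLES = [
    ("https://cas.example.test/owa/", 401, [("WWW-Authenticate", "Negotiate"),
                                            ("WWW-Authenticate", "NTLM"),
                                            ("WWW-Authenticate", 'Basic realm="cas"')]),
    ("http://cas.example.test/owa/", 401, [("WWW-Authenticate", 'Basic realm="cas"')]),
    ("https://cas.example.test/owa/", 302, [("Location", "/owa/auth/logon.aspx?url=%2fowa%2f")]),
    ("http://cas.example.test/owa/", 302,
     [("Location", "http://cas.example.test/owa/auth/logon.aspx")]),
]

if __name__ == "__main__":
    for url, status, headers in SAMPLES:
        print(url, status, *classify(url, status, headers))
```
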

All replies

  • It has never been supported; they have just now enforced that unsupported scenario: http://blog.msedge.org.uk/2011/01/using-exchange-client-access-server-cas.html

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, January 21, 2011 5:10 PM