Publish OWA keeping forms-based auth?

  • Question

  • Hi,

    Here is the scenario:
    - Users on the internet access OWA via a TMG
      - I want to have TMG authenticate users from the internet
    - All the users on the intranet will connect directly to the exchange server

    Question:
    - Can I publish OWA, while keeping the "forms-based auth" on the Exchange Server (for the intranet users)?

    Saturday, February 20, 2010 11:07 PM

Answers

  • ricdgr,

    Well, that depends :-).. If you're doing integrated auth on CAS server and the URL is in the Local Intranet zone of the browser, you won't get a challenge prompt for your internal users. On the TMG server via your web publishing rule you'd need to set up delegation using either Negotiate or Kerberos Constrained Delegation.. with the TMG server(s) delegated for HTTP for each CAS server.

    However, on the discussion of load-balancers, you'll need to provide more information. Depending on how your load balancers are configured and whether they're doing Layer 4 or 7 load-balancing influences the above behaviour and can break delegation.

    Regards,
    Mylo 

    Sunday, February 21, 2010 5:38 PM
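    The delegation step Mylo describes (TMG delegated for HTTP to each CAS server, with protocol transition because TMG authenticates the user with forms rather than Kerberos), as an added PowerShell example that is not from this thread: host and domain names are placeholders, and it assumes the ActiveDirectory module on a domain-joined admin workstation.

```powershell
# Added example, not from the thread. Grants the TMG computer account Kerberos
# constrained delegation to the HTTP service on each CAS server, enables
# protocol transition, then reads the configuration back for verification.
Import-Module ActiveDirectory

$tmgHost  = 'TMG01'                  # placeholder: TMG computer account name
$casHosts = @('CAS01', 'CAS02')      # placeholder: CAS computer account names
$domain   = 'corp.example.com'       # placeholder: AD DNS domain name

# Build the HTTP SPNs TMG may delegate to, in both short and FQDN forms,
# since the publishing rule may address the CAS server by either name.
# Caveat: if the rule points at a load-balanced name instead, that name
# needs its own http/ SPN, and an SPN can be registered on only one account.
$targets = foreach ($cas in $casHosts) {
    "http/$cas"
    "http/$cas.$domain"
}

# 1. Constrained delegation: -Replace makes this list authoritative, so
#    re-run the script whenever a CAS server is added or removed.
Set-ADComputer -Identity $tmgHost -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }

# 2. Protocol transition ("use any authentication protocol"): required because
#    the user proves identity to TMG via FBA, and TMG must then obtain a
#    Kerberos ticket on the user's behalf for the CAS HTTP service.
Get-ADComputer -Identity $tmgHost | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 3. Verify: the delegation target list and the account control flag.
$acct = Get-ADComputer -Identity $tmgHost -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
$acct.'msDS-AllowedToDelegateTo' | Sort-Object
"TrustedToAuthForDelegation: $($acct.TrustedToAuthForDelegation)"
```

    The CAS servers still need Integrated Windows authentication enabled on the OWA virtual directory, and internal clients still need the CAS URL in the Local Intranet zone, as the answer notes.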

All replies

  • ricdgr,

    You should enable FBA on the TMG server in this scenario and disable FBA on your Exchange CAS/FE server.

    Regards,
    Mylo
    Sunday, February 21, 2010 11:41 AM
  • There is no alternative to that?
    In that case, my internal users will see a browser auth popup instead of the forms based login.
    Not that it is a very critical issue, but it will look too unprofessional.
    The alternative I know is to make them go through the TMG, but in that case the TMG (standard) will become a bottleneck and a single point of failure.
    My Exchange servers are currently load balanced and set up with HA in mind.
    Sunday, February 21, 2010 3:09 PM
  • Currently that is one of my options. Unfortunately some people here use Linux, so they have to manually configure trust to enable single sign on.
    Another option is to direct all OWA calls to the TMG (ex.: webmail.company.com), but keep all the other CAS functions on exchange.company.com.
    That way, only OWA will fail when TMG goes down, but people will still have a fallback to use exchange.company.com with that browser popup.

    I'm doing Layer 4 load balancing, so I guess it should work with Kerberos or Negotiate. Is that true?
    Tuesday, February 23, 2010 2:43 PM
  • ricdgr,

    Yes, you should be OK with L4...

    Regards,
    Mylo
    Thursday, February 25, 2010 4:41 PM