OWA authentication

  • Question

  • Outside of the office I put in my OWA address and get prompted to put in credentials for authentication. However, it populates with my domain name and I can never get in with just username and password or domain\username and password. What do I have wrong in authentication for IIS7 for OWA?
    Thursday, January 14, 2010 3:09 PM

Answers

  • There is a security issue if you have Basic enabled, but do not require SSL.  In Basic Auth, the credentials are passed to the server in a Base-64 format, which is trivial to decode.  With SSL, an attacker cannot get to the Base-64 encoded values because they are now encrypted.  Since you are planning to use SSL, there is no problem, but it is something you will need to be aware of.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    • Marked as answer by tvppd Wednesday, January 20, 2010 2:11 PM
    Tuesday, January 19, 2010 5:00 PM
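
The point made in the answer above, as an added example that is not part of the original thread: a Basic `Authorization` header is only Base64, so anyone who can read it on a non-SSL connection recovers the login and password directly. The function names and the sample credentials are constructed for illustration.

```python
import base64

def inspect_authorization(header_value):
    """Report what an HTTP Authorization header value exposes to anyone who can read it."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme != "basic":
        # NTLM/Negotiate (Integrated auth) carry a challenge-response token, not the password.
        return {"scheme": scheme, "password_in_header": False}
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return {"scheme": "basic", "error": "malformed credentials"}
    # RFC 7617: user-id and password are separated by the first colon.
    login, sep, password = decoded.partition(":")
    if not sep:
        return {"scheme": "basic", "error": "malformed credentials"}
    domain, user = None, login
    if "\\" in login:                      # DOMAIN\username
        domain, user = login.split("\\", 1)
    elif "@" in login:                     # UPN: username@domain.com
        user, domain = login.rsplit("@", 1)
    return {"scheme": "basic", "password_in_header": True,
            "domain": domain, "user": user, "password": password}

def basic_header(login, password):
    """Build the header value a browser sends for Basic auth (constructed test input)."""
    return "Basic " + base64.b64encode(f"{login}:{password}".encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    # Constructed credentials in the three login forms discussed in the thread.
    for login in ("jdoe", "EXAMPLE\\jdoe", "jdoe@example.com"):
        print(inspect_authorization(basic_header(login, "Passw0rd!")))
    # Constructed, truncated NTLM token: no password is present to decode.
    print(inspect_authorization("NTLM TlRMTVNTUAABAAAA"))
```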

All replies

  • If you have only Integrated Authentication enabled, then you will always need to supply a domain name.  If you have forms-based authentication enabled, you should be able to specify what credentials are required in Exchange Management Console.
    Outlook Web Access For PDA , OWA For WAP
    http://www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Thursday, January 14, 2010 3:13 PM
  • In IIS7 I had Windows Authentication and Basic Authentication enabled. Everything I read has said to set authentication for OWA in IIS7 vs. Exchange Management Console. I tried to set authentication to "Username Only" under "Use forms-based authentication" in Exchange Management Console but it defaults to domain\username. After doing that, when I go to IIS7 all authentication is disabled. If I get a prompt outside our office for credentials, that tells me I am reaching the Exchange server, just authentication is set up wrong somehow.
    Thursday, January 14, 2010 3:37 PM
  • Can you provide a link to a document that says that OWA authentication should be configured in IIS when you have IIS7?  Enabling Integrated Auth in IIS when FBA is enabled in Exchange seems like a strange combination, since FBA requires Basic only.  If you enable Integrated, I would expect that you no longer see the FBA page, but rather the usual small grey logon prompt.  If the grey logon prompt is what you are in fact seeing, then you will always need to supply the domain, since Integrated Auth requires it.  It will also negate any settings you configure for FBA, ("Username only", etc.) since FBA will no longer be active.

    What do you see?  The FBA page, or the logon prompt?


    Outlook Web Access For PDA , OWA For WAP
    http://www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Thursday, January 14, 2010 3:50 PM
  • In Exchange Management Console I have "Use one or more standard authentication methods" with "Integrated Authentication" checked. In IIS7 I have Windows Authentication and Basic Authentication enabled. When I try the external OWA website outside the office I get a logon prompt. I put in my username and password and it automatically populates with my domain name, but with domainname\username and password I am not able to access the web page.
    Thursday, January 14, 2010 4:01 PM
  • It would help to know which authentication method your browser is trying to use.  If you have a non-MS browser available, then try that, since it won't be able to use Integrated Auth.  It's also possible to go into your IE options, and tell it not to use Integrated Auth.

    If you are seeing the logon prompt that has three input boxes, then it is definitely using Integrated Auth, and you have to supply the domain in the domain input box, and the username only in the username input box.

    If you are seeing the logon prompt that has two input boxes, then you can't really be sure if it's using Basic or Integrated.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Thursday, January 14, 2010 4:06 PM
  • I tried using both IE7 and Firefox and got the same prompt for login. I get a logon prompt with only two input boxes, just username and password.
    Thursday, January 14, 2010 4:17 PM
  • Does it work in Firefox if you only type username?
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Thursday, January 14, 2010 4:20 PM
  • No, same response as IE: it populates the domain name, and domain name\username and password do not work.
    Thursday, January 14, 2010 4:30 PM
  • Do you want to get forms-based authentication working?  Or do you want a combination of integrated auth and/or normal basic auth?


    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Thursday, January 14, 2010 4:46 PM
  • What would be best for external use with high security and ease of use?
    Thursday, January 14, 2010 4:57 PM
  • FBA is the best (IMHO) since it is a cookie-based authentication scheme, and the logoff (which clears the cookies) is more positive than Basic Auth alone, which doesn't clear the credentials until you close the browser (which means that someone can possibly just use the back button to get into a mailbox that someone thinks has been logged out).  But you can only use FBA with SSL, because without it the credentials typed into the FBA form are sent to the server unencrypted.  Integrated Auth is good, because it means that users already logged into their workstations can go straight in.  But I don't think this applies in your case, since you say you are always seeing the login prompt.  Unfortunately, FBA and Integrated Auth is not a supported combination.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Friday, January 15, 2010 1:17 PM
  • Well, last night I went home with the above credentials marked "Windows Authentication" and "Basic" enabled. I was able to log in via Firefox but not IE. What causes this situation? Also, what is FBA?
    Friday, January 15, 2010 1:59 PM
  • Sorry - FBA is just Forms-Based Authentication.  I assume that you have disabled this, and are not seeing the graphical logon page, but some kind of grey popup logon prompt?

    Hard to say what's going wrong in IE, but since IE will try to use Integrated Auth (Firefox is unable to use Integrated), it is not a surprise that it is behaving differently.  If IE asks you to log on several times before failing, then there is a problem with the credentials.  If it only asks you to log in once before failing, then the credentials are correct, but there is a problem with the permissions.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Friday, January 15, 2010 2:09 PM
  • Yes, I just get a light blue/grey logon prompt. If I try to put the same credentials in IE logon prompt as Firefox it populates with our domain name\username and then I try it with that and password but it just continues to fail in IE. So there is a problem with permissions and if so where?
    Friday, January 15, 2010 2:13 PM
  • In IE, do you see the logon prompt that has three inputs (user, password, and domain) or the one with only two (user and password)?

    Does it ask you for your credentials several times before it fails?


    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Friday, January 15, 2010 2:18 PM
  • In IE it only has two inputs (username and password). Yes, I first just put in username and password and try; it fails and then auto populates to domain\username and I try again with that and password but it continues to fail. I can try numerous times.
    Friday, January 15, 2010 2:25 PM
  • That sounds like it thinks your username and password are wrong.  Which seems odd.  But have you tried logging in with your UPN username@domain.com ?


    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Friday, January 15, 2010 2:58 PM
  • If I use UPN username@domain.com in IE I get the page:

    Server Error

    401- Unauthorized: Access is denied due to invalid credentials.

    You do not have permission to view this directory or page using the credentials that you supplied.

    Firefox works fine with just username and password.
    Friday, January 15, 2010 3:43 PM
  • Is this on Server 2008 (I assume so, since you mention IIS7)?  Did you install the Integrated Auth subcomponent of IIS?
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Friday, January 15, 2010 3:46 PM
  • Yes, it is installed. Using 2008 and IIS7.
    Friday, January 15, 2010 3:56 PM
  • Have a look at the IIS logs for the unsuccessful requests from IE.  If you find them, can you paste them for us?  If a username is logged, then IIS has accepted the credentials, but denied you access to something.  If no username is logged, then it did not even accept the credentials - see if you can find entries in the server's Security Event Log.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Friday, January 15, 2010 4:00 PM
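
The log check described in the reply above, as an added example that is not part of the original thread: it reads IIS W3C extended log lines and applies the stated rule per client (a logged `cs-username` on a 401 means the credentials were accepted but access was denied; no username means they were not accepted). The sample log is constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2010-01-15 20:41:02 GET /owa/ - 203.0.113.10 401 2
2010-01-15 20:41:09 GET /owa/ - 203.0.113.10 401 1
2010-01-15 20:41:15 GET /owa/ - 203.0.113.10 401 1
2010-01-15 20:52:30 GET /owa/ - 198.51.100.7 401 2
2010-01-15 20:52:36 GET /owa/ EXAMPLE\\jdoe 198.51.100.7 401 3
2010-01-15 21:03:11 GET /owa/ - 192.0.2.44 401 2
2010-01-15 21:03:14 GET /owa/ EXAMPLE\\jdoe 192.0.2.44 200 0
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage_by_client(lines):
    """Classify each client IP using the rule from the thread."""
    rows_by_ip = defaultdict(list)
    for row in parse_w3c(lines):
        rows_by_ip[row.get("c-ip", "?")].append(row)
    verdicts = {}
    for ip, rows in rows_by_ip.items():
        # The first 401 of any exchange is only the server's challenge, so
        # judge the whole sequence for a client rather than a single line.
        named = [r for r in rows if r.get("cs-username", "-") != "-"]
        if any(r.get("sc-status") != "401" for r in named):
            verdicts[ip] = "authenticated"
        elif named:
            verdicts[ip] = "credentials accepted, access denied: check permissions"
        else:
            verdicts[ip] = "credentials not accepted: check the Security event log"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in triage_by_client(SAMPLE_LOG).items():
        print(ip, "->", verdict)
```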
  • Did some testing last night. In IIS7 if I have just "basic authentication" set then I can get into OWA using IE. However, if I have "basic authentication and windows authentication" I cannot access OWA in IE. Like I said before I can get in using Firefox and Chrome.

    If in Exchange Management Console I set the authentication to "use forms-based authentication" and just "basic authentication" in IIS, then I can also get in with IE.

    I also want to make sure that when a user closes browser windows or logs off, they are prompted each time with a login prompt for security.

    Any ideas greatly appreciated. I will try to possibly look at logs today.

    Thank you
    Tuesday, January 19, 2010 3:00 PM
  • It sounds like you ought to just leave Integrated Auth disabled.  If you want to use the FBA form, then this will officially only work if only Basic is enabled.  Trying to have the two enabled (FBA in Exchange and Integrated in IIS) may be the cause of your problems.  Also, since you want everyone to have to log in each time, this also means that you should leave Integrated Auth disabled, since having Integrated enabled means that users do not have to log in if they are already logged into the domain.
    Outlook Web Access For PDA , OWA For WAP
    www.owa-pda.com
    email a@t leederbyshire d.0.t c.0.m
    Tuesday, January 19, 2010 3:40 PM
  • If I just have "Basic Authentication" enabled in IIS7 and nothing else, and have just "Use one or more standard authentication methods" checked but nothing below it in Exchange Management Console, this will allow me access in IE, but will this open any security issues? I still have SSL enabled and want there to be a login each time the browser is closed or the user logs off in OWA.

    Thanks!
    Tuesday, January 19, 2010 4:17 PM