Turning off SSL for Forms Based Authentication on Outlook Web App 2010

Question

  • I want to run Forms Based Authentication for Outlook Web App over http, not https. I have an Exchange 2010 SP1 CAS server that I did NOT configure for redirection using the directions in "Simplify the Outlook Web App URL" in the Exchange 2010 Help, and I have also unchecked "Require SSL" in IIS on all virtual directories (the Default site was the only one checked after the SP1 upgrade) and then reset IIS. This didn't work, so as a troubleshooting step I have reset the Virtual Directory using the Exchange Console and reset IIS again. No dice. I've even added a "SSLOffloaded" registry setting as recommended elsewhere.

    I still cannot keep OWA from redirecting me to https when forms based authentication is on. If I go to basic authentication or integrated, it's not an issue; http access to OWA works fine.

    It doesn't seem to be an IIS redirect setting that is causing this issue, it seems to be some part of the redir.aspx or logon.aspx code.

    The reason this is important to me is that almost all hardware load balancers recommend offloading SSL to their devices, and so this is what I'm trying to do: offload SSL encryption to an HLB but still use FBA. Has anyone done it?

    Thanks for anyone's help with this.

    Wednesday, January 5, 2011 7:01 AM

Answers

  • The article is not right, at least for an F5. Try changing the 1 to a 0 and that disables the HTTPS redirect.

    Off-Loading to me is F5 port 443 to IIS port 80

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

    Under this registry key, create a new REG_DWORD value named “SSLOffloaded” and set it to “1”.

    • Marked as answer by sidhis Sunday, January 9, 2011 7:39 AM
    Friday, January 7, 2011 11:32 PM
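The registry check and the redirect test discussed in this thread, as an added PowerShell example (not code from any post here). It reads the SSLOffloaded value from the key named above and requests /owa over plain http without following the redirect, so the scheme in the Location header shows whether the CAS itself is issuing the https redirect. It assumes it runs on the CAS (for the registry read); the hostname is a placeholder.

```powershell
# Added example, not from the thread. Assumes it runs on the CAS so the
# registry read is local; the hostname below is a placeholder.

$owaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'

function Get-OwaSslOffloaded {
    # Returns the SSLOffloaded DWORD, or $null when the value is absent
    $item = Get-ItemProperty -Path $owaKey -Name 'SSLOffloaded' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.SSLOffloaded
}

function Test-OwaRedirect {
    param([Parameter(Mandatory)][string]$Url)
    # HttpWebRequest with AllowAutoRedirect off hands back the 302 instead of
    # following it; this works in Windows PowerShell 5.1 and PowerShell 7
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx still carry a response object; rethrow if there is none
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }
    }
    $result = [pscustomobject]@{
        Request  = $Url
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers['Location']
    }
    $resp.Close()
    return $result
}

$value = Get-OwaSslOffloaded
if ($null -eq $value) { 'SSLOffloaded is not set' } else { "SSLOffloaded = $value" }

# Plain-http request straight at the CAS, the way an offloading load balancer
# would send it; a Location starting with https:// means the CAS forced the redirect
Test-OwaRedirect -Url 'http://cas01.contoso.local/owa/' | Format-List
```

Run the probe against both the CAS and the load balancer VIP: the thread's point is that the client-facing Location should stay https even when the CAS side is http.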

All replies

  • Check this article; it may help.


    http://social.technet.microsoft.com/wiki/contents/articles/how-to-configure-ssl-offloading-in-exchange-2010.aspx



    MCP, MCSE 2000 , MCSA 2000 ,MCSA 2003 , MCITP , MCTS , MCT
    Wednesday, January 5, 2011 7:23 AM
  • Thanks Mohamed. This was the wiki I was following. There is some discussion in the comments about the exact same question I have - how to enable http for FBA - and Henrik says it's possible, but doesn't elaborate past that.
    Thursday, January 6, 2011 3:55 AM
  • The article is correct. To enable SSL offloading for OWA in Exchange 2010 you set the value of the "SSLOffloaded" key to "1". This is no different from how you did it with previous versions of Exchange. For instance, you can find the official TechNet guidance on how to do this in Exchange 2007 here:

    http://technet.microsoft.com/en-us/library/bb885060%28EXCHG.80%29.aspx

    When the LB solution has been configured properly this works fine with FBA-based authentication.



    Henrik Walther
    Saturday, January 8, 2011 10:44 AM
  • ISPAN,

    Thank you so much! You are right, changing the SSL "SSLOffloaded" DWORD registry key from 1 to 0 did indeed allow FBA to work over http and not https. I had almost given up! Hopefully this will help others that need to have OWA run over http with FBA turned on.

    I don't know what to tell you Henrik, but it doesn't seem to work the way it should!

    Ben 

    Sunday, January 9, 2011 7:39 AM
  • Sounds like you're configuring reverse SSL (aka SSL bridging) and not SSL offloading (aka SSL acceleration). When configuring reverse SSL you shouldn't add the SSL offloading key as you aren't offloading SSL.



    Henrik Walther
    Monday, January 10, 2011 4:26 PM
  • I know that's what it sounds like, but I'm really not. With the registry key set to "1", OWA's FBA redirects all http requests to https (i.e. punch in http://webmail.contoso.com and you get redirected to https://webmail.contoso.com/owa/auth/logon.aspx?blahblahblah). When setting it to "0" it doesn't, and leaves it at http (http://webmail.contoso.com/owa/auth/logon.aspx?blahblahblah). Without the registry entry at all, it behaves just like when it is set to "1".

    I'd really suggest you try this out and I think you'll see!

    Tuesday, January 11, 2011 3:05 AM
  • So yes, you will see an automatic redirect from http://CAS_server_or_LB/domain.com to https://CAS_server_or_LB_FQDN/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2fCAS_server_or_LB.domain.com/%2fowa%2f, but that's a cosmetic thing really.

    As mentioned if you enable SSL acceleration/offloading on the LB it should work fine. Personally, I've done this many times both in lab and some customer environments although I mostly configure reverse SSL/SSL bridging.




    Henrik Walther
    Wednesday, January 12, 2011 7:05 AM
  • Going to have to disagree again with you there. The https redirect is not cosmetic - you can't log in to OWA via http if this isn't disabled while FBA is turned on. After the redirection I've mentioned, you can change the https to http in the URL and it will work to hit the FBA login screen via http (likely due to SSL not being required on the virtual directory), but once you log in, it redirects you back to https again.

    The redirection is done by a compiled module in the owa web application before logon.aspx is evaluated and sent to the browser. This module seems to be reading the SSLOffloaded registry setting incorrectly.



    Thursday, January 13, 2011 5:53 AM
  • Well you don't have to really...

    The important thing here is that things work as expected (yes, the "redirect" is expected) and that when a LB solution has SSL acceleration enabled and otherwise has been configured properly, you can access OWA via an HTTPS encrypted session when hitting "https://mail.domain.com/owa".

    Let me see if I can get you guys the detailed explanation of the "redirect" logic.



    Henrik Walther
    Thursday, January 13, 2011 6:34 AM
  • I have also had issues with F5 and SSL offloading. If I have one OWA site on a server I need to set the value to "0". If I add another OWA site, I need to set the value to "1". I believe this is an issue with the OWA SSL Offloading logic.
    Tuesday, April 19, 2011 5:11 PM
  • I know that's what it sounds like, but I'm really not. With the registry key set to "1", OWA's FBA redirects all http requests to https (i.e. punch in http://webmail.contoso.com and you get redirected to https://webmail.contoso.com/owa/auth/logon.aspx?blahblahblah). When setting it to "0" it doesn't, and leaves it at http (http://webmail.contoso.com/owa/auth/logon.aspx?blahblahblah). Without the registry entry at all, it behaves just like when it is set to "1".

    I'd really suggest you try this out and I think you'll see!


    I had the same experience. I thought this behavior was not what I wanted. However, it is what we want. When the user hits https://webmail.contoso.com/owa, there is going to be a redirect, for the FBA. The redirect is passed directly to the web browser. Keep in mind the user's original request is for an "https" web page. The new, redirected web page request will be made against the load balancer. The load balancer will change the "https" to "http".

    So the user will request https://webmail.contoso.com/owa/auth/logon.aspx?blahblahblah from the load balancer. The load balancer will ask for http://webmail.contoso.com/owa/auth/logon.aspx?blahblahblah ... therefore SSL offloading is working if you get the FBA ... we always want the end user to be redirected by OWA to an encrypted page.

    It makes sense, I am kicking myself, spent so long troubleshooting this.

    Monday, August 8, 2011 3:33 PM