Forms-based Authentication

Exchange 2003 has a snazzy new feature called Forms-based Authentication, which I'll refer to as FBA. FBA is the new logon security feature for Outlook Web Access (OWA) which is disabled by default in Exchange 2003.

Why use FBA?

There are several security benefits to running FBA:

1. If the session is inactive for a period of time, the session will expire. The only way to gain access again is to re-authenticate. More on this later.
2. Users can no longer click the Remember my password check box in Internet Explorer.
3. Like the session inactivity setting, if you log out, you really log out. The only way to gain access again is to re-authenticate. Previously in Exchange 2000, the user had to complete the logout session by closing the browser window.

Enabling FBA

Enabling FBA is a simple process performed in Exchange System Manager. First, you should note that you need SSL enabled on the target Exchange 2003 server. When you've done that:

1. Drill down to your server object in ESM.
2. Under the server object, expand the Protocols container.
3. Under the Protocols container, expand HTTP.
4. Bring up the properties of the Exchange Virtual Server.
5. Click the Settings tab. Here you will see the option to enable FBA.

Here's what you should see. Note that this option is greyed out on a cluster server because FBA isn't available on a cluster. You'll need a front-end server in this scenario.

[Screenshot: Enabling FBA]

You will also note an option for compression. I'll leave that subject for another article. I've recently enabled FBA in a front-end back-end scenario here at my office. Note that FBA only needs to be enabled on the front-end server in this scenario.

If you've done everything correctly, you should get the following new OWA logon screen. Note that one difference is that your users will now need to enter domain\username when logging on, or they can use their UPN if they prefer. There are ways around the domain\username sequence by modifying the logon.asp page, but those changes will be lost when you perform upgrades or re-installations. I think I'm going to leave this as it is for now - it's not much for users to learn, after all.

[Screenshot: Logon Screen]

A Choice of Experience

The first option on the FBA screen is for you to select your choice of client experience: Premium or Basic. The Premium client gives you the full new OWA interface, whereas the Basic client gives you a cut-down version with fewer features. As you might guess, the Basic client is somewhat faster because it offers fewer features. Hopefully that will help those still using dial-up connections to their OWA mailbox. If you've never seen the Basic client, here's a quick screen shot.

[Screenshot: Basic OWA Client]

Tweaking Security Options

Also on the opening logon screen are two options surrounding the security of the session: Public or shared computer and Private computer. The Private computer option assumes you are accessing OWA from a trusted computer, such as a computer within your normal office, your home, or perhaps from a partner site where you trust the other workers! The Public or shared computer option is for those situations where you are accessing OWA from a non-trusted network, such as an Internet cafe or other public area.

The difference between the two options is how long the inactivity timeout will last. With the Public or shared computer option, the timeout is 15 minutes by default. With the Private computer option, the timeout is 24 hours by default. These values can be modified via the following registry keys:

HKLM\System\CurrentControlSet\Services\MSExchangeWEB\OWA\TrustedClientTimeout
HKLM\System\CurrentControlSet\Services\MSExchangeWEB\OWA\PublicClientTimeout

Both are DWORD values, and are set in minutes. For both, the minimum value is 1 and the maximum value is 43200, which translates to 30 days.

By the way, in case you're curious, I understand that the timeout will not kick in during long message composition!
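As an added example (not from the original article), here is a PowerShell script that sets both timeout values under the key above, rejects anything outside the documented 1 to 43200 minute range, and reads the values back, falling back to the article's defaults (15 minutes and 24 hours) when a value is absent. It assumes a PowerShell host is available on the front-end server and that the key path is exactly the one documented above; the 10 and 480 minute settings are constructed sample values.

```powershell
# Added example: set the OWA FBA inactivity timeouts (in minutes) and read them back.
# Assumes PowerShell is installed on the Exchange 2003 front-end server and that the
# registry path is exactly the one documented in the article.
$OwaKey = 'HKLM:\System\CurrentControlSet\Services\MSExchangeWEB\OWA'

function Set-OwaFbaTimeout {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('PublicClientTimeout', 'TrustedClientTimeout')]
        [string]$Name,
        [Parameter(Mandatory=$true)]
        [int]$Minutes
    )
    # Documented range: 1 minute up to 43200 minutes (30 days).
    if ($Minutes -lt 1 -or $Minutes -gt 43200) {
        throw "$Name must be between 1 and 43200 minutes (got $Minutes)"
    }
    # Create the OWA key if it does not exist yet, then write a REG_DWORD in minutes.
    if (-not (Test-Path $OwaKey)) {
        New-Item -Path $OwaKey -Force | Out-Null
    }
    Set-ItemProperty -Path $OwaKey -Name $Name -Value $Minutes -Type DWord
}

function Get-OwaFbaTimeouts {
    $props = $null
    if (Test-Path $OwaKey) {
        $props = Get-ItemProperty -Path $OwaKey
    }
    # Fall back to the documented defaults when a value has not been set:
    # 15 minutes for public/shared computers, 24 hours (1440 minutes) for private ones.
    $public  = if ($null -ne $props -and $null -ne $props.PublicClientTimeout)  { $props.PublicClientTimeout }  else { 15 }
    $trusted = if ($null -ne $props -and $null -ne $props.TrustedClientTimeout) { $props.TrustedClientTimeout } else { 1440 }
    return @{ PublicClientTimeout = $public; TrustedClientTimeout = $trusted }
}

# Constructed sample settings: 10 minutes for public/shared computers, 8 hours for private ones.
Set-OwaFbaTimeout -Name PublicClientTimeout  -Minutes 10
Set-OwaFbaTimeout -Name TrustedClientTimeout -Minutes 480
Get-OwaFbaTimeouts
```

Run it from an elevated session on the front-end server, since writing under HKLM requires administrative rights.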

What About ISA?

What if you are using ISA in your DMZ and you publish OWA?

When I enabled FBA on my front-end server, I had the following message pop up:

[Screenshot: FBA Warning]

This message indicated that I could offload SSL to the ISA server, or so I thought. Great - no need for an SSL certificate on my front-end server. Wrong! It's my understanding that you have to have SSL enabled on both the ISA and the front-end server for FBA to work. I did try without SSL on the front-end, all to no avail.

I'm not saying that this is a bad thing. In fact, bridging SSL across the DMZ has to be a good thing as far as I can see. I just found the above message a little misleading. Or maybe it's just my interpretation, but it's one to watch for, anyway.

FBA is an extremely useful addition to OWA in Exchange 2003. It gets my vote!

Account Deleted on November 17, 2003 at 08:25 AM in Useful Info


Comments

Have a look....

Posted by: Matthias at Nov 19, 2003 1:43:59 AM

I am trying to configure OWA on Exchange 2003. I get the old login screen but it won't accept the username and password. I thought this would be set by the Active Directory but it's not. Please help

Posted by: Jamie Seddon at Dec 16, 2003 5:56:58 AM

I am having somewhat of the same issue. I have recently migrated the last portion of our users from Exchange 5.5 (where OWA was functioning properly for them) to Exchange 2003. After migrating their mailboxes, they are no longer able to access OWA 2003. After typing in their domain/username & password, they receive a 404 Not Found Error. However, I migrated my primary mailbox, and 4 additional ones (which are on different SMTP domains) approximately 2 months ago, and I have no issues accessing the new OWA. Is this an issue where I simply need to wait on replication? It hasn't been even 12 hours yet since I moved these users, but should it take that long? Any suggestions??

Posted by: David Fike at Jan 12, 2004 7:56:16 PM

When you say the additional mailboxes are on different SMTP domains, does that mean that your default recipient policy points to this domain? If so, that would explain why OWA doesn't work for other users, since they'll have different SMTP domain addresses. There's more configuration required to make this work. See:

http://hellomate.typepad.com/exchange/2003/07/owa_and_multipl.html

Posted by: Neil Hobson at Jan 13, 2004 9:27:33 AM

Forms-Based Authentication in OWA - 440 Timeout---HELP!! PLEASE!!

I need a lot of help!! I have configured Exchange 2003 on Server 2003. Everything works, HTTPS and HTTP. But when I enable Forms Based Authentication I get a "440 Login Timeout" And the page will not load. Please help. Thanks.

Posted by: Thiel at Jan 14, 2004 1:32:56 PM

I have ticked that box for Forms-based Authentication but when I go to my url I still get the standard windows login box appear. Why don't I see the new screen?

Posted by: Phil Bishop at Jan 15, 2004 3:26:44 AM

I take it you've got SSL configured? Also, is FBA set on your front-end server?

Posted by: Neil Hobson at Jan 15, 2004 3:33:25 AM

I'm not sure if SSL is configured or not!? We only have one server, with W3K and Exchange 3K installed. Thanks for the quick reply

Posted by: Phil Bishop at Jan 15, 2004 3:48:24 AM

No, it's not configured! What do you suggest I do? Any help would be great

Posted by: Phil Bishop at Jan 15, 2004 4:35:01 AM

I only have one Exchange server. No frontend/backend configuration. Has anyone else seen the 440 Login Timeout error?

Posted by: thiel at Jan 15, 2004 3:49:53 PM

I successfully enabled forms based authentication and had the webmaster change the default login page. You MUST have SSL enabled (A valid Cert from a TRUST works best). Only then will FBA work. How far have you gotten? It took me a few tries to get it right, but I will be more than willing to share what I have learned to date. Feel free to check out the work on our sample site httpS://ppmservice.com/exchange

Posted by: Nestor Rentas at Jan 16, 2004 5:43:49 PM

I went through the same thing of having w2003 server and Exchange 2003 on the same box. No front end / back end. We configured it for SSL using the microsoft CA and it worked beautifully for 2 days. Now all we are getting are the 440 login timeout errors. I have no idea what "changed" to cause it to quit working.

Posted by: Brian at Jan 18, 2004 8:54:58 PM

What an experience! Everything works for me except SSL for OWA on Exch2003. I have roamed the net and find nothing tutorial-wise to explain how to config SSL for OWA for *Exchange 2003*. I've experimented plenty -- ESM and IIS and CA made by Microsoft's wizards shuffled every which way but *yes* - If someone out there knows how, please point me. W2k3 server (PDC) and Exch2003 same box, NAT behind dlink router. In basic authentication mode (clear text) everything AOK on intranet and internet. So what is the trick with SSL? Lottagud mcse didme, eh!

Posted by: Ken at Jan 20, 2004 8:22:00 PM

Is the DLink router configured to port forward the SSL traffic, i.e. 443?

I know you're not using an ISA server, however you might get some good pointers from Tom Shinder's OWA publishing guide..

http://www.isaserver.org/tutorials/pubowa2003toc.html

Posted by: Chris Meirick at Jan 21, 2004 2:42:01 AM

I want to host a single exchange server offsite (at a colo accessible via internet) and have all the users access from their own machines via web browser or outlook 2002(and newer). Assuming that the users are not on Active Directory and many are running NT.... can they use both OWA and Outlook? i.e. can authentication be totally separate from their winNT domains? what should I do ? thanks.
mace

Posted by: Mace Wolf at Jan 27, 2004 10:22:50 PM

Mace,
I assume that you're referring to Exchange 2003? If so, you necessarily have to have Active Directory set up on that box. Only Exchange 5.5 can function without Active Directory.

If you go down this route of colocating your server at a data center, (even if you have a machine acting as a domain controller at your office) then you will have to make that colocated box a Domain Controller that acts independently from your office DC. This, of course, means that users can have different passwords for Windows and Outlook.

And yes, once you set it up, the colocated Exchange 2003 box can be accessed via MS Outlook 2000, Outlook 2002, and Outlook 2003, as well as via Outlook Web Access (OWA).

But, if you really don't want the hassle and expense of maintaining your own Exchange box, worrying about security, maintenance, and troubleshooting users' connections to the box (especially when they try to do it from home via Outlook), then you should consider a hosted solution. Shameless plug: We do offer Microsoft Exchange Hosting - both shared hosting and dedicated exchange servers. Check out www.123Together.com for more info!

-Robert Baron
www.123Together.com

Posted by: Robert Baron at Jan 31, 2004 5:07:46 PM

I've had the OWA functioning for a few weeks now, but tonight, I'm no longer getting the login form, instead I'm getting a directory listing similar to a text based ftp site. If I click on my mailbox directory (which is in the list), I'm then given the logon form, but when I log in, I'm sent back to a directory listing of all my mail folders - i.e.:
To Parent Directory
Calendar
Inbox
etc...
I was attempting to increase the session timeout last night, but the last time I checked everything was working fine...until tonight. Any thoughts?
Thanks, Randy

Posted by: Randy Warner at Feb 16, 2004 7:27:29 PM

We upgraded to Exchange 2003. We are still using the Basic Authentication and not the FBA.
However when we log in, it takes you directly to the "Basic OWA". Is there any way we can make it go to the "premium" directly instead??

I have been breaking my head on this for a while now.

Can anyone help me??

Thanks
Prem

Posted by: Prem at Feb 20, 2004 11:45:05 AM

Presumably you're using IE 5.0 or later?

You might want to check the following registry entry...

HKLM\System\CurrentControlSet\Services\MSExchangeWeb\OWA
Value: ForceClientsDownLevel
DWORD: if set to 1 (enabled) basic OWA will be served-up - reset to 0

Posted by: Chris Meirick at Feb 21, 2004 8:07:54 AM

We are using ISA Server 2000 SP1 FP1, on Windows 2003 with Exchange 2003 with SSL.
The cert is loaded on the Exchange server as well as the ISA server.
The ISA Web Publishing Rule for OWA requires SSL. The IIS that runs Exchange 2003 (on a separate box) does NOT require SSL, (exchange, exchweb, etc) is only using 'basic auth'.

I'm trying to make it secure, but not unnecessarily slow.
So I am terminating the SSL at the ISA and bridging HTTP with ISA. I think that's how you say it. Everything works fine, until I check the box to enable Forms Based Authentication.

Everything seems to still work, I just never get the Form Based Auth, I still get the old gray box asking for username/pass.

Can you provide any suggestions?
Thanks!

Posted by: Paul at Feb 25, 2004 8:54:48 AM

Hi Paul,

So, are you running with a FE server? If so, I believe the cert should be installed on this server (and also the ISA server) and not on the BE. This is how my FBA is set up.

Posted by: Chris Meirick at Feb 25, 2004 3:28:49 PM

Hi Chris,
Only one Exchange2003 server and one ISA2000 Server both running on Windows 2003 Server. No FrontEnd / BackEnd setup.
Thanks for any advice you may be able to offer.
Paul

Posted by: Paul at Feb 25, 2004 10:14:30 PM

Sounds like you don't have IIS completely configured correctly, check your authentication settings under your default website and the containers under it.

Posted by: brian at Mar 10, 2004 12:04:30 AM

My server is the DC and Exchange server (the only server), also set up as a certificate server. Set up SSL for Outlook Web Access and turned on FBA. It will go through but it's sssssssssssssssssssslowwwwwwww: takes about 1 min to capture the cert, then another 30 secs to pull the FBA.

any ideas... I am not going to pay an SSL company.. when I can use my own cert server

Posted by: nick at Mar 15, 2004 4:37:08 PM

To get rid of the slow download/checking of the certificate, you should install the certificate on the local PC. Check this page for the instructions:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q297681

Once it's installed, the login page loads very fast, and also no more warning from SSL.

Posted by: wity at Mar 23, 2004 12:54:38 AM