Front-end server is using basic authentication

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2005-11-18

The Microsoft® Exchange Server Analyzer Tool reads the following registry entry to determine whether basic authentication is configured between a front-end server and a back-end server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeWeb\DAV\UseBasicAuthToBE

If the Exchange Server Analyzer finds that the UseBasicAuthToBE key has been set, a non-default configuration message is displayed.

By default, Exchange Server 2003 front-end servers will use Kerberos authentication to help protect user credentials between the front-end and back-end servers. If Kerberos authentication fails, a Warning event will be logged and the front-end server will try NTLM instead. If NTLM fails, an error will be logged. Kerberos is tried again in 30 minutes. When Exchange 2000 Server or Exchange Server 2003 front-end computers authenticate with Exchange 2000 Server back-end computers, NTLM is used.

Setting the UseBasicAuthToBE registry key overrides this default logic and forces the Exchange front-end servers to use basic authentication for all communications with back-end servers. If you have more than 1,000 mailbox stores in your Exchange organization, you must set this registry key. A known issue exists where users who are accessing mailboxes from Microsoft Office Outlook® Web Access for Exchange Server 2003 through front-end servers in organizations with more than 1,000 mailbox stores cannot access their mailboxes.

If you do not have more than 1,000 mailbox stores, and you do not have a reason for forcing basic authentication, consider deleting the UseBasicAuthToBE registry key.

Basic authentication sends credentials in clear text. If you are running an Exchange front-end server with the UseBasicAuthToBE registry key set, it is highly recommended that you use IPSec encryption.

Important

This article contains information about editing the registry. Before you edit the registry, make sure that you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.

To delete the UseBasicAuthToBE registry key

  1. On the Exchange front-end server, open a registry editor, such as Regedit.exe or Regedt32.exe.

  2. Navigate to: HKLM\System\CurrentControlSet\Services\MSExchangeWeb\Dav\UseBasicAuthToBE.

  3. Right-click UseBasicAuthToBE, click Delete, and then click Yes.

  4. Open the Services MMC snap-in, right-click IIS Admin Service, and then click Restart.
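The same check and removal can be scripted across several front-end servers. The following is an added example, not code from Microsoft or the Exchange Server Analyzer Tool. It assumes Windows PowerShell 2.0 or later on an administrative workstation and Remote Registry access to each server; the function name and server names are hypothetical, and because this topic calls UseBasicAuthToBE a key, the script looks for it both as a value and as a subkey under DAV.

```powershell
# Added example: report UseBasicAuthToBE on front-end servers and, with -Remove,
# delete it and restart IIS Admin Service (steps 1-4 of the procedure above).
# Assumptions: caller is an administrator on each target; Remote Registry is running.
function Get-UseBasicAuthToBE {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [switch]$Remove   # without this switch the function only reports
    )
    $davPath = 'SYSTEM\CurrentControlSet\Services\MSExchangeWeb\DAV'
    $name    = 'UseBasicAuthToBE'
    foreach ($computer in $ComputerName) {
        $result = New-Object PSObject -Property @{
            Computer = $computer; Present = $false; Data = $null; Action = 'None'
        }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            # Open the DAV key writable only when a removal was requested.
            $dav = $hklm.OpenSubKey($davPath, [bool]$Remove)
            if ($dav) {
                $isValue  = $dav.GetValueNames()  -contains $name
                $isSubKey = $dav.GetSubKeyNames() -contains $name
                $result.Present = $isValue -or $isSubKey
                if ($isValue) { $result.Data = $dav.GetValue($name) }
                if ($Remove -and $result.Present) {
                    if ($isValue)  { $dav.DeleteValue($name) }
                    if ($isSubKey) { $dav.DeleteSubKeyTree($name) }
                    # -Force is required because other IIS services depend on IISADMIN.
                    $svc = Get-Service -Name IISADMIN -ComputerName $computer
                    Restart-Service -InputObject $svc -Force
                    $result.Action = 'Removed; IIS Admin Service restarted'
                }
                $dav.Close()
            }
            $hklm.Close()
        } catch {
            $result.Action = "Error: $($_.Exception.Message)"
        }
        $result   # one object per server: Computer, Present, Data, Action
    }
}

# Report only (placeholder server names):
#   Get-UseBasicAuthToBE -ComputerName 'FE01', 'FE02'
# Remove and restart IIS Admin Service:
#   Get-UseBasicAuthToBE -ComputerName 'FE01' -Remove
```

Run it without -Remove first and review the output; organizations with more than 1,000 mailbox stores need the entry to remain set.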

Before you edit the registry, and for information about how to edit the registry, see the Microsoft Knowledge Base article 256986, "Description of the Microsoft Windows Registry" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=256986).