Configuring Standard Authentication Methods for Outlook Web Access

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Topic Last Modified: 2006-09-05

This topic describes standard authentication methods that help secure your computers that are running Microsoft Exchange Server 2007 that have the Client Access server role installed for Microsoft Office Outlook Web Access.

In Exchange 2007, Client Access servers support Integrated Windows authentication and HTTP 1.1 Digest authentication for Exchange 2007 virtual directories. Exchange 2000 and Exchange 2003 virtual directories on a server that is running only the Client Access server role support only Basic and forms-based authentication.

Exchange Server 2003 back-end servers support forms-based, Basic, Integrated Windows, and Digest authentication. Exchange Server 2003 front-end servers do not support Integrated Windows or Digest authentication.

This section describes standard authentication methods. Standard authentication methods include Basic authentication, Digest authentication, and Integrated Windows authentication.

By default, Exchange 2007 enables forms-based authentication.

Basic authentication is a simple authentication mechanism, defined by the HTTP specification, in which the user's logon name and password are encoded (not encrypted) before the credentials are sent to the server.

Basic authentication does not support single sign-on. Microsoft Windows Server 2003 authentication enables single sign-on to all network resources. With single sign-on, a user can log on to the domain one time by using a single password or smart card and authenticate to any computer in the domain.

Basic authentication is supported by all Web browsers, but is not secure unless you require Secure Sockets Layer (SSL) encryption.

Digest authentication transmits passwords over the network as a hash value for additional security. Digest authentication can be used only in Windows Server 2003 and Windows 2000 Server domains for users who have an account that is stored in the Active Directory directory service. For more information about Digest authentication, see the Windows Server 2003 and Internet Information Services (IIS) Manager documentation.

Digest authentication is available only on Exchange 2007 virtual directories.
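As an added illustration (not part of the original topic) of why Basic authentication needs SSL while Digest transmits only a hash, the following Python builds both kinds of Authorization header for a constructed user and server challenge, parses them back, and shows that only the Basic header yields the password directly; the Digest side implements the RFC 2617 qop=auth computation a server uses to verify the response. The realm, nonce, client nonce and URI are assumed sample values, and the simplified header parser is hypothetical rather than IIS code.

```python
import base64
import hashlib
import hmac

# Constructed sample values for this example only (no real deployment or challenge).
REALM, NONCE, CNONCE, NC = "contoso.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
METHOD, URI = "GET", "/owa/"

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth (MD5 is what the RFC specifies, not a choice made here)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()

def build_basic_header(username, password):
    """Basic sends Base64("user:password"): an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def build_digest_header(username, password):
    """Digest sends only the hashed response bound to the server nonce, never the password."""
    resp = digest_response(username, REALM, password, METHOD, URI, NONCE, NC, CNONCE)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{NONCE}", uri="{URI}", '
            f'qop=auth, nc={NC}, cnonce="{CNONCE}", response="{resp}"')

def parse_authorization(header):
    """Split an Authorization header into scheme and parameters.
    The Digest branch assumes no commas inside quoted values (true for these samples)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() == "basic":
        user, _, pwd = base64.b64decode(rest).decode().partition(":")
        return {"scheme": "basic", "username": user, "password": pwd}
    if scheme.lower() == "digest":
        fields = {"scheme": "digest"}
        for part in rest.split(","):
            key, _, value = part.strip().partition("=")
            fields[key] = value.strip('"')
        return fields
    raise ValueError(f"unsupported scheme: {scheme}")

def exposes_password(header):
    """True when the header by itself yields the clear-text password (why Basic needs SSL)."""
    return parse_authorization(header).get("password") is not None

def verify_digest(header, stored_password):
    """Server-side check: recompute the response from the stored password and compare."""
    f = parse_authorization(header)
    expected = digest_response(f["username"], f["realm"], stored_password, METHOD,
                               f["uri"], f["nonce"], f["nc"], f["cnonce"], f["qop"])
    return hmac.compare_digest(expected, f["response"])
```

Note that Digest still depends on the nonce being fresh per challenge; a server that reuses nonces loses the replay protection this computation provides.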

If you are using Digest or Basic authentication on a kiosk, cached credentials pose a security risk when a user cannot close the browser and end the browser process between sessions, because that user's credentials remain in the cache when the next user accesses the kiosk. To enable Outlook Web Access on a kiosk, make sure that users can close the browser and end the browser processes between sessions. Otherwise, consider using a third-party product that incorporates two-factor authentication, in which the user must present a physical token together with a password to use Outlook Web Access on the kiosk.

Integrated Windows authentication requires that users have a valid Windows 2000 Server or Windows Server 2003 user account name and password to access information. Users logged on to the local network are not prompted for their user names and passwords. Instead, the server negotiates with the Windows security packages that are installed on the client computer. This method enables the server to authenticate users without prompting them for logon information. The authentication credentials are protected, but all other communication will be sent in clear text unless SSL is used.

Microsoft Internet Explorer allows single sign-on for Web applications that include Outlook Web Access Web parts if the server that is being accessed has Integrated Windows authentication enabled. Users have to enter credentials only one time for each browser session. However, their credentials are cached in the browser process.

On an Exchange 2007 server on which only the Client Access server role is installed, Integrated Windows authentication can be used only with Exchange 2007 virtual directories. On a server that has both the Client Access and Mailbox roles installed, Integrated Windows authentication can be used with any virtual directory. For more information about Integrated Windows authentication, see the Windows Server 2003 documentation.

Integrated Windows authentication is supported only on computers that are running a Windows operating system and Internet Explorer. Integrated Windows authentication may work with other Web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication.
