Configuring Authentication for Outlook Web Access

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Topic Last Modified: 2007-04-10

This topic explains the types of authentication that are available for Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007. The authentication method that is best for your organization depends on your organization's security needs. By default, Outlook Web Access uses forms-based authentication and is configured to use Secure Sockets Layer (SSL) encryption.

Microsoft Exchange Server 2003 back-end servers support forms-based, Basic, Integrated Windows, and Digest authentication. Exchange Server 2003 front-end servers do not support Integrated Windows or Digest authentication.

Forms-based authentication enables a logon page for Outlook Web Access that uses a cookie to store a user's encrypted logon credentials in the Internet browser. Tracking the use of this cookie enables the Exchange server to monitor the activity of Outlook Web Access sessions on public and private computers. If a session is inactive for too long, the server blocks access until the user re-authenticates.

The first time that the user name and password are sent to the Client Access server to authenticate an Outlook Web Access session, an encrypted cookie is created that is used to track user activity. When the user closes the Internet browser or clicks Log Off to log off from their Outlook Web Access session, the cookie is cleared. The user name and password are sent to the Client Access server only for the initial user logon. After the initial logon is complete, only the cookie is used for authentication between the client computer and the Client Access server.

For more information about forms-based authentication and how to configure it, see:

The cookie time-out is set based on the user's choice of either the This is a public or shared computer option or the This is a private computer option on the Outlook Web Access logon page. By default, the cookie on the computer expires automatically and the user is logged off after they have not used Outlook Web Access for 15 minutes if they have selected the public computer option, and after they have not used Outlook Web Access for eight hours if they have selected the private computer option.

Automatic time-out is valuable because it helps protect users' accounts from unauthorized access. To match the security requirements of your organization, you can configure the inactivity time-out values on the Exchange Client Access server.

Although automatic time-out greatly reduces the risk of unauthorized access, it does not completely eliminate the possibility that an unauthorized user might access an Outlook Web Access account if a session is left running on a public computer. Therefore, warn users to take precautions, such as logging off from Outlook Web Access and closing the Web browser after they have finished using Outlook Web Access.
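The inactivity time-out described above can be modeled in a few lines. This is an added example, not Exchange code: the `SessionTracker` class, the cookie names and the timeline are hypothetical, and the exact boundary behavior (idle time strictly greater than the limit) is an assumption. It shows that the timer is restarted by every request, so a public session ends only after 15 idle minutes or an explicit log off.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default inactivity limits stated in the text above.
DEFAULT_TIMEOUTS = {"public": timedelta(minutes=15), "private": timedelta(hours=8)}


@dataclass
class Session:
    computer: str            # "public" or "private", chosen on the logon page
    last_activity: datetime


class SessionTracker:
    """Simplified, hypothetical model of inactivity tracking (not Exchange code)."""

    def __init__(self, timeouts=DEFAULT_TIMEOUTS):
        self.timeouts = dict(timeouts)
        self.sessions = {}

    def log_on(self, cookie, computer, now):
        if computer not in self.timeouts:
            raise ValueError("computer must be 'public' or 'private'")
        self.sessions[cookie] = Session(computer, now)

    def request(self, cookie, now):
        """Accept the cookie only if the session has not been idle too long."""
        session = self.sessions.get(cookie)
        if session is None:
            return False                      # logged off, expired, or never issued
        if now - session.last_activity > self.timeouts[session.computer]:
            del self.sessions[cookie]         # user must re-authenticate
            return False
        session.last_activity = now           # activity restarts the idle timer
        return True

    def log_off(self, cookie):
        self.sessions.pop(cookie, None)


def walkthrough():
    """Constructed timeline: (minutes after logon, accepted?) for a public session."""
    start = datetime(2007, 4, 10, 9, 0)
    tracker = SessionTracker()
    tracker.log_on("cookie-A", "public", start)
    results = []
    for minute in (10, 20, 30, 50, 55):       # 30 -> 50 is a 20-minute idle gap
        accepted = tracker.request("cookie-A", start + timedelta(minutes=minute))
        results.append((minute, accepted))
    return results
```

In the constructed timeline the session is still accepted 30 minutes after logon because no idle gap exceeded 15 minutes, which is why logging off on a shared computer matters even with the time-out in place.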

For more information about how to configure the cookie time-out values for public and private computers, see:

This topic describes standard authentication methods that help secure your Exchange 2007 Client Access servers for Outlook Web Access.

In Exchange 2007, Client Access servers support Integrated Windows authentication and HTTP 1.1 Digest authentication for Exchange 2007 virtual directories. Exchange 2000 and Exchange 2003 virtual directories on a server that is running only the Client Access server role support only Basic and forms-based authentication.

For more information about standard authentication methods, see Configuring Standard Authentication Methods for Outlook Web Access.

Basic authentication is a simple authentication mechanism that is defined by the HTTP specification. It encodes a user's logon name and password before the user's credentials are sent to the server.

Basic authentication does not support single sign-on. Windows Server 2003 authentication enables single sign-on to all network resources. With single sign-on, a user can log on to the domain one time by using a single password or smart card and authenticate to any computer in the domain.

Basic authentication is supported by all Web browsers, but is not secure unless you require Secure Sockets Layer (SSL) encryption.

For more information about how to configure Basic authentication on an Outlook Web Access virtual directory, see How to Configure Basic Authentication.

Digest authentication transmits passwords over the network as a hash value for additional security. Digest authentication can be used only in Microsoft Windows Server 2003 and Microsoft Windows 2000 Server domains for users who have an account that is stored in the Active Directory directory service. For more information about Digest authentication, see the Windows Server 2003 and Internet Information Services (IIS) Manager documentation.

Digest authentication is available only on Exchange 2007 virtual directories.

If you use Digest or Basic authentication and users access Outlook Web Access from a kiosk, cached credentials can pose a security risk if the user does not close the browser and end the browser process between sessions. The risk arises because a user's credentials remain in the cache when the next user accesses the kiosk. To enable Outlook Web Access on a kiosk, make sure that the user can close the browser between sessions and end the browser processes. Otherwise, consider using a third-party product that incorporates two-factor authentication, in which the user must present a physical token together with a password to use Outlook Web Access on a kiosk.

For more information about how to configure Digest authentication on an Outlook Web Access virtual directory, see How to Configure Digest Authentication.

Integrated Windows authentication requires that users have a valid Windows 2000 Server or Windows Server 2003 user account name and password to access information. Users logged on to the local network are not prompted for their user names and passwords. Instead, the server negotiates with the Windows security packages that are installed on the client computer. This method enables the server to authenticate users without prompting them for logon information. The authentication credentials are protected, but all other communication will be sent in clear text unless SSL is used.

Microsoft Internet Explorer allows single sign-on for Web applications that include Outlook Web Access Web Parts if the server that is being accessed has Integrated Windows authentication enabled. Users must enter credentials only one time for each browser session. However, their credentials are cached in the browser process.

On an Exchange 2007 server on which only the Client Access server role is installed, Integrated Windows authentication can be used only with Exchange 2007 virtual directories. On a server that has both the Client Access and Mailbox roles installed, Integrated Windows authentication can be used with any virtual directory. For more information about Integrated Windows authentication, see the Windows Server 2003 documentation.

Integrated Windows authentication is supported only on computers that are running a Windows operating system and Internet Explorer. Integrated Windows authentication may work with other Web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication.

For more information about how to configure Integrated Windows authentication on an Outlook Web Access virtual directory, see How to Configure Integrated Windows Authentication.