Recipe 8.8. Configuring Form-Based Authentication for OWA 2003

Problem

You want to enable form-based authentication (FBA) for your OWA 2003 servers.

Solution

Using a graphical user interface

  1. Open the Exchange System Manager (Exchange System Manager.msc).

  2. In the left pane, expand the appropriate Administrative Groups container and expand the Servers container.

  3. Expand the target server and expand its Protocols container.

  4. Expand the HTTP node, then right-click the Exchange Virtual Server object and choose Properties.

  5. Switch to the Settings tab.

  6. Click the Enable Forms Based Authentication checkbox.

  7. Optionally, select a compression method from the Compression pulldown. (See the Discussion section for more on compression.)

  8. Click OK.

  9. ESM will display a warning dialog telling you that FBA requires SSL. Click OK.

  10. Restart IIS by opening a command window and using the iisreset command.

Discussion

The idea behind FBA is simple, but understanding it requires some background. If you've used the Exchange 5.5 version of OWA, you probably remember its logon form, which was embedded in an HTML page. The Exchange 2000 version of OWA did away with this logon page; instead, when you tried to log on, your browser itself prompted for credentials using HTTP authentication. Exchange Server 2003 lets you choose whichever approach you prefer, but which one is better? The difference between the two is significant but subtle.

When a web browser gets an authentication challenge from a server, it has to ask the user for credentials. After the user types them in, the browser could make the user type them again for every subsequent page; instead, browsers cache the credentials and resend them with each subsequent request. This is easy for the user, but it raises some potential security problems. If the credentials are sent using basic authentication, they travel with every request merely base64-encoded, so an attacker can trivially capture them from an unencrypted connection. Even if the connection is encrypted, there's no good way to force the browser to "forget" the credentials after a set time period has passed, leading to the sadly common situation where user A logs on to OWA, leaves the machine, and user B comes along and continues user A's OWA session.

FBA attacks this problem by eliminating the browser's access to credentials. When you use the OWA 2003 logon page, your credentials are sent as form fields to the Exchange server, and the communication is protected by SSL (which is why FBA requires SSL). The user name and password arrive at the server, which uses them to authenticate you against the Exchange mailbox you've requested access to. If the authentication request succeeds, the OWA server sends an encrypted cookie back to your browser. The browser supplies the cookie on each subsequent request, and the server decrypts it and checks that it is valid. Net result: the credentials are sent only once, and the rest of the time only the cookie passes from client to server. Better still, the server controls the contents of the cookie, so it can include a time stamp. By checking the time-stamp value each time the browser presents the cookie, the server can enforce session time limits (as described in Recipe 8.10); once the time stamp indicates that the cookie has expired, the server redirects the user to the logon page to get a new cookie.
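To make the cookie mechanism in the preceding paragraph concrete, here is an added Python example (not Exchange's code, and not how OWA 2003 actually formats its cookie). It mints a timestamped session cookie after the form logon has been verified, validates it on every later request, and sends the browser back to the logon form when the cookie is missing, forged, or older than the session limit. The example uses an HMAC-authenticated cookie rather than an encrypted one, so the user name and time stamp are readable; what it shares with the real mechanism is that only the server can issue or extend a cookie, and the server's time-stamp check bounds the session. The key, the 15-minute limit, the user names and the function names are all assumptions made for the example.

```python
"""Timestamped, server-authenticated session cookie modelled on the FBA
mechanism described above. Added example, not Exchange/OWA code."""
import base64
import hashlib
import hmac
from typing import Optional

# Server-side secret: only the holder can mint or validate cookies.
# Constructed for the example; a real server generates and protects its own.
SERVER_KEY = b"example-server-key-not-for-production"

# Assumed session limit for the example (Recipe 8.10 covers the real settings).
SESSION_LIMIT_SECONDS = 15 * 60


def _mac(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over the cookie payload; binds user and time stamp together."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_cookie(user: str, issued_at: int, key: bytes = SERVER_KEY) -> str:
    """Mint the cookie once the form credentials have been verified.

    The payload is 'user|issued_at' and the MAC is appended as hex, so the
    client cannot lengthen its own session by editing the time stamp."""
    payload = f"{user}|{issued_at}".encode()
    token = payload + b"|" + _mac(key, payload).hex().encode()
    return base64.urlsafe_b64encode(token).decode()


def validate_cookie(cookie: str, now: int, key: bytes = SERVER_KEY,
                    limit: int = SESSION_LIMIT_SECONDS) -> Optional[str]:
    """Return the user the cookie was issued to, or None if the cookie is
    malformed, carries a wrong MAC (forged/tampered), or is outside the
    session limit (including cookies dated in the future)."""
    try:
        token = base64.urlsafe_b64decode(cookie.encode())
        user_b, ts_b, mac_hex = token.rsplit(b"|", 2)
        issued_at = int(ts_b)
        expected = _mac(key, user_b + b"|" + ts_b)
        if not hmac.compare_digest(bytes.fromhex(mac_hex.decode()), expected):
            return None
    except (ValueError, TypeError):
        return None
    if not 0 <= now - issued_at <= limit:
        return None
    return user_b.decode()


def rewrite_timestamp(cookie: str, new_issued_at: int) -> str:
    """What someone who can read the cookie might try: push the time stamp
    forward while keeping the original MAC. validate_cookie rejects the
    result because the MAC no longer matches the payload."""
    token = base64.urlsafe_b64decode(cookie.encode())
    user_b, _old_ts, mac_hex = token.rsplit(b"|", 2)
    forged = user_b + b"|" + str(new_issued_at).encode() + b"|" + mac_hex
    return base64.urlsafe_b64encode(forged).decode()


def handle_request(cookie: Optional[str], now: int) -> str:
    """Per-request decision: serve the mailbox page for a valid cookie,
    otherwise redirect the browser to the logon form for a fresh cookie."""
    user = validate_cookie(cookie, now) if cookie else None
    if user is None:
        return "302 redirect to logon form"
    return f"200 mailbox page for {user}"


if __name__ == "__main__":
    logon_time = 1_000_000                     # constructed clock value
    cookie = issue_cookie("alice", logon_time)  # after a successful form logon
    print(handle_request(cookie, logon_time + 60))            # served
    print(handle_request(cookie, logon_time + 16 * 60))       # expired
    print(handle_request(rewrite_timestamp(cookie, logon_time + 3600),
                         logon_time + 3600))                  # tampered
```

Because the password is used only once, at logon, the browser has nothing to replay after the user walks away; the worst a second user at the same machine inherits is a cookie that dies when the server's time-stamp check fails.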

See Also

Recipe 8.10 for setting OWA's session timeout limits, MS KB 830827 (How to manage Outlook Web Access features in Exchange Server 2003), Chapter 14 of Secure Messaging with Exchange Server 2003 (MS Press), and Chapter 2 of the Exchange Server 2003 Client Access Guide (http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3ClientAccGuide/7ff636d5-a97d-4ac9-a090-10eb428ccf83.mspx)



Exchange Server Cookbook
Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
Year: 2006
Pages: 235
