Recipe 8.14. Enabling the Use of FBA/SSL with Outlook Mobile Access and Exchange ActiveSync

Problem

You need to allow access from mobile devices using Outlook Mobile Access (OMA) or Exchange ActiveSync (EAS) but you have SSL or form-based authentication enabled on your Exchange virtual server, which is not supported by EAS and OMA.

Solution

Using a graphical user interface

  1. Open the IIS Manager snap-in from the Administrative Tools menu in the Start menu.

  2. Expand the Web Sites and Default Web Site objects.

  3. Right-click the Exchange virtual directory and choose All Tasks > Save Configuration to a File. Provide a name for the file and click OK.

  4. Right-click Default Web Site and choose New > Virtual Directory (from file). Click Browse, select the file you saved in step 3, click Open, and click Read File.

  5. Select Exchange as the configuration to import and click OK.

  6. Since the Exchange virtual directory already exists on this server, you will be prompted to provide an alternative name for the new virtual directory. Enter a name and click OK.

  7. Right-click the new virtual directory and choose Properties.

  8. Click the Directory Security tab. Under Authentication and access control, click the Edit button. Ensure that both Integrated Windows authentication and Basic authentication are selected. Click OK.

  9. Under IP address and domain name restrictions, click the Edit button. Select Denied access and add a single computer entry with the IP address of the local server. Click OK.

  10. Under Secure communications, click the Edit button. Clear the Require secure channel (SSL) checkbox. Click OK twice and close the IIS management console.

  11. Open the Registry Editor (RegEdit.exe) and navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters key.

  12. Create a new string value named ExchangeVDir. For its value, enter the name of the virtual directory you chose in step 6, prepended by a slash.

  13. Close the Registry Editor.

  14. Stop and restart the IIS Admin service.
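Because the new virtual directory deliberately has SSL turned off and Basic authentication turned on, the IP restriction from step 9 is what keeps it from becoming a cleartext logon surface for anyone but the local server. The following check is an added example, not part of the book's recipe: it reads the IIS 6 metabase through its WMI provider and the MasSync registry value to confirm that steps 8 through 12 were applied as intended. The directory name exchange-oma and the local address 192.0.2.10 are assumed placeholders.

```powershell
# Added verification script (not from the recipe). Assumes the new vdir is
# named "exchange-oma" under the Default Web Site (W3SVC/1) and that the local
# server address is 192.0.2.10; both are constructed values, change them.
$VDirName = 'exchange-oma'
$LocalIP  = '192.0.2.10'
$MetaPath = "W3SVC/1/ROOT/$VDirName"

# IIS 6 metabase AuthFlags bits: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows
$AuthBasic      = 2
$AuthIntegrated = 4

$vdir = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting `
        -Filter "Name='$MetaPath'"
if (-not $vdir) { throw "Virtual directory $MetaPath not found" }

$problems = @()

# Step 8: EAS needs Integrated (Kerberos) and OMA may use Basic, so both must be on.
if (($vdir.AuthFlags -band $AuthBasic) -eq 0)      { $problems += 'Basic authentication is not enabled' }
if (($vdir.AuthFlags -band $AuthIntegrated) -eq 0) { $problems += 'Integrated Windows authentication is not enabled' }

# Step 10: SSL must not be required, because the OMA/EAS WebDAV calls cannot use it.
if ($vdir.AccessSSL) { $problems += 'Require secure channel (SSL) is still set' }

# Step 9: with SSL off, only the local server may be granted access to this vdir.
$ipsec = $vdir.IPSecurity
if ($ipsec.GrantByDefault) {
    $problems += 'Access is granted by default; it must be "Denied access" with one local grant'
} else {
    # Metabase grant entries look like "192.0.2.10, 255.255.255.255"
    $grants = @($ipsec.IPGrant)
    if ($grants.Count -ne 1 -or $grants[0] -notmatch "^$([regex]::Escape($LocalIP))\b") {
        $problems += "IP grant list is '$($grants -join ';')', expected only $LocalIP"
    }
}

# Steps 11-12: EAS is pointed at the new vdir through the ExchangeVDir value.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MasSync\Parameters'
$regVal  = (Get-ItemProperty -Path $regPath -Name ExchangeVDir -ErrorAction SilentlyContinue).ExchangeVDir
if ($regVal -ne "/$VDirName") { $problems += "ExchangeVDir is '$regVal', expected '/$VDirName'" }

if ($problems.Count -eq 0) {
    Write-Output "OK: $MetaPath is configured as the recipe intends"
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
    exit 1
}
```

Run it on the Exchange server after step 14; a non-zero exit means one of the recipe's settings did not take and the directory should not be left in service until it is corrected.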

Discussion

There are two basic problems that can happen when you try to enable mobile devices and SSL/FBA on the same virtual server:

  1. Neither OMA nor EAS can use SSL for WebDAV connections to the Exchange server. Since FBA requires SSL, enabling FBA will automatically prevent mobile devices from synchronizing. Note that EAS used to require SSL, but this is no longer the case.

  2. While OMA uses Kerberos, NTLM, and Basic authentication, EAS requires Kerberos authentication. When you enable FBA, that automatically turns off everything except basic authentication, so EAS can't authenticate.

There are two possible solutions: deploy a separate front-end server for your mobile clients (see MS KB 818476 for more details) or create a new virtual directory with different authentication settings. The steps in this recipe create a separate virtual directory just for mobile client WebDAV access; because IIS stores authentication settings per virtual directory, the new directory can have different settings that work properly. The change should be transparent to your mobile clients, other than the fact that their users will notice their connections start working!

See Also

MS KB 817379 (Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003) and MS KB 818476 (You can configure either Exchange Server 2003 Standard Edition or Exchange Server 2003 Enterprise Edition as a front-end server)



Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
Year: 2006
Pages: 235
