Exchange 2007: Enable an Outlook Web Access Logon Page


By default, forms-based authentication is not enabled for Outlook Web Access in Exchange 2007. Forms-based authentication stores the user's user name and password in a cookie instead of in the browser. When the user leaves an OWA session or after the expiration of the inactivity period, the cookie is cleared. As a result, the user must re-authenticate to use OWA again. This is a good security measure.

To enable the Outlook Web Access logon page, do the following:

  1. Open the Exchange Management Console.
  2. Choose Server Configuration > Client Access.
  3. Click the "Owa (Default Web Site)" entry.
  4. From the Action pane, choose the Properties option.
  5. From the Owa (Default Web Site) Properties page, click the Authentication tab. Under the "Use Forms-Based Authentication" option there are three options for enforcing a particular logon format. The Domain\User Name option is self-explanatory and is useful if you have multiple domains. The User Principal Name (UPN) option, or e-mail address format, is probably the easiest for users to remember since they use it all the time. The User Name Only option is the last option, which is also self-explanatory. If you choose the User Name Only format, you also need to choose a Logon Domain.
  6. Click OK.

Because this change affects IIS, you must restart IIS. From a command line on the Outlook Web Access server, issue the command iisreset /noforce.
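The same change can be scripted from the Exchange Management Shell, which also makes it easy to record the setting before and after. This is an added example, not part of the original article; it assumes it is run on the Client Access server, and CONTOSO is a placeholder logon domain.

```powershell
# Run in the Exchange Management Shell on the Client Access server.
# Assumption: CONTOSO is a placeholder; it is only used with the UserName format.
$vdirName    = 'owa (Default Web Site)'   # the entry selected in step 3
$logonFormat = 'PrincipalName'            # FullDomain | PrincipalName | UserName
$logonDomain = 'CONTOSO'

# Locate the OWA virtual directory on this server.
$vdir = Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Where-Object { $_.Name -eq $vdirName }
if (-not $vdir) { throw "OWA virtual directory '$vdirName' not found on this server." }

# Record the current authentication settings before changing anything.
$vdir | Format-List Identity, FormsAuthentication, LogonFormat, DefaultDomain

# Enable the logon page. User Name Only needs a logon domain (step 5).
if ($logonFormat -eq 'UserName') {
    Set-OwaVirtualDirectory -Identity $vdir.Identity -FormsAuthentication $true `
        -LogonFormat $logonFormat -DefaultDomain $logonDomain
} else {
    Set-OwaVirtualDirectory -Identity $vdir.Identity -FormsAuthentication $true `
        -LogonFormat $logonFormat
}

# Read the setting back and stop if it did not take effect.
$after = Get-OwaVirtualDirectory -Identity $vdir.Identity
$after | Format-List Identity, FormsAuthentication, LogonFormat, DefaultDomain
if (-not $after.FormsAuthentication) {
    throw 'Forms-based authentication is still disabled; IIS was not restarted.'
}

# Restart IIS so the change is picked up, without forcing a stop.
iisreset /noforce
if ($LASTEXITCODE -ne 0) {
    Write-Warning "iisreset exited with code $LASTEXITCODE; check the IIS services."
}
```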

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

3 comments
csvegas

When I attempt to enable the OWA as described I get a 440 timeout error.

- Open the Exchange Management Console.
- Choose Server Configuration > Client Access.
- Click the "Owa (Default Web Site)" entry.
- From the Action pane, choose the Properties option.
- From the Owa (Default Web Site) Properties page, click the Authentication tab.
- Under the "Use Forms-Based Authentication" option there are three options for enforcing a particular logon format. The Domain\User Name option is self-explanatory and is useful if you have multiple domains. The User Principal Name (UPN) option, or e-mail address format, is probably the easiest for users to remember since they use it all the time. The User Name Only option is the last option, which is also self explanatory. If you choose the User Name Only format, you also need to choose a Logon Domain.
- Click OK

Please provide some guidance. Thank you

griffon

Are you sure that the form-based is not enabled with E2K7? New installations of E2K7 have the form-based authentication option enabled!

brian.kronberg

There is a good reason it is not installed by default, because it must be turned off when using FBA through ISA 2006. All, and I do mean ALL, companies deploying Exchange 2007 OWA to Internet users need to use ISA 2006 to secure their OWA infrastructure. The benefits are huge:

  1. OWA can be securely moved back inside the firewall and out of the DMZ.
  2. FBA on ISA will also allow single sign on (SSO) to other internal websites like SharePoint.
  3. Easier integration of Exchange 2007 managed folders (connection to shared folders through OWA) as you do not have to open file sharing from the DMZ.
  4. Use of a single certificate for multiple web sites.

And more...