Use both integrated and forms-based authentication in OWA 2007
Exchange 2007 is an awesome product. I wanted to be able to use the automatic OWA login when a computer is logged into the domain with valid credentials, but still have forms-based login available for accessing an account other than that of the currently logged-in user. So:
(For a 2007-only site; this might need to be done differently in a mixed 07/03/5 environment.)
1. Create a new website (called FormsAuth in this example) in IIS Manager on your Exchange box (e.g. webmail.company.ca). This will be used for the forms-based login.
2. Create a DNS A record for your new domain (and website).
3. Run in the Exchange Management Shell: New-OWAVirtualDirectory -OwaVersion:Exchange2007 -WebSiteName "FormsAuth"
4. Go into Exchange Management Console. Set owa (Default Web Site) to 'Integrated Windows Authentication' under the "Authentication" tab in properties.
5. Set owa (FormsAuth) to forms-based login.
Now when you go to webmail.company.ca you will get the form login. If you go to http://servername/owa it will log you in automatically.
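A read-only check for steps 4 and 5, added here as an example and not part of the original post: it confirms that each OWA virtual directory offers the login type intended for it and reports a directory that is missing. The directory names are assumed from the steps above, and Test-OwaAuthMode is a helper defined only in this example.

```powershell
# Added example (read-only): run in the Exchange Management Shell.
# Names assume the post's sites; change 'FormsAuth' if yours is named differently.
$expected = @{
    'owa (Default Web Site)' = 'Integrated'
    'owa (FormsAuth)'        = 'Forms'
}

# True when the directory offers the intended login type and not the other one.
function Test-OwaAuthMode($vdir, $mode) {
    $forms   = [bool]$vdir.FormsAuthentication
    $windows = [bool]$vdir.WindowsAuthentication
    if ($mode -eq 'Forms') { return ($forms -and -not $windows) }
    return ($windows -and -not $forms)
}

$all = @(Get-OwaVirtualDirectory)
$problems = 0
foreach ($name in $expected.Keys) {
    $found = @($all | Where-Object { $_.Name -eq $name })
    if ($found.Count -eq 0) {
        # Step 3 may have failed, or the site has a different name.
        Write-Warning "$name not found"
        $problems++
        continue
    }
    foreach ($vdir in $found) {
        # Show all four flags so an unexpected extra method is visible too.
        $flags = $vdir.FormsAuthentication, $vdir.WindowsAuthentication,
                 $vdir.BasicAuthentication, $vdir.DigestAuthentication
        $state = 'Forms={0} Windows={1} Basic={2} Digest={3}' -f $flags
        if (Test-OwaAuthMode $vdir $expected[$name]) {
            Write-Host "OK    $($vdir.Server) $name ($($expected[$name])): $state"
        } else {
            Write-Warning "$($vdir.Server) $name should be $($expected[$name]): $state"
            $problems++
        }
    }
}
Write-Host "$problems problem(s) found"
```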
5 Comments:
Awesome idea. I am also in need of having both types of authentication, but my need is based on SharePoint. However, when running this command, I receive the following error. Any ideas?
New-OwaVirtualDirectory : An error occurred while creating the IIS virtual directory 'IIS://server.corp.domain.com/W3SVC/1545172983/ROOT/owa' on 'SERVER'.
At line:1 char:24
+ New-OWAVirtualDirectory <<<< -OwaVersion:Exchange2007 -WebSiteName "FormsAuth"
I verified that it is trying to connect to the correct website, and the permissions look good.
Make sure to stop IIS services before running this command. You may also use the -Name property to change the name of the virtual directory.
Thank you, it worked perfect! I tried to do this for a long time.
I think it's maybe important to mention that the new site should point to the default Inetpub so there are no problems when Exchange creates the new owa virtual directory.
I've been looking for this for a few days. We were trying to get the SharePoint webparts to work with Exchange 2007. Here are the steps that you can run through PowerShell to set up the site, etc.
md C:\Inetpub\Null
iisweb.vbs /create C:\Inetpub\Null IntAuth /b 801
net stop w3svc
new-owavirtualdirectory -websitename IntAuth
Set-OwaVirtualDirectory -Identity "owa (IntAuth)" -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $true
net start w3svc
Some tips which helped me get this working on 2007 Sp1. (Yes, "FormsAuth" home directory must be directed to C:\Inetpub\wwwroot)
1) Integrated - Change default SSL port on "Default" web site to say 444. Remove require SSL at "Default" web site (change this on the OWA subdirectory as well).
2) Forms - On "FormsAuth" use SSL port 443 and TCP port 8090, must have SSL enabled (on the OWA subdirectory too). I recommend you have a different SSL cert to your "Default" web site which matches your externally facing link.
3) Internal users (Integrated) access via http (which needs to be registered with internal DNS) and External users (Forms) access via https via externally facing link (which needs to be registered with external DNS).
Also make sure that in EMC, (Server/Client), OWA authentication method for both OWAs matches above (i.e. Integrated for Default and Forms for FormsAuth). Works a treat!