Forefront Unified Access Gateway (UAG) with Service Pack 1 – Forms Based Authentication to OWA

Disclaimer:

UAG Service Pack 1 removes the ability of UAG to delegate forms-based credentials into any version of OWA. This was a deliberate product design decision: there were many cases and scenarios in which the formlogin with OWA could not meet the requirements of logging in to OWA. Because of the extensive design change that would be required to implement this functionality, the product group determined that removing the formlogin functionality with OWA was the only available solution. The recommended way to allow automatic credential delegation to OWA is to use Basic authentication to the CAS.

The CAS can be configured using the following instructions so that both Basic and FormLogin are available:

  1. Assign each CAS server two IP addresses
  2. Keep the CAS configuration as FBA; in IIS, also bind the OWA website to the second IP and configure that second IP to use Basic/NTLM authentication
  3. In the UAG configuration, publish the second IP address of the CAS server

http://blogs.technet.com/b/exchange/archive/2011/01/17/3411832.aspx describes how to make this change on Exchange 2010

http://blogs.technet.com/b/exchange/archive/2008/01/07/3404614.aspx describes how to make this change on Exchange 2007

Therefore, the following content is presented "as is" and is not considered a supported configuration by the product team.
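Once the CAS has been split across two addresses, it is worth confirming that the UAG-facing IP really answers with a Basic challenge and the user-facing IP still serves the forms logon. The following check is an added example, not code from this article or the product team; the host name, addresses and the two sample replies are constructed placeholders, and only the classification logic is exercised offline.

```python
import ssl
from http.client import HTTPSConnection

# Added verification helper (not from the article): tells a forms (FBA) logon
# apart from a 401 challenge so each CAS IP can be checked after the change.
FORMS_PAGES = ("/auth/logon.aspx", "/exchweb/bin/auth/owalogon.asp")

def classify_owa_auth(status: int, headers: dict) -> tuple[str, frozenset]:
    """Classify one unauthenticated GET /owa/ reply from its headers alone."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        schemes = {part.strip().split(" ", 1)[0].lower()
                   for part in hdrs.get("www-authenticate", "").split(",")
                   if part.strip()}
        return ("challenge", frozenset(schemes))
    if status in (301, 302, 303, 307):
        loc = hdrs.get("location", "").lower()
        if any(page in loc for page in FORMS_PAGES):
            return ("forms", frozenset())
        return ("redirect", frozenset())
    return ("anonymous" if status == 200 else "unknown", frozenset())

def uag_can_delegate(result: tuple[str, frozenset]) -> bool:
    """UAG only delegates credentials automatically to a Basic challenge."""
    kind, schemes = result
    return kind == "challenge" and "basic" in schemes

def probe(ip: str, host: str, path: str = "/owa/") -> tuple[str, frozenset]:
    """GET a specific CAS IP; chain is verified, hostname check is skipped
    because we connect by IP while the certificate names the CAS host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    conn = HTTPSConnection(ip, 443, context=ctx, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify_owa_auth(resp.status, {
            "WWW-Authenticate": resp.getheader("WWW-Authenticate", ""),
            "Location": resp.getheader("Location", "")})
    finally:
        conn.close()

# Constructed replies standing in for the two CAS addresses (placeholder host).
USER_FACING = (302, {"Location": "https://mail.example.com/owa/auth/logon.aspx?url=/owa/&reason=0"})
UAG_FACING = (401, {"WWW-Authenticate": 'Negotiate, NTLM, Basic realm="mail.example.com"'})

if __name__ == "__main__":
    for name, reply in (("user-facing IP", USER_FACING), ("UAG-facing IP", UAG_FACING)):
        result = classify_owa_auth(*reply)
        print(name, result, "delegation OK" if uag_can_delegate(result) else "delegation will fail")
```

Against a live CAS, call `probe("<second CAS IP>", "<CAS host name>")` for each address and expect `uag_can_delegate` to be true only for the address UAG publishes.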




Overview:

Microsoft has never officially supported publishing OWA with FBA (Forms Based Authentication) enabled.  Up until SP1 for UAG, it worked.  With SP1 it has stopped working and, to be honest, it should not work, as forms based authentication is not as secure as Kerberos.  Step 7 in the application wizard no longer asks for 401 or forms authentication, as seen below:

For those customers who still need this and have deployed SP1, this article walks you through getting this functionality back.

Setup:

Step 1. Install UAG and Service Pack 1.



Step 2. Run the Add Application Wizard and select Web → Other Web Application as shown below:

Step 3. At step 2, Application Type, type either ExchangePub2010 or ExchangePub2007 (if using Exchange 2007) as shown below:





Step 4. At Step 5, add the following paths (as shown below).  You will have to complete the wizard and then edit the application to add all the needed paths.

      • /owa/
      • /exchange/
      • /exchweb/
      • /iisadmpwd/
      • /public/
      • /ECP/
      • /ECP
      • /owa

Step 5. At Step 6, select your authentication source and the "HTML Form" authentication as shown below:

Step 6. At step 7, add the Icon URL as images/AppIcons/OWA2010.gif as shown below:

Step 7. Complete the wizard, add the missing URLs from Step 4, and activate the configuration.  Now when you access the OWA site you should briefly see the forms login; UAG fills in this form and submits it.

Author:

Kevin Saye, Security Technical Specialist, Microsoft

Contributor:

Jason Jones (Forefront MVP), Principal Security Consultant, Silversands Limited

Comments
  • Thomas W Shinder - MSFT edited Revision 2. Comment: Insert PG disclaimer

  • While I agree in principle with your comment about Kerberos being more secure, how else would one support cross-browser, cross-platform situations?

  • Fernando Lugão Veltem edited Revision 4. Comment: added toc