Managing Outlook Web App Security
Applies to: Exchange Server 2010
This topic describes the authentication methods that you can use to help secure Outlook Web App on computers running Microsoft Exchange Server 2010 that have the Client Access server role installed.
Looking for management tasks related to securing client access? See Securing Client Access Servers.
Contents
Authentication Methods
Other Authentication Methods
Active Directory Federation Services
Authentication Methods
You can configure the following types of authentication methods on an Exchange 2010 Client Access server:
- Standard
- Forms-based authentication
In addition, you can use the following types of authentication:
- Microsoft Internet Security and Acceleration (ISA) Server forms-based authentication
- Smart card and certificate authentication
- RSA SecurID authentication
Standard and Forms-Based Authentication
You can configure standard and forms-based authentication methods for Outlook Web App by using the Exchange Management Console or the Exchange Management Shell.
- Standard authentication methods Standard authentication methods include Integrated Windows authentication, Digest authentication, and Basic authentication. For more information about how to configure standard authentication methods, see Configuring Standard Authentication Methods for Outlook Web App.
- Forms-based authentication Forms-based authentication replaces the browser's authentication prompt with a sign-in page for Outlook Web App. After sign-in, the user's credentials are encrypted and stored in a cookie that is presented on each subsequent request, so the cookie must only ever travel over SSL. For more information about forms-based authentication, see Configuring Forms-Based Authentication for Outlook Web App.
If you configure multiple authentication methods, Internet Information Services (IIS) offers the most restrictive method first. IIS then works through the list of available authentication protocols, starting with the most restrictive, until it finds an authentication method that is supported by both the client and the server. Because the client takes part in that negotiation, leaving a weak method such as Basic authentication enabled means a client that supports nothing stronger will fall back to it.
The following table compares the standard and forms-based authentication methods using security level, handling of user sign-in credentials, and client requirements as the criteria.
Comparison of standard and forms-based authentication
| Authentication method | Security level | How passwords are sent | Client requirements |
|---|---|---|---|
| Basic authentication | Low (unless Secure Sockets Layer (SSL) is enabled) | Base64-encoded clear text (trivially decoded by anyone who can read the traffic) | All browsers support Basic authentication. |
| Digest authentication | Medium | Hashed by using MD5. | Microsoft Internet Explorer 5 through Internet Explorer 8. |
| Integrated Windows authentication | Low (unless SSL is enabled) | Challenge-response derived from the password hash when NTLM is used; Kerberos ticket when Kerberos is used. Integrated Windows authentication includes the Kerberos and NTLM authentication methods. | Internet Explorer 2.0 through Internet Explorer 8 for Integrated Windows authentication. Windows 2000 Server or Windows Server 2008 with Internet Explorer 5 through Internet Explorer 8 for Kerberos. |
| Forms-based authentication | High | Encrypts user authentication information and stores it in a cookie. Requires SSL to keep the cookie secure. | Internet Explorer |
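The following Exchange Management Shell script is an added example, not part of the original topic or of Microsoft's documentation. It shows the Set-OwaVirtualDirectory call that switches the /owa virtual directory between the authentication methods compared above, and then checks the caveat the table repeats for Basic and forms-based authentication: that both are only as safe as the SSL channel, so the IIS "Require SSL" flag on the virtual directory should be on. It assumes it runs in the Exchange Management Shell on an Exchange 2010 Client Access server where the IIS WebAdministration module is available; the virtual directory name `owa (Default Web Site)` and the IIS path `IIS:\Sites\Default Web Site\owa` are the default names and are assumptions, as is the function name `Test-OwaAuthHardening`.

```powershell
# Added example (not from the original article). Assumes the Exchange
# Management Shell on an Exchange 2010 Client Access server with the IIS
# WebAdministration module (IIS 7.x). Identities below are the defaults;
# substitute yours if the virtual directory was renamed.
Import-Module WebAdministration

$owaVdir = "owa (Default Web Site)"

# 1. Show which methods are currently enabled on /owa.
Get-OwaVirtualDirectory -Identity $owaVdir |
    Format-List Identity, BasicAuthentication, DigestAuthentication,
                WindowsAuthentication, FormsAuthentication

# 2. Select forms-based authentication (the method the comparison table
#    rates highest). Integrated Windows and Digest are turned off so IIS
#    never issues its own challenge; the sign-in form collects credentials.
#    On a default installation the shell reports BasicAuthentication and
#    FormsAuthentication both True, so Basic is left enabled here.
Set-OwaVirtualDirectory -Identity $owaVdir `
    -FormsAuthentication $true `
    -BasicAuthentication $true `
    -WindowsAuthentication $false `
    -DigestAuthentication $false

# Alternative for an intranet-only deployment: Integrated Windows
# authentication (Kerberos/NTLM single sign-on, no sign-in form).
# Set-OwaVirtualDirectory -Identity $owaVdir -WindowsAuthentication $true `
#     -BasicAuthentication $false -DigestAuthentication $false `
#     -FormsAuthentication $false

# IIS picks up the new settings after a reset; /noforce lets requests finish.
iisreset /noforce

# 3. Check that password-carrying methods are not exposed without SSL.
#    sslFlags is a flags attribute; "Ssl" (bit value 8) means Require SSL.
function Test-OwaAuthHardening {
    param(
        [string]$Identity = "owa (Default Web Site)",
        [string]$IisPath  = "IIS:\Sites\Default Web Site\owa"
    )

    $vdir = Get-OwaVirtualDirectory -Identity $Identity
    $attr = Get-WebConfigurationProperty -PSPath $IisPath `
                -Filter "system.webServer/security/access" -Name sslFlags
    # The attribute value may come back as a name string or as an integer;
    # accept either form.
    $raw        = "$($attr.Value)"
    $requireSsl = ($raw -match "Ssl") -or ((($raw -as [int]) -band 8) -ne 0)

    $credentialsOnWire = $vdir.BasicAuthentication -or $vdir.FormsAuthentication
    if ($credentialsOnWire -and -not $requireSsl) {
        Write-Warning ("{0}: Basic or forms-based authentication is enabled " +
                       "but IIS does not require SSL on {1}." -f $Identity, $IisPath)
    }
    if ($vdir.BasicAuthentication -and -not $vdir.FormsAuthentication) {
        Write-Warning ("{0}: plain Basic authentication is offered to every " +
                       "client (Base64-encoded password)." -f $Identity)
    }

    [pscustomobject]@{
        Identity   = $Identity
        RequireSsl = $requireSsl
        Basic      = $vdir.BasicAuthentication
        Digest     = $vdir.DigestAuthentication
        Windows    = $vdir.WindowsAuthentication
        FormsBased = $vdir.FormsAuthentication
    }
}

Test-OwaAuthHardening
```

Run the script once before and once after changing authentication settings and compare the two objects it returns; a deployment that publishes Outlook Web App to the Internet should show RequireSsl True and should not show Basic True with FormsBased False.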
Other Authentication Methods
There are other authentication methods that you can use to help secure Outlook Web App. These methods include:
- ISA Server forms-based authentication Using ISA Server, you can securely publish Outlook Web App servers by using mail server publishing rules. ISA Server also lets you configure forms-based authentication and control e-mail attachment availability to help protect resources for your organization when they're accessed through Outlook Web App. For more information about how to use ISA Server as an advanced firewall solution, see the Internet Security and Acceleration Server Web site.
- Smart card and certificate authentication Certificates can reside either in the certificate store on a client computer or on a smart card. A certificate authentication method uses the Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) protocols. In EAP-TLS certificate authentication, the client and the server prove their identities to one another. For example, an Outlook Web App client on a user's computer presents its user certificate to the Client Access server, and the Client Access server presents its computer certificate to the Outlook Web App client computer. This provides mutual authentication. For more information about smart card and other certificate authentication methods, see Windows Server 2008 and Windows Server 2008 R2
- RSA SecurID authentication You can use the third-party product, RSA SecurID, to configure RSA SecurID authentication methods on the Client Access server. For more information about RSA SecurID, see http://www.rsasecurity.com.
Active Directory Federation Services
Active Directory Federation Services (ADFS) extends the ability to use single sign-on functionality to Internet-facing applications. By using single sign-on and ADFS, you can give your customers, partners, and suppliers easy access to Web-based applications in your organization, such as Outlook Web App.