Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-25

This topic describes the authentication methods that you can use to help secure Outlook Web App on computers running Microsoft Exchange Server 2010 that have the Client Access server role installed.

Looking for management tasks related to securing client access? See Securing Client Access Servers.


Authentication Methods

Other Authentication Methods

Authentication Methods

You can configure the following types of authentication methods on an Exchange 2010 Client Access server:

  • Standard

  • Forms-based authentication

In addition, you can use the following types of authentication:

  • Microsoft Internet Security and Acceleration (ISA) Server forms-based authentication

  • Smart card and certificate authentication

  • RSA SecurID authentication

Standard and Forms-Based Authentication

You can configure standard and forms-based authentication methods for Outlook Web App by using the Exchange Management Console or the Exchange Management Shell.

  • Standard authentication methods   Standard authentication methods include Integrated Windows authentication, Digest authentication, and Basic authentication. For more information about how to configure standard authentication methods, see Setting Up Standard Authentication Methods for Outlook Web App.

  • Forms-based authentication   Forms-based authentication creates a sign in page for Outlook Web App. Forms-based authentication uses cookies to store encrypted user sign in credentials and password information. For more information about forms-based authentication, see Setting Up Forms-Based Authentication for Outlook Web App.

If you configure multiple authentication methods, Internet Information Services (IIS) uses most restrictive method first. IIS then searches the list of available authentication protocols starting with the most restrictive until an authentication method that is supported by the client and the server is found.

The following table compares the standard and forms-based authentication methods using security level, handling of user sign-in credentials, and client requirements as the criteria.

Comparison of standard and forms-based authentication

Authentication method Security level How passwords are sent Client requirements

Basic authentication

Low (unless Secure Sockets Layer (SSL) is enabled)

Base 64-encoded clear text

All browsers support Basic authentication.

Digest authentication


Hashed by using MD5.

Microsoft Internet Explorer 5 through Internet Explorer 8.

Integrated Windows authentication

Low (unless SSL is enabled)

Hashed when Integrated Windows authentication is used; Kerberos ticket when Kerberos is used. Integrated Windows authentication includes the Kerberos and NTLM authentication methods.

Internet Explorer 2.0 through Internet Explorer 8 for Integrated Windows authentication.

Windows 2000 Server or Windows Server 2008 with Internet Explorer 5 through Internet Explorer 8 for Kerberos.

Forms-based authentication


Encrypts user authentication information and stores it in a cookie. Requires SSL to keep the cookie secure.

Internet Explorer

Return to top

Other Authentication Methods

There are other authentication methods that you can use to help secure Outlook Web App. These methods include:

  • ISA Server forms-based authentication   Using ISA Server, you can securely publish Outlook Web App servers by using mail server publishing rules. ISA Server also lets you configure forms-based authentication and control e-mail attachment availability to help protect resources for your organization when they're accessed through Outlook Web App. For more information about how to use ISA Server as an advanced firewall solution, see the Internet Security and Acceleration Server Web site.

  • Smart card and certificate authentication   Certificates can reside either in the certificate store on a client computer or on a smart card. A certificate authentication method uses the Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) protocols. In EAP-TLS certificate authentication, the client and the server prove their identities to one another. For example, an Outlook Web App client on a user's computer presents its user certificate to the Client Access server, and the Client Access server presents its computer certificate to the Outlook Web App client computer. This provides mutual authentication. For more information about smart card and other certificate authentication methods, see Windows Server 2008 and Windows Server 2008 R2

  • RSA SecurID authentication   You can use the third-party product, RSA SecurID, to configure RSA SecurID authentication methods on the Client Access server. For more information about RSA SecurID, see