Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-25
This topic describes the authentication methods that you can use to help secure Outlook Web App on computers running Microsoft Exchange Server 2010 that have the Client Access server role installed.
Looking for management tasks related to securing client access? See Securing Client Access Servers.
You can configure the following types of authentication methods on an Exchange 2010 Client Access server:
- Forms-based authentication
In addition, you can use the following types of authentication:
- Microsoft Internet Security and Acceleration (ISA) Server
- Smart card and certificate authentication
- RSA SecurID authentication
Standard and Forms-Based Authentication
You can configure standard and forms-based authentication methods for Outlook Web App by using the Exchange Management Console or the Exchange Management Shell.
- Standard authentication
methods Standard authentication methods
include Integrated Windows authentication, Digest authentication,
and Basic authentication. For more information about how to
configure standard authentication methods, see Setting Up Standard
Authentication Methods for Outlook Web App.
- Forms-based authentication Forms-based
authentication creates a sign in page for Outlook Web App.
sign in credentials and password information. For more information
about forms-based authentication, see Setting Up Forms-Based
Authentication for Outlook Web App.
If you configure multiple authentication methods, Internet Information Services (IIS) uses most restrictive method first. IIS then searches the list of available authentication protocols starting with the most restrictive until an authentication method that is supported by the client and the server is found.
The following table compares the standard and forms-based authentication methods using security level, handling of user sign-in credentials, and client requirements as the criteria.
Comparison of standard and forms-based authentication
|Authentication method||Security level||How passwords are sent||Client requirements|
Low (unless Secure Sockets Layer (SSL) is enabled)
Base 64-encoded clear text
All browsers support Basic authentication.
Hashed by using MD5.
Microsoft Internet Explorer 5 through Internet Explorer 8.
Integrated Windows authentication
Low (unless SSL is enabled)
Hashed when Integrated Windows authentication is used; Kerberos ticket when Kerberos is used. Integrated Windows authentication includes the Kerberos and NTLM authentication methods.
Internet Explorer 2.0 through Internet Explorer 8 for Integrated Windows authentication.
Windows 2000 Server or Windows Server 2008 with Internet Explorer 5 through Internet Explorer 8 for Kerberos.
Encrypts user authentication information and stores it in a cookie. Requires SSL to keep the cookie secure.
Other Authentication Methods
There are other authentication methods that you can use to help secure Outlook Web App. These methods include:
- ISA Server forms-based
authentication Using ISA Server, you can
securely publish Outlook Web App servers by using mail server
publishing rules. ISA Server also lets you configure forms-based
authentication and control e-mail attachment availability to help
protect resources for your organization when they're accessed
through Outlook Web App. For more information about how to use ISA
Server as an advanced firewall solution, see the Internet Security and Acceleration Server Web
- Smart card and certificate
authentication Certificates can reside either
in the certificate store on a client computer or on a smart card. A
certificate authentication method uses the Extensible
Authentication Protocol (EAP) and Transport Layer Security (TLS)
protocols. In EAP-TLS certificate authentication, the client and
the server prove their identities to one another. For example, an
Outlook Web App client on a user's computer presents its user
certificate to the Client Access server, and the Client Access
server presents its computer certificate to the Outlook Web App
client computer. This provides mutual authentication. For more
information about smart card and other certificate authentication
methods, see Windows Server 2008 and Windows Server 2008 R2
- RSA SecurID authentication You can use
the third-party product, RSA SecurID, to configure RSA SecurID
authentication methods on the Client Access server. For more
information about RSA SecurID, see http://www.rsasecurity.com.