Applies to: Exchange Server 2010 SP1

Topic Last Modified: 2009-10-14

You can use the EMC or the Shell to configure Outlook Web App authentication to work with Active Directory Federation Services (ADFS). ADFS extends the ability to use single sign-on functionality that's available in a single security or enterprise boundary to Internet-facing applications. By using single sign-on, your customers, partners, and suppliers can have a streamlined user experience when they access Web-based applications, such as Outlook Web App.

The timed logoff in ADFS, also known as session expiration, doesn't interoperate with Outlook Web App. You must turn off timed logoff in ADFS to use ADFS with Outlook Web App.

ADFS supports Windows NT token-based applications and claims-aware applications. Outlook Web App is a Windows NT token-based application. When you configure ADFS for Outlook Web App, make sure you follow the instructions for a token-based application.

To use ADFS with Outlook Web App, you must configure Outlook Web App to accept anonymous access.

Caution:
Outlook Web App shouldn't be configured to accept anonymous access unless it's being accessed through a connection that requires authentication, such as through ADFS. Because configuring Outlook Web App to accept anonymous access is a potential security risk, when you configure Outlook Web App and Internet Information Services (IIS) to accept anonymous access, you'll receive warnings that you've turned off all authentication methods.

After you've disabled all forms of authentication on an Outlook Web App virtual directory by using the EMC or the Shell, you must use IIS Manager to enable anonymous access on that virtual directory in IIS.
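The risk named in the caution can be checked after the change. The PowerShell below is an added example, not part of the original topic: it lists Outlook Web App virtual directories that have Basic, Windows, Digest, and Forms authentication all turned off, and marks whether each one is on a list you expect to be published through ADFS. The function name, the `ExpectedBehindAdfs` parameter, and the sample objects are constructed for illustration. In the Exchange Management Shell, pipe `Get-OwaVirtualDirectory` into the function instead of `$sample`.

```powershell
# Added example (not from the original topic). Written for PowerShell 2.0,
# which the Exchange 2010 Management Shell runs on.
function Find-UnauthenticatedOwaVdir {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $VirtualDirectory,
        # Assumption: identities you have deliberately published through ADFS.
        [string[]]$ExpectedBehindAdfs = @()
    )
    process {
        $methods = 'BasicAuthentication', 'WindowsAuthentication',
                   'DigestAuthentication', 'FormsAuthentication'
        # Collect the authentication methods that are still switched on.
        $enabled = @($methods | Where-Object { $VirtualDirectory.$_ })
        if ($enabled.Count -eq 0) {
            # No method left: the directory relies entirely on what sits in front of it.
            $id = "$($VirtualDirectory.Identity)"
            New-Object PSObject -Property @{
                Identity = $id
                Expected = ($ExpectedBehindAdfs -contains $id)
            }
        }
    }
}

# Constructed sample objects so the check runs without an Exchange server.
$sample = @(
    @{ Identity = 'CAS01\owa (Default Web Site)'
       BasicAuthentication = $false; WindowsAuthentication = $false
       DigestAuthentication = $false; FormsAuthentication = $false },
    @{ Identity = 'CAS02\owa (Default Web Site)'
       BasicAuthentication = $false; WindowsAuthentication = $false
       DigestAuthentication = $false; FormsAuthentication = $false },
    @{ Identity = 'CAS03\owa (Default Web Site)'
       BasicAuthentication = $true;  WindowsAuthentication = $false
       DigestAuthentication = $false; FormsAuthentication = $true }
) | ForEach-Object { New-Object PSObject -Property $_ }

# Only CAS01 is expected to sit behind ADFS in this constructed scenario.
$sample |
    Find-UnauthenticatedOwaVdir -ExpectedBehindAdfs 'CAS01\owa (Default Web Site)' |
    Select-Object Identity, Expected
```

A row with `Expected` set to `False` is a virtual directory with every authentication method off that is not on your ADFS list and should be reviewed. The check covers only the Exchange settings; the anonymous access setting in IIS is configured separately.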

To learn more about ADFS and how to prepare an ADFS deployment for Outlook Web App, see Active Directory Federation Services and Deploying Federated Applications.

Looking for other management tasks related to Outlook Web App security? Check out Managing Outlook Web App Security.

Use the EMC to configure Outlook Web App to have no authentication method

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Outlook Web App virtual directories" entry in the Client Access Permissions topic.

  1. In the console tree, navigate to Server Configuration > Client Access.

  2. Click the server that hosts the Outlook Web App virtual directory.

    Note:
    To enable Outlook Web App to accept anonymous access, you must disable all forms of authentication.

  3. On the Outlook Web App tab, open the properties of the virtual directory that you want to configure to use anonymous access, and then click the Authentication tab.

  4. Select Use one or more of standard authentication methods.

  5. Don't select an authentication method. If any authentication method is selected, click the check box to clear it.

  6. Click OK.

  7. You'll receive a warning that says you haven't chosen an authentication method and directs you to use the Shell to set one. Click OK to close the warning.

  8. Restart IIS by opening a Command Prompt window and typing the command iisreset /noforce.

Use the Shell to configure Outlook Web App to have no authentication method

Use IIS Manager to enable anonymous access on a virtual directory