Applies to: Exchange Server 2007
Topic Last Modified: 2007-07-10
Use the Authentication tab to specify authentication methods, logon format, and logon domain.
- Use one or more standard authentication methods
  Select this option to use one or more of the following standard authentication methods:
  - Integrated Windows authentication: This method requires that users have a valid Microsoft Windows 2000 Server or Windows Server 2003 user account name and password to access information. Users are not prompted for their account names and passwords; instead, the server negotiates with the Windows security packages that are installed on the client computer. Integrated Windows authentication enables the server to authenticate users without prompting them for information and without transmitting information that is not encrypted over the network. For this method to work, the client computer must be a member of the same domain as the servers that are running Microsoft Exchange, or of a domain that is trusted by the domain that the Exchange server is in.
  - Digest authentication for Windows domain servers: This method transmits passwords over the network as a hash value for additional security. Digest authentication can be used only in Windows Server 2003 and Windows 2000 Server domains for users who have an account that is stored in the Active Directory directory service. For more information about digest authentication, see the Windows Server 2003 documentation.
  - Basic authentication (password is sent in clear text): This method is a simple authentication mechanism, defined by the HTTP specification, that encodes (but does not encrypt) a user's logon name and password before the credentials are sent to the server. To make sure that the password is as secure as possible, use Secure Sockets Layer (SSL) encryption between client computers and the server that has the Client Access server role installed.
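The difference between the Basic and Digest methods described above, shown as an added example that is not part of the original documentation: it decodes what a Basic `Authorization` header carries and computes what a Digest client sends instead. It assumes the RFC 2617 Digest scheme with `qop=auth`; the Basic password is constructed, and the Digest values are the sample exchange published in RFC 2617, not Exchange data.

```python
import base64
import hashlib


def decode_basic(header_value):
    """Return (user, password) carried by an 'Authorization: Basic' value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 'response' value for qop=auth; only this hash goes on the wire."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


# Constructed sample: the page's example user with a made-up password.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"contoso\\kweku:Constructed-Pw-1").decode()

# Sample exchange published in RFC 2617, section 3.5 (not Exchange data).
RFC_SAMPLE = dict(user="Mufasa", realm="testrealm@host.com",
                  password="Circle Of Life", method="GET",
                  uri="/dir/index.html",
                  nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                  nc="00000001", cnonce="0a4f113b")

if __name__ == "__main__":
    # Anyone who can read the request recovers the Basic password directly.
    print("Basic carries :", decode_basic(SAMPLE_BASIC))
    # Digest sends a nonce-bound hash; the password itself is not in the request.
    print("Digest carries:", digest_response(**RFC_SAMPLE))
```

The Digest hash is bound to the server's nonce, but it is still derived from the password, so SSL remains worthwhile for Digest as well as Basic.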
- Use forms-based authentication
  Select this option to use forms-based authentication. Forms-based authentication provides enhanced security for Microsoft Outlook Web Access virtual directories that are located on Client Access servers.
  Instead of a pop-up window, forms-based authentication creates a logon page for Outlook Web Access. You can configure the type of logon prompt that is used by forms-based authentication. For example, you can configure forms-based authentication to require users to provide their domain and user name information, in the domain\user name format, on the Outlook Web Access logon page.
  Important: Forms-based authentication is not secure unless SSL has been enabled.
  - Domain\user name: This is the domain and user name of the user in the format domain\user name. For example, for a user named Kweku in the domain Contoso, the logon would be contoso\kweku.
  - User principal name (UPN): If user principal name (UPN) logon format is specified, the User Name field on the Outlook Web Access logon page guides the user to enter their e-mail address. For example, kweku@contoso.com. If a user's UPN is not identical to their e-mail address, the user cannot access Outlook Web Access by using the PrincipalName logon prompt. We recommend that you do not use the PrincipalName logon prompt if users' UPNs do not match their e-mail addresses.
  - User name only: This is the user name only and does not include the domain name. For example, Kweku. If you use the UserName logon prompt for forms-based authentication, you must also specify the DefaultDomain property. The DefaultDomain property determines the default domain to use when a user tries to access Outlook Web Access. For example, if the default domain is Contoso, and a domain user named Kweku logs on to Outlook Web Access, only Kweku must be entered as the user name. The server will use the default domain Contoso. If the user is not a member of the Contoso domain, the domain and user name must be entered.