Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-10-02
This topic describes how to configure forms-based authentication and the logon prompt that is used by forms-based authentication on a Microsoft Outlook Web Access virtual directory that is on a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed.
Forms-based authentication gives you three options for the default logon format. These options change only the text on the Outlook Web Access logon page. They do not cause a particular format to be required. The user can use any of the standard logon formats regardless of the text on the page.
- FullDomain: This is the domain and user name of the user in the format domain\user name. For example, for a user named Kweku in the domain Contoso, the logon would be contoso\kweku.
- PrincipalName: If user principal name (UPN) logon format is specified, the User Name field on the Outlook Web Access logon page guides the user to enter their e-mail address. For example, kweku@contoso.com. Users can access Outlook Web Access by entering their primary e-mail address or by entering their UPN.
- UserName: This is the user name only and does not include the domain name. For example, Kweku. If you use the UserName logon prompt for forms-based authentication, you must also specify the DefaultDomain property. The DefaultDomain property determines the default domain to use when a user tries to access Outlook Web Access. For example, if the default domain is Contoso, and a domain user named Kweku logs on to Outlook Web Access, only Kweku must be entered as the user name. The server will use the default domain Contoso. If the user is not a member of the Contoso domain, the domain and user name must be entered.
Before You Begin
To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
If you set a virtual directory that supports Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 to use forms-based authentication, such as the default Exchange virtual directory, you must also set the Exchweb virtual directory to use forms-based authentication. If you do not set both virtual directories to use forms-based authentication, users whose mailboxes are on Exchange 2000 or Exchange 2003 mailbox servers will receive two authentication prompts.
The exact steps that you perform when you configure forms-based authentication for Outlook Web Access by using the Exchange Management Console depend on the following:
- Whether you are running the original release to manufacturing
(RTM) version of Exchange 2007 or
Exchange 2007 Service Pack 1 (SP1).
- Whether you are running the Mailbox server role on the computer
that is running the Client Access server role.
For detailed information about these differences, see Managing Outlook Web Access Virtual Directories in Exchange 2007.
Procedure
Exchange 2007 SP1
To use the Exchange Management Console to configure forms-based authentication for Outlook Web Access
1. In the Exchange Management Console, locate the virtual directory that you want to configure to use forms-based authentication by using the information in step 2 or step 3.
2. If you are running the Mailbox server role on the computer that is running the Client Access server role, do one of the following:
   - To modify an Exchange 2007 virtual directory, select Server Configuration, select Client Access, and then click the Outlook Web Access tab. The default Exchange 2007 virtual directory is /owa.
   - To modify a legacy virtual directory, select Server Configuration, select Mailbox, and then click the WebDAV tab. The default legacy virtual directories are as follows: /Public, /Exchweb, /Exchange, and /Exadmin.
3. If you are not running the Mailbox server role on the computer that is running the Client Access server role, select Server Configuration, select Client Access, and then click the Outlook Web Access tab.
4. In the work pane, select the virtual directory that you want to configure to use forms-based authentication, and then click Properties.
5. Click the Authentication tab.
6. Select Use forms-based authentication.
7. Select the logon format that you want to use.
Note: You must restart Internet Information Services (IIS) by using the command iisreset /noforce for these changes to take effect.
To use the Exchange Management Shell to configure forms-based authentication for Outlook Web Access
1. To configure forms-based authentication on an Outlook Web Access virtual directory in the default IIS Web site on the local Exchange server, open the Exchange Management Shell and run the following command:
    Set-owavirtualdirectory -identity "owa (default web site)" -FormsAuthentication:$true
2. To configure the type of logon method that is used by forms-based authentication, run one of the following commands.
   - To configure a full domain logon format, run the following command:
    Set-owavirtualdirectory -identity "owa (default web site)" -LogonFormat FullDomain
   - To configure a UPN logon format, run the following command:
    Set-owavirtualdirectory -identity "owa (default web site)" -LogonFormat PrincipalName
   - To configure a user name logon format and set the default domain, run the following command:
    Set-owavirtualdirectory -identity "owa (default web site)" -LogonFormat UserName -DefaultDomain "<domain name>"
Note: You must restart Internet Information Services (IIS) by using the command iisreset /noforce for these changes to take effect.
For more information about syntax and parameters, see Set-OwaVirtualDirectory.
Exchange 2007 RTM
To use the Exchange Management Console to configure forms-based authentication for Outlook Web Access
1. In the Exchange Management Console, select Server Configuration, and then select Client Access.
2. On the Outlook Web Access tab, open the properties of the virtual directory that you want to configure to use forms-based authentication.
3. Click the Authentication tab.
4. Select Use forms-based authentication.
5. Select the logon format that you want to use.
Note: You must restart Internet Information Services (IIS) by using the command iisreset /noforce for these changes to take effect.
To use the Exchange Management Shell to configure forms-based authentication for Outlook Web Access
1. To configure forms-based authentication on an Outlook Web Access virtual directory in the default IIS Web site on the local Exchange server, open the Exchange Management Shell and run the following command:
    Set-owavirtualdirectory -identity "owa (default web site)" -FormsAuthentication:$true
2. To configure the type of logon method that is used by forms-based authentication, run one of the following commands.
   - To configure a full domain logon format, run the following command:
    Set-owavirtualdirectory -identity "owa (default web site)" -LogonFormat FullDomain
   - To configure a UPN logon format, run the following command:
    Set-owavirtualdirectory -identity "owa (default web site)" -LogonFormat PrincipalName
   - To configure a user name logon format and set the default domain, run the following command:
    Set-owavirtualdirectory -identity "owa (default web site)" -LogonFormat UserName -DefaultDomain "<domain name>"
Note: You must restart Internet Information Services (IIS) by using the command iisreset /noforce for these changes to take effect.
For more information about syntax and parameters, see Set-OwaVirtualDirectory (RTM).
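A check for the two requirements stated in this topic (DefaultDomain must accompany the UserName prompt, and Exchweb must use forms-based authentication when a legacy Exchange directory does), added here as an example and not part of the original topic or of Exchange itself. Test-OwaFormsAuth and New-SampleVDir are hypothetical helper names, the sample objects are constructed, and pairing directories by the "(web site)" suffix of their names is an assumption.

```powershell
# Added example. Test-OwaFormsAuth and New-SampleVDir are hypothetical helpers,
# not Exchange cmdlets. Syntax is kept compatible with Windows PowerShell 1.0.
function Test-OwaFormsAuth($VDirs) {
    $findings = @()
    foreach ($v in $VDirs) {
        # The UserName logon prompt requires the DefaultDomain property as well.
        if ($v.FormsAuthentication -and "$($v.LogonFormat)" -eq 'UserName' -and -not $v.DefaultDomain) {
            $findings += "$($v.Name): LogonFormat is UserName but DefaultDomain is not set"
        }
        # A legacy Exchange directory that uses forms-based authentication needs
        # Exchweb on the same web site to use it too, or users get two prompts.
        if ($v.Name -like 'Exchange (*' -and $v.FormsAuthentication) {
            $site = $v.Name.Substring('Exchange'.Length)   # e.g. " (Default Web Site)"
            $exchweb = $VDirs | Where-Object { $_.Name -eq "Exchweb$site" }
            if (-not ($exchweb -and $exchweb.FormsAuthentication)) {
                $findings += "$($v.Name): forms-based authentication is on, but Exchweb$site does not use it"
            }
        }
    }
    $findings
}

# Builds a stand-in object with the properties the check reads.
function New-SampleVDir($Name, $Forms, $Format, $Domain) {
    $o = "" | Select-Object Name, FormsAuthentication, LogonFormat, DefaultDomain
    $o.Name = $Name; $o.FormsAuthentication = $Forms
    $o.LogonFormat = $Format; $o.DefaultDomain = $Domain
    $o
}

# Constructed sample data standing in for Get-OwaVirtualDirectory output.
$sample = @(
    (New-SampleVDir 'owa (Default Web Site)'      $true  'UserName'   ''),
    (New-SampleVDir 'Exchange (Default Web Site)' $true  'FullDomain' ''),
    (New-SampleVDir 'Exchweb (Default Web Site)'  $false 'FullDomain' '')
)
Test-OwaFormsAuth $sample

# On a Client Access server, check the live settings instead:
#   Test-OwaFormsAuth @(Get-OwaVirtualDirectory)
```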
For More Information
For more information about forms-based authentication, see Configuring Forms-Based Authentication for Outlook Web Access.
For information about how to use Secure Sockets Layer (SSL) encryption to help secure Outlook Web Access, see How to Configure Outlook Web Access Virtual Directories to Use SSL.