Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-11-13
This topic describes the authentication methods that you can use to help secure Microsoft Office Outlook Web Access on Microsoft Exchange Server 2007 computers that have the Client Access server role installed.
Client Access servers in Exchange Server 2007 support more authentication methods than front-end servers in Exchange Server 2003. You can configure the following types of authentication methods on the Exchange 2007 Client Access server:
- Standard authentication methods
- Forms-based authentication
In addition, you can use the following forms of authentication, which are discussed in more detail at the end of this topic:
- ISA Server forms-based authentication
- Smart card and certificate authentication
- RSA SecurID authentication
Standard and Forms-Based Authentication
You can configure standard and forms-based authentication methods for Outlook Web Access by using the Exchange Management Console or the Exchange Management Shell.
- Standard authentication methods: Standard authentication methods include Integrated Windows authentication, Digest authentication, and Basic authentication. For more information about how to configure standard authentication methods, see Configuring Standard Authentication Methods for Outlook Web Access.
- Forms-based authentication: Forms-based authentication creates a logon page for Outlook Web Access. Forms-based authentication uses cookies to store encrypted user logon credentials and password information. For more information about forms-based authentication, see Forms-Based Authentication for Outlook Web Access.
Note: If you configure multiple authentication methods, Internet Information Services (IIS) uses the most restrictive method first. IIS then searches the list of available authentication protocols, starting with the most restrictive, until it finds an authentication method that both the client and the server support.
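The following Exchange Management Shell session is an added example, not code from the original topic, showing how the settings described above are read and changed on an OWA virtual directory. The server name `CAS01`, the web site name and the domain `contoso.com` are assumed placeholders; the cmdlets and parameters (`Get-OwaVirtualDirectory`, `Set-OwaVirtualDirectory`, `-FormsAuthentication`, `-BasicAuthentication`, `-DigestAuthentication`, `-WindowsAuthentication`, `-LogonFormat`, `-DefaultDomain`) are the Exchange 2007 ones.

```powershell
# Added example (not from the original topic): configure and verify the
# authentication methods on an OWA virtual directory from the Exchange
# Management Shell. The identity below is an assumed placeholder.
$owaVdir = "CAS01\owa (Default Web Site)"

# Record the current state before changing anything, so the change can be reviewed or reverted.
Get-OwaVirtualDirectory -Identity $owaVdir |
    Format-List Name, Server, FormsAuthentication, BasicAuthentication, `
                DigestAuthentication, WindowsAuthentication, LogonFormat, DefaultDomain

# Enable forms-based authentication (Exchange keeps Basic enabled underneath the logon
# form) and turn off Digest and Integrated Windows authentication so that IIS cannot
# negotiate down to them when several methods are enabled at once.
# -LogonFormat UserName with -DefaultDomain lets users sign in with just their user name.
# The domain value is an assumed placeholder.
Set-OwaVirtualDirectory -Identity $owaVdir `
    -FormsAuthentication $true `
    -BasicAuthentication $true `
    -DigestAuthentication $false `
    -WindowsAuthentication $false `
    -LogonFormat UserName `
    -DefaultDomain "contoso.com"

# Confirm the result. Forms-based authentication stores credentials in a cookie and the
# logon form relies on Basic, so the directory must be published over SSL (see the table
# in this topic); the SSL requirement itself is set on the virtual directory in IIS.
Get-OwaVirtualDirectory -Identity $owaVdir |
    Format-List FormsAuthentication, BasicAuthentication, DigestAuthentication, WindowsAuthentication

# The change is written to the IIS metabase and takes effect after IIS is restarted.
iisreset /noforce
```

Run this on the Client Access server itself (or in a remote session to it) with an account that holds Exchange Server Administrator rights for that server; the `iisreset` briefly interrupts Outlook Web Access, so schedule it accordingly.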
Comparison of Standard and Forms-Based Authentication Methods
Table 1 compares the standard and forms-based authentication methods by using security levels, handling of user logon credentials, and client requirements as the criteria.
Table 1 Comparison of standard and forms-based authentication

| Authentication method | Security level | How passwords are sent | Client requirements |
|---|---|---|---|
| Basic authentication | Low (unless Secure Sockets Layer (SSL) is enabled) | Base 64-encoded clear text | All browsers support Basic authentication. |
| Digest authentication | | Hashed by using MD5. | Microsoft Internet Explorer 5 or later versions |
| Integrated Windows authentication | Low (unless SSL is enabled) | Hashed when Integrated Windows authentication is used; Kerberos ticket when Kerberos is used. Integrated Windows authentication includes the Kerberos and NTLM authentication methods. | Internet Explorer 2.0 or later versions for Integrated Windows authentication. Microsoft Windows 2000 Server or later versions with Internet Explorer 5 or later versions for Kerberos. |
| Forms-based authentication | | Encrypts user authentication information and stores it in a cookie. Requires SSL to keep the cookie secure. | |
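As an added example (not part of the original topic), the function below turns Table 1 into a check that can be run across an organization: it lists which methods are enabled on each OWA virtual directory and flags any directory where a method that sends the password or the logon cookie (Basic, Integrated Windows, forms-based) is published on a URL that is not `https`. The `InternalUrl` and `ExternalUrl` properties are assumed to be populated and are used only as a proxy for "SSL is enabled"; the authoritative setting is the Require SSL option on the virtual directory in IIS. The function name `Test-OwaAuthExposure` is hypothetical.

```powershell
# Added example (not from the original topic): audit OWA virtual directories against
# the security levels in Table 1. Function name is hypothetical.
function Test-OwaAuthExposure {
    param($VDir)   # one object returned by Get-OwaVirtualDirectory

    $enabled = @()
    if ($VDir.BasicAuthentication)   { $enabled += "Basic (Base64 clear text)" }
    if ($VDir.DigestAuthentication)  { $enabled += "Digest (MD5 hash)" }
    if ($VDir.WindowsAuthentication) { $enabled += "Integrated Windows (NTLM/Kerberos)" }
    if ($VDir.FormsAuthentication)   { $enabled += "Forms-based (encrypted cookie)" }

    # Assumption: InternalUrl/ExternalUrl are System.Uri values; a missing URL is skipped.
    $urls      = @($VDir.InternalUrl, $VDir.ExternalUrl) | Where-Object { $_ }
    $plainHttp = @($urls | Where-Object { $_.Scheme -ne "https" })

    # Table 1: Basic and Integrated Windows are "Low (unless SSL is enabled)" and the
    # forms-based cookie "requires SSL"; Digest is the only method that never sends the
    # password itself, so it alone does not trigger the SSL finding.
    $sslSensitive = $VDir.BasicAuthentication -or $VDir.WindowsAuthentication -or $VDir.FormsAuthentication

    if ($sslSensitive -and $plainHttp.Count -gt 0) {
        $finding = "WARN: password or logon cookie published on a non-https URL"
    } elseif ($enabled.Count -eq 0) {
        $finding = "WARN: no authentication method enabled"
    } else {
        $finding = "OK"
    }

    # Build the report row (syntax kept compatible with the PowerShell version that ships
    # with the Exchange 2007 shell).
    $row = "" | Select-Object Server, Name, Methods, Urls, Finding
    $row.Server  = $VDir.Server
    $row.Name    = $VDir.Name
    $row.Methods = [string]::Join("; ", $enabled)
    $row.Urls    = [string]::Join(" ", @($urls | ForEach-Object { $_.AbsoluteUri }))
    $row.Finding = $finding
    $row
}

# Run the check over every OWA virtual directory in the organization.
Get-OwaVirtualDirectory | ForEach-Object { Test-OwaAuthExposure $_ } | Format-Table -AutoSize
```

A `WARN` row for an `http` URL does not by itself prove that SSL is off (the IIS setting may still require it), but it identifies the directories whose IIS SSL configuration should be confirmed before Basic, Integrated Windows or forms-based authentication is left enabled on them.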
Other Authentication Methods
There are other authentication methods that you can use to help secure Outlook Web Access. These methods include:
- ISA Server forms-based authentication: Using ISA Server, you can securely publish Outlook Web Access servers by using mail server publishing rules. ISA Server also lets you configure forms-based authentication and control e-mail attachment availability to help protect resources for your organization when they are accessed through Outlook Web Access. For more information about how to use ISA Server as an advanced firewall solution, see the Internet Security and Acceleration Server Web site. For information about how to use ISA Server with Outlook Web Access, see Using ISA Server 2006 with Outlook Web Access.
- Smart card and certificate authentication: Certificates can reside either in the certificate store on a client computer or on a smart card. A certificate authentication method uses the Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) protocols. In EAP-TLS certificate authentication, the client and the server prove their identities to one another. For example, an Outlook Web Access client on a user's computer presents its user certificate to the Client Access server, and the Client Access server presents its computer certificate to the Outlook Web Access client computer. This provides mutual authentication. For more information about smart card and other certificate authentication methods, see How to Configure Outlook Web Access to Use a Smart Card.
- RSA SecurID authentication: You can use the third-party product RSA SecurID to configure RSA SecurID authentication methods on the Client Access server. For information about how to use RSA SecurID with Outlook Web Access, see How to Configure RSA SecurID for Outlook Web Access. For more information about RSA SecurID, see http://www.rsasecurity.com.
Note: The third-party Web site information in this topic is provided to help you find the technical information you need. The URLs are subject to change without notice.