Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-11-13

This topic describes the authentication methods that you can use to help secure Microsoft Office Outlook Web Access on Microsoft Exchange Server 2007 computers that have the Client Access server role installed.

Authentication Methods

Client Access Servers in Exchange Server 2007 support more authentication methods than front-end servers in Exchange Server 2003. You can configure the following types of authentication methods on the Exchange 2007 Client Access server:

  • Standard

  • Forms-based authentication

In addition, you can use the following forms of authentication, which are discussed in more detail at the end of this topic:

  • ISA Server forms-based authentication

  • Smart card and certificate authentication

  • RSASecureID authentication

Standard and Forms-Based Authentication

You can configure standard and forms-based authentication methods for Outlook Web Access by using the Exchange Management Console or the Exchange Management Shell.

  • Standard authentication methods   Standard authentication methods include Integrated Windows authentication, Digest authentication, and Basic authentication. For more information about how to configure standard authentication methods, see Configuring Standard Authentication Methods for Outlook Web Access.

  • Forms-based authentication   Forms-based authentication creates a logon page for Outlook Web Access. Forms-based authentication uses cookies to store encrypted user logon credentials and password information. For more information about forms-based authentication, see Configuring Forms-Based Authentication for Outlook Web Access.

    If you configure multiple authentication methods, Internet Information Services (IIS) uses most restrictive method first. IIS then searches the list of available authentication protocols starting with the most restrictive until an authentication method that is supported by the client and the server is found.

Comparison of Standard and Forms-Based Authentication Methods

Table 1 compares the standard and forms-based authentication methods by using security levels, handling of user logon credentials, and client requirements as the criteria.

Table 1   Comparison of standard and forms-based authentication

Authentication method Security level How passwords are sent Client requirements

Basic authentication

Low (unless Secure Sockets Layer (SSL) is enabled)

Base 64-encoded clear text

All browsers support Basic authentication.

Digest authentication


Hashed by using MD5.

Microsoft Internet Explorer 5 or later versions

Integrated Windows authentication

Low (unless SSL is enabled)

Hashed when Integrated Windows authentication is used; Kerberos ticket when Kerberos is used. Integrated Windows authentication includes the Kerberos and NTLM authentication methods.

Internet Explorer 2.0 or later versions for Integrated Windows authentication.

Microsoft Windows 2000 Server or later versions with Internet Explorer 5 or later versions for Kerberos.

Forms-based authentication


Encrypts user authentication information and stores it in a cookie. Requires SSL to keep the cookie secure.

Internet Explorer 

Other Authentication Methods

There are other authentication methods that you can use to help secure Outlook Web Access. These methods include:

  • ISA Server forms-based authentication   Using ISA Server, you can securely publish Outlook Web Access servers by using mail server publishing rules. ISA Server also lets you configure forms-based authentication and control e-mail attachment availability to help protect resources for your organization when they are accessed through Outlook Web Access. For more information about how to use ISA Server as an advanced firewall solution, see the Internet Security and Acceleration Server Web site. For information about how to use ISA Server with Outlook Web Access, see Using ISA Server 2006 with Outlook Web Access.

  • Smart card and certificate authentication   Certificates can reside either in the certificate store on a client computer or on a smart card. A certificate authentication method uses the Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) protocols. In EAP-TLS certificate authentication, the client and the server prove their identities to one another. For example, an Outlook Web Access client on a user's computer presents its user certificate to the Client Access server, and the Client Access server presents its computer certificate to the Outlook Web Access client computer. This provides mutual authentication. For more information about smart card and other certificate authentication methods, see How to Configure Outlook Web Access to Use a Smart Card.

  • RSA SecurID authentication   You can use the third-party product, RSA SecurID, to configure RSA SecurID authentication methods on the client Access server. For information about how to use RSA SecurID with Outlook Web Access, see How to Configure RSA SecurID for Outlook Web Access. For more information about RSA SecurID, see

    The third-party Web site information in this topic is provided to help you find the technical information you need. The URLs are subject to change without notice.