Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-07-19

This topic explains how to use the Exchange Management Console or the Exchange Management Shell to configure Microsoft Office Outlook Web Access authentication to work with Active Directory Federation Services (ADFS). ADFS extends the single sign-on (SSO) functionality that is available within a single security or enterprise boundary to Internet-facing applications. By using SSO, your customers, partners, and suppliers can have a streamlined user experience when they access Web-based applications, such as Outlook Web Access.

About Outlook Web Access and ADFS

When authentication is performed by using ADFS, Outlook Web Access can be used to access only Exchange 2007 mailboxes. ADFS does not support using Outlook Web Access to reach Exchange 2000 or Exchange 2003 mailboxes, even when the connection to the mailbox is made through an Exchange 2007 Client Access server.

In ADFS, the timed logoff, also known as session expiration, does not interoperate with Outlook Web Access. You must turn off timed logoff in ADFS to use ADFS with Outlook Web Access.

ADFS supports Windows NT token-based applications and claims-aware applications. Outlook Web Access is a Windows NT token-based application. When you configure ADFS for Outlook Web Access, make sure that you follow the instructions for a token-based application.

To use ADFS with Outlook Web Access, you must configure Outlook Web Access to accept anonymous access.

Caution:
Outlook Web Access should not be configured to accept anonymous access unless it is being accessed through a connection that requires authentication, such as through ADFS. Because configuring Outlook Web Access to accept anonymous access is a potential security risk, when you configure Outlook Web Access and Internet Information Services (IIS) to accept anonymous access, you will receive warnings that you have turned off all authentication methods.

To learn more about ADFS and how to prepare an ADFS deployment for Outlook Web Access, see Active Directory Federation Services and Deploying Federated Applications.

Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and must be a member of the local Administrators group on the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

Procedure

To use the Exchange Management Console to configure Outlook Web Access to have no authentication method

  1. In the Exchange Management Console, click Server Configuration, and then click Client Access.

    Note:
    To enable Outlook Web Access to accept anonymous access, you must disable all forms of authentication.
  2. On the Outlook Web Access tab, open the properties of the virtual directory that you want to configure to use anonymous access.

  3. Click the Authentication tab.

  4. Select Use one or more standard authentication methods.

  5. Do not select an authentication method. If any authentication method is selected, click the check box to clear it.

  6. Click OK.

  7. You will receive a warning that you have not chosen an authentication method and that directs you to use the Exchange Management Shell to set an authentication method. Click OK to close the warning.

  8. Restart IIS by opening a Command Prompt window and typing the command iisreset /noforce.

To use the Exchange Management Shell to configure Outlook Web Access to have no authentication method

  1. Open the Exchange Management Shell on the Client Access server that is hosting the Outlook Web Access virtual directories that you have to configure.

    Note:
    To enable Outlook Web Access to accept anonymous access, you must disable all forms of authentication.
  2. To disable forms-based authentication on the /owa virtual directory and the site named Default Web Site, run the following command.

    Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -FormsAuthentication $false
    
  3. To disable all forms of standard authentication on the /owa virtual directory and the site named Default Web Site, run the following command.

    Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -WindowsAuthentication $false
    Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -BasicAuthentication $false
    Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -DigestAuthentication $false
    
  4. When the last active authentication method has been disabled, you will receive a warning that no authentication method is specified for the virtual directory and that tells you to use the Set-OwaVirtualDirectory cmdlet to specify one. Ignore this warning.

  5. Restart IIS by opening a Command Prompt window and typing the command iisreset /noforce.

After you have disabled all forms of authentication on an Outlook Web Access virtual directory by using the Exchange Management Console or the Exchange Management Shell, you must use Internet Information Services (IIS) Manager to enable anonymous access on that virtual directory in IIS.

To use IIS Manager to enable anonymous access on a virtual directory

  1. Open IIS Manager.

  2. Navigate to the Web site and virtual directory for which you disabled all authentication methods in the previous steps. In a default configuration, this directory is at Web Sites\Default Web Site\owa.

  3. Open the properties of the virtual directory, and then click the Directory Security tab.

  4. Under Authentication and Access Control, click the Edit button.

  5. Select Enable Anonymous Access.

  6. Click OK two times to save your changes. You may receive an Inheritance Override warning. Click OK to close the warning.

  7. Restart IIS by opening a Command Prompt window and typing the command iisreset /noforce.

For more information about syntax and parameters, see Set-OwaVirtualDirectory.
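The Exchange Management Shell and IIS Manager procedures above leave a virtual directory in a state that only makes sense behind ADFS, so it is worth being able to audit every Outlook Web Access virtual directory on a Client Access server for that state, and for the two half-configured states in between. The following script is an added example that is not part of this topic: the function names are hypothetical, it assumes the Exchange 2007 Management Shell, and it assumes the MetabasePath property that Get-OwaVirtualDirectory reports points at an IIS 6 metabase entry readable through the ADSI IIS provider (or IIS 6 metabase compatibility on IIS 7).

```powershell
# Added example, not part of the original topic. Audits each OWA virtual
# directory for the ADFS state (all Exchange authentication methods off, IIS
# anonymous access on) and flags partially configured directories.
# Assumes the Exchange 2007 Management Shell and that the MetabasePath that
# Exchange reports (e.g. IIS://server/W3SVC/1/ROOT/owa) is an IIS 6 metabase
# entry readable through the ADSI IIS provider.

# IIS metabase AuthFlags bits: 1 Anonymous, 2 Basic, 4 Integrated Windows, 16 Digest.
$AuthAnonymous = 1

function Get-OwaAuthState {
    param($Server = $env:COMPUTERNAME)
    foreach ($vdir in Get-OwaVirtualDirectory -Server $Server) {
        # Any Exchange-side method still enabled means the directory is not in the ADFS state.
        $exchangeAuth = $vdir.FormsAuthentication -or $vdir.WindowsAuthentication `
            -or $vdir.BasicAuthentication -or $vdir.DigestAuthentication
        # Read the anonymous bit from this directory's metabase entry (assumed MetabasePath).
        $flags = [int]([ADSI]$vdir.MetabasePath).AuthFlags
        $iisAnonymous = (($flags -band $AuthAnonymous) -ne 0)

        $state = New-Object PSObject
        $state | Add-Member NoteProperty Identity $vdir.Identity
        $state | Add-Member NoteProperty ExchangeAuthEnabled $exchangeAuth
        $state | Add-Member NoteProperty IisAnonymous $iisAnonymous
        if ((-not $exchangeAuth) -and $iisAnonymous) {
            # The state this topic configures; it is only safe when ADFS fronts the directory.
            $state | Add-Member NoteProperty Result "Anonymous: confirm ADFS fronts this directory"
        } elseif (-not $exchangeAuth) {
            $state | Add-Member NoteProperty Result "Exchange auth off, IIS anonymous off: IIS step missed"
        } elseif ($iisAnonymous) {
            $state | Add-Member NoteProperty Result "IIS anonymous on with Exchange auth still enabled"
        } else {
            $state | Add-Member NoteProperty Result "Standard authentication (not ADFS)"
        }
        $state
    }
}

# The topic's shell steps 2 and 3 as a single Set-OwaVirtualDirectory call.
# Expect the "no authentication method" warning the topic describes in step 4.
function Set-OwaNoAuthentication {
    param([string]$Identity = "owa (Default Web Site)")
    Set-OwaVirtualDirectory -Identity $Identity -FormsAuthentication $false `
        -WindowsAuthentication $false -BasicAuthentication $false -DigestAuthentication $false
}

Get-OwaAuthState | Format-Table Identity, ExchangeAuthEnabled, IisAnonymous, Result -AutoSize
```

Run the audit before and after the IIS Manager steps; a directory that reports "IIS step missed" is unreachable because nothing can authenticate to it, and any "Anonymous" result should correspond to a directory you know is published only through ADFS.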

For More Information