How to configure Forms-Based Authentication in Exchange Server 2003 OWA
By default, Outlook Web Access (OWA) is set up to use Basic Authentication, which transmits credentials unprotected unless the connection itself is encrypted. Best practice is to configure MS Exchange 2003 to use Forms-Based Authentication (FBA) over Secure Sockets Layer (SSL). This document outlines the procedure for setting up FBA over SSL from start to finish.
Installing a Stand-alone Root CA
A Microsoft Certificate Server can take on one of four roles:
- Enterprise Root CA
- Enterprise Subordinate CA
- Stand-alone Root CA
- Stand-alone Subordinate CA
For our purpose, we will install a self-signed Stand-alone Root CA.
A self-signed Stand-alone Root CA requires that Internet Information Services (IIS) be installed.
- Click Start, point to Control Panel and click Add/Remove Programs.
- In the Add or Remove Programs window, click the Add/Remove Windows Components button.
- In the Windows Components dialog box, click the Certificate Services entry and click the Details button.
- Check the Certificate Services CA checkbox, note the warning about changing the machine name, and click Yes.
- Ensure that both the Certificate Services CA and Certificate Services Web Enrollment Support checkboxes are checked. Click OK in the Certificate Services dialog box.
- Select Stand-alone Root CA.
- Enter the machine name as the Common Name and click Next.
- Accept the default certificate database locations.
- Click Yes on the Microsoft Certificate Services dialog box informing you that Internet Information Services must be stopped temporarily.
- Click Finish on the Completing the Windows Components Wizard page.
The Stand-alone Certificate Server is now ready to accept certificate requests.
Creating an SSL Certificate for OWA
The CA must issue us a certificate to use for the OWA portal. In order to get the certificate we must:
- Create a certificate request.
- Submit the certificate request.
- Approve the certificate.
- Download and install the certificate.
Creating a Certificate Request
- Open IIS Management Console and expand Web Sites.
- Right click on Default Web Site and select Properties.
- Select the Directory Security tab.
- Click the Server Certificate button.
- Click Next.
- Click Next again to accept Create a new certificate.
- Select Prepare the request now, but send it later and click Next.
- Click Next to accept the default name and bit length for the certificate.
- Fill in appropriate values for Organization and Organization unit.
- For the Common Name, type in the DNS name that will be used to connect to the OWA server, usually mail.domainname.com.
- Fill in appropriate values for Country, State/province, and City/locality.
- Click Next to accept the default request file location, C:\certreq.txt.
- Click Next to confirm options.
- Click Finish to close the Wizard.
Submitting the request to the CA
- Browse to the web console of your Stand-alone CA using http://servername/certsrv.
- Click Request a certificate.
- Click advanced certificate request.
- Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Open C:\certreq.txt in Notepad and copy all of the text into the Saved Request field.
- Click Submit.
Approving the Certificate
- Click Start, click Programs, click Administrative Tools, and click Certification Authority.
- Expand the server and click Pending Requests.
- Right click the pending request and click Issue.
Downloading and installing the certificate
- Browse to the web console of your Stand-alone CA using http://servername/certsrv.
- Click View the status of a pending certificate request.
- Click the link to download the certificate.
- Download the certificate as a *.cer file.
- Open IIS Management Console and expand Web Sites.
- Right click on Default Web Site and select Properties.
- Select the Directory Security tab.
- Click the Server Certificate button.
- Click Next.
- Click Next to accept Process the pending request and install the certificate.
- Click Browse and navigate to your downloaded certificate file and click Next.
- Click Next to accept the default SSL port as 443.
- Click Next to accept the certificate summary.
- Click Finish.
Your IIS certificate has now been created and installed for the Default Web Site.
Installing the certificate to OWA
- In Internet Services Manager, in the console tree, expand servername (your local computer), and then expand Web Sites, then expand Default Web Site.
- In the console tree, right-click the Exchange virtual directory, and then click Properties.
- In the Properties dialog box for the Exchange virtual directory, on the Directory Security tab, in the Secure communications area, click Edit.
- In the Secure Communications dialog box, click the Require secure channel (SSL) check box, click the Require 128-bit encryption check box, and then click OK.
- Keep clicking OK until you are completely out of the Properties dialog boxes, then close IIS.
Enabling Forms-Based Authentication
After configuring SSL on the OWA site, you need to enable Forms-Based Authentication on the HTTP Virtual Server in Exchange System Manager.
- Open Exchange System Manager.
- Navigate to your server object.
- Expand your server object, and expand Protocols.
- Expand HTTP.
- Right-click on the Exchange Virtual Server and select Properties.
- On the Settings tab, select the Enable Forms Based Authentication checkbox.
- Click OK, and click OK to dismiss the warning message.
- Restart the IIS services either from the Services snap-in or from the IIS Admin snap-in.
By default, Forms-Based Authentication requires that users enter their usernames as DOMAIN\USERNAME. To change this default behavior, set the following:
FBA over SSL for OWA setup complete.
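A client-side check of the finished setup, added here as an example and not part of the original procedure: it confirms that plain HTTP to /exchange is refused with IIS's 403.4 (SSL required), that an unauthenticated HTTPS request is redirected to the Exchange 2003 FBA logon page, and that the certificate's Common Name is the DNS name users type. The hostname mail.example.com, the sample responses and the cafile parameter (the exported root certificate of the Stand-alone CA, which clients must trust) are assumptions.

```python
import http.client
import ssl
from dataclasses import dataclass, field

# Exchange 2003 redirects anonymous requests for /exchange here once FBA is enabled.
FBA_LOGON_PATH = "/exchweb/bin/auth/owalogon.asp"


@dataclass
class Probe:
    """One captured HTTP response: status code, headers and body text."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def evaluate(http_probe, https_probe, peercert, hostname):
    """Pass/fail for the three properties the procedure is meant to produce."""
    hdrs = {k.lower(): v for k, v in https_probe.headers.items()}
    subject = dict(item for rdn in peercert.get("subject", ()) for item in rdn)
    return {
        # "Require secure channel (SSL)" makes IIS 6 answer plain HTTP with 403.4.
        "ssl_required": http_probe.status == 403 and "403.4" in http_probe.body,
        # FBA answers an unauthenticated HTTPS GET with a redirect to the logon form.
        "fba_logon_redirect": https_probe.status == 302
        and FBA_LOGON_PATH in hdrs.get("location", "").lower(),
        # The certificate CN must equal the DNS name users type (the request's Common Name).
        "cert_cn_matches": subject.get("commonName", "").lower() == hostname.lower(),
    }


def probe_live(hostname, cafile=None, timeout=10):
    """Collect the same inputs from a real server; cafile is the exported CA root."""
    plain = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    plain.request("GET", "/exchange/")
    r = plain.getresponse()
    http_probe = Probe(r.status, dict(r.getheaders()), r.read().decode("latin-1"))
    tls = http.client.HTTPSConnection(hostname, 443, timeout=timeout,
                                      context=ssl.create_default_context(cafile=cafile))
    tls.connect()
    peercert = tls.sock.getpeercert()  # subject as ssl returns it: tuples of RDNs
    tls.request("GET", "/exchange/")
    r = tls.getresponse()
    https_probe = Probe(r.status, dict(r.getheaders()), r.read().decode("latin-1"))
    return evaluate(http_probe, https_probe, peercert, hostname)


# Constructed sample responses shaped like IIS 6 / Exchange 2003 output (assumed, not captured).
SAMPLE_HTTP = Probe(403, {}, "HTTP Error 403.4 - Forbidden: SSL is required to view this resource.")
SAMPLE_HTTPS = Probe(302, {"Location": "https://mail.example.com" + FBA_LOGON_PATH
                           + "?url=https://mail.example.com/exchange/&reason=0"})
SAMPLE_CERT = {"subject": ((("commonName", "mail.example.com"),),)}
```

Run `probe_live("mail.example.com", cafile="root.cer")` against the real server; any False in the result points at the step above that was skipped.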