Outlook Web App (OWA) is the webmail interface for Exchange Server 2010.  Most of you will already be familiar with the acronym OWA from previous versions of Exchange Server where webmail was named Outlook Web Access.

Outlook Web App is hosted on the Client Access Server role for Exchange Server 2010 and integrated with IIS 7.  The OWA URL is typically something like this:


To connect to Outlook Web App users must authenticate first.  The OWA virtual directory can be secured using different authentication settings depending on the network environment.

Exchange Server 2010 Outlook Web App Authentication Types

There are four authentication methods available for Exchange Server 2010 OWA.  They are:

Integrated Authentication – this allows domain users who are logged on to domain computers to automatically logon to Outlook Web App.  This is useful for internal Outlook Web App access as it simplifies the logon process for domain users (they don’t need to logon once to the computer and then a second time for OWA).  However Integrated Authentication is not suitable for remote access by people using non-domain member computers, or people who are connecting via proxy servers.

Basic Authentication – this uses the HTTP protocol to send the logon credentials to the server.  Because the credentials are sent “in the clear” the use of SSL is highly recommended for securing them.  Also, because Basic Authentication credentials can be cached in web browsers it is recommended to use an additional authentication factor (eg a one-time password from a token) to prevent unauthorized access from public kiosk computers using the cached credentials.

Exchange Server 2010 Outlook Web App Authentication Settings
Logon dialog box for Outlook Web App using Basic Authentication

Digest Authentication – this method solves the problem with Basic Authentication where credentials are sent “in the clear” by sending a hashed password instead.  Digest Authentication also works through a proxy server unlike Integrated Authentication.  However Digest Authentication does have some other configuration requirements, such as the use of reversible encryption for password storage in Active Directory.  These may make it an undesirable option for many organiztions.

Forms-Based Authentication – this method uses a sign-in webpage on the server to collect logon credentials.  as with Basic Authentication the use of SSL with Forms-Based Authentication is highly recommended to protect the user credentials.

Exchange Server 2010 Outlook Web App Authentication Settings
The Exchange Server 2010 OWA Logon Page

Forms-Based Authentication has three additional configuration options for how the user credentials are submitted.

  • DomainUsername – users enter their credentials in the format DomainUsername, using either the NETBIOS or FQDN for the domain name.
  • User Principal Name (UPN) – if this option is chosen only users who have a UPN specified that matches their email address will be able to logon to Outlook Web App.
[PS] C:\>Get-Mailbox "alan reid" | fl name, userprincipalname, primarysmtpaddress

Name               : Alan.Reid
UserPrincipalName  : Alan.Reid@exchangeserverpro.local
PrimarySmtpAddress : Alan.Reid@exchangeserverpro.local
  • Username Only – with this option the Exchange administrator specifies a default domain for OWA logons, and users in that domain can logon with username only.  Users in other domains must still use DomainUsername.
  • Configuring Outlook Web App for Integrated Authentication

    In this example the Exchange Server 2010 OWA virtual directory is being configured for Integrated Authentication.

    Using the Exchange Management Console navigate to Server Configuration -> Client Access, and choose the server you wish to configure.  Select the Outlook Web App tab, then right-click the OWA virtual directory and choose Properties.

    Exchange Server 2010 Outlook Web App Authentication Settings
    Configuring an Exchange Server 2010 OWA Virtual Directory

    Select the Authentication tab.  Choose Use one or more Standard Authentication Methods and tick the Integrated Windows Authentication box.

    Exchange Server 2010 Outlook Web App Authentication Settings
    Enabling Integrated Authentication for Exchange Server 2010 OWA

    Click OK to apply the change.

    To perform the same configuration using the Exchange Management Shell run this command.

    [PS] C:\>Set-OwaVirtualDirectory "EX3owa (Default Web Site)" -BasicAuthentication $false -WindowsAuthentication $true -DigestAuthentication $false

    You will notice that three settings were specified in the command. This is because Basic, Integrated, and Digest Authentication can be enabled concurrently so that the OWA virtual directory supports multiple authentication methods. Because of this you should explicitly configure the authentication methods the way that you intend them to be set, rather than modifying only a single authentication method.

    Configuring Outlook Web App for Forms-Based Authentication

    In this example the Exchange Server 2010 OWA virtual directory is being configured for Forms-Based Authentication.

    Using the Exchange Management Console navigate to Server Configuration -> Client Access, and choose the server you wish to configure.  Select the Outlook Web App tab, then right-click the OWA virtual directory and choose Properties.

    Exchange Server 2010 Outlook Web App Authentication Settings
    Configuring an Exchange Server 2010 OWA Virtual Directory

    Select the Authentication tab.  Choose Use forms-based authentication and then choose a logon format, in this example User name only.

    Exchange Server 2010 Outlook Web App Authentication Settings
    Configuring Forms-Based Authentication for Exchange Server 2010 OWA

    Click OK to apply the change.

    To perform the same configuration using the Exchange Management Shell run the following command.

    [PS] C:\>Set-OwaVirtualDirectory "EX3owa (Default Web Site)" -FormsAuthentication $true -LogonFormat UserName -DefaultDomain exchangeserverpro.local

    Other Steps When Changing Outlook Web App Authentication Settings

    You will notice as you modify OWA virtual directory authentication settings that two additional steps are usually required:

    • Resetting IIS – this is required any time you switch to or from Forms-Based Authentication.  From a command prompt window run the following command:
    iisreset /noforce
  • Modifying the ECP virtual directory – ECP stands for Exchange Control Panel and is the self-service web portal for end users to make changes to their mailbox, distribution lists they manage, and some other items.  The authentication method for this virtual directory should be configured to match the OWA virtual directory.
  • About the Author

    Paul Cunningham

    Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.


    1. Hamzah

      Hi Paul,
      I want to have SSO internally in the domain and Form login externally.
      How can I achieve this, when I enable Windows Intergrated authentication, external users can no longer see our customized login page.


      1. Hamzah

        forgot to mention: Using Exchange server 2019 in a DAG config.

    2. Shanavas

      Hi Paul

      I’m using exchange 2010 2 cas and 2 mbox server,
      when i logout owa it showing ” The requested resource is not available”, this issue only when sign out from outside

      pls help

    3. haider

      Hello MR.Paul Cunningham

      I’m using exchange 2010 when I login usin owa with user@enternal domain.Local this work but when I using user@external domain.com i can not login an this message showed T”he user name or password you entered isn’t correct. Try entering it again.”
      pls help

    4. farooq

      @all @Paul,

      What Authentication we must have on Ex2010 for remote move to Exchange online.

    5. Anthony

      Great tutorial. I have having an issue where I am getting the dialog box instead of the OWA login page. Even after I verified that Forms-Based authentication is enabled for OWA and ECP and restarting IIS, its still seems like its doing Basic Authentication. I also verified that the Exchange Server Form Based Service is started and has a startup type of Automatic.

      1. Avatar photo
        Paul Cunningham

        Any reverse proxies or other network devices that might be doing pre-auth?

    6. Roger

      Hi Paul

      we have 2 domains A.local and b.local ther is an ad sync between A.local and b.local.
      Mailboxes are in b.local linked to the a.local. (Migrationphase)
      Allworks fine except Passwordchange in OWA. The username is always fixed to the b.local ad Account.
      How can this be changed that user can enter username or change it to a.localuser?

      Regards Roger

    7. Mahbod

      Our exchange site have 2 mailbox and one CAS for internal outlook access and also we publish it behind the firewall. our active directory domain name is Cont.int but our valid external domain is conttcc.com . that make a big problem for us because we buy the external certificate on owa.conttcc.com for external OWA client and mobile from a certificate athority with SAN as same as owa.conttcc.com and internal certificate is by own certificate. that makes a big problem because when we add the external certificate to the client access server our outlook show the certificate problem name.
      Server name : ex2.cont.int
      external link access : owa.conttcc.com

      Thanks For your kindly guide

      1. Avatar photo
        Paul Cunningham

        You can change the namespaces/URLs for internal access to owa.conttcc.com as well. You just need to make sure that DNS is correctly set up (usually split DNS is deployed for this).

    8. Syed Ahamed

      Hi Paul,

      Thanks for your valuable post.

      I have requirement like this.please help me to get solution

      Scenario :

      User logged with his windows credentials, opening mail from intranet (there is a mail icon in our intranet page).Mail is opening no issue.Now user logged out from intranet (not windows) and another user logged in the intranet.Click the mail icon again ,its opening previous user mail account (who logged in windows pc).It should open from current user for intranet site.How can i achieve this.?
      Please give me any idea.

      1. Avatar photo
        Paul Cunningham

        The problem is that logging out of your intranet doesn’t log the person out of Outlook web access.

        Either your users need to log out of Outlook web access, or they need to stop sharing Windows login sessions.

        1. Syed Ahamed

          Thanks for your reply.

          I just changed OWA settings from Windows authentication to Form Based authentication.It works fine.But If i close and open browser again,its asking credential again.Is it possible to get credentials every time directly from intranet site? instead of giving manually?

          1. Avatar photo
            Paul Cunningham

            No, forms based auth means they will be manually entering their credentials each time they log on to OWA.

    9. Syed Safi

      How to configure the Exchange 2010 to access from the outside company network.

    10. Jay

      Is there any issue to enabling Anonymous Authentication in IIS for OWA if we are planning to use RSA Authentication Agent?

        1. Jay

          For Single Sign On utilizing the RSA Authentication Agent, requires both anonymous authentication and windows authentication to be enabled on IIS.

          ftp://ftp.rsasecurity.com/pub/agents/WebAgent_IIS.pdf (page 71)

          Part of me is always hesitant in enabled Anonymous, but part of me thinks because it is behind the RSA token code/web app/security it would be ok.

    11. Srik

      Hi Paul,
      i am just a newbie practising exchange server 2010, I have installed it, created DB and mailboxes, and when itried logging into Exchange server using OWA, it is flashing me with the same screen of username and password, but the credentials are correct since local login is successful with the same credentials.. is there a default authentication setting or do we need to authenticate users before going to OWA..?

    12. Amit

      I want to know about username only option. If I have user in child domain, do they need to enter the domain name or it work with username only.

    13. Irshad Ahmed

      Dear Mr.Paul,
      My organization current OWA access is to integrated windows authentication and also Basic Authentication (Password is sent in clear text).
      A requirement now is that if I am connected to the company network, I shouldn’t need to enter credentials, it should automatically do a Single-Sign-On to OWA. If I’m not on the network, I should be prompted for credentials, as is working now.
      But currently when I open owa URL they prompted domainuser name.
      Which settings required for SSO in OWA.?

    14. Derik

      Thanks man!
      It helped me resolve problems with Virtual Directory ECP.
      To access “See all Options” in OWA he required authentication popup.

    15. Milton Lopez

      Sorry – forgot to check “Notify me of followup comments via e-mail” in may previous post.

    16. Milton Lopez

      Hi Paul – thanks for all the great posts. After reading all the above and other posts on this topic, I’d really appreciate a summary of what criteria should be used to configure the authentication methods for each of the Exchange virtual directories, and how they relate to each other. I realize that the choice of auth methods depends the requirements for each organization, but I have yet to find clear coverage on how to translate those requirements into a specific set of auth methods for each and every one of the virtual directories. The information I have gathered so far is rather scattered and largely based on specific examples for each of the virtual directories. This makes it difficult to understand why and how to fully configure a server. I look forward to your reply.


    17. Cesar Perez

      Hi Paul, excelent your Page congratulaions.

      I hope you can help me,

      I have one Domain CONTOSO.COM, i have 1 Server with only Rol CAS and i have 3 Servers with the Rol CAS, MAIL, and CLIENT ACCESS.

      when i access to OWA dor Internet, I can view my page OWA, when I put my user and password I can acess without trouble.

      My Accouns this in The Server 01, but when I put other Acoount that is in other Server (Example Server 02) I get an Error that CANOT FIND THE SERVER SERVER 02

      I tried configure the redirecction in the IIS, but appears the same error.


      Note: Sorry for my English.

      1. Avatar photo
        Paul Cunningham

        You shouldn’t need to do anything in IIS for this to work.

        All of the CAS in the same AD Site should have the same external URL configured on their OWA virtual directory. Ideally you would also load balance them. Either way, when you hit that OWA URL the CAS should be able to access the mailbox on any server within the site.

    18. Casey Thompson

      I had an issue in our organization where users were not able to delete or move emails using OWA. The only two changes I had made to our Exchange servers prior to this issue surfacing was updating the SSL certificate and updating all of our Exchange servers with RU5 for Exchange 2010 SP3. I had racked my brains trying different troubleshooting steps and reading through many forums. It turned out that the issue centered on an authentication setting in the ECP virtual directory. The anonymous authentication setting was set to enabled. I change this setting to disabled to match the setting for the OWA anonymous authentication setting. Once completing that task and then restarting IIS on both of our CAS servers, the issue was resolved and users were once again able to delete emails and move emails to different folders in OWA. The error that popped up when the issue was happening stated that a configuration on the server was incorrect and to contact the IT department. Hope this information is helpful to someone else who may be struggling with this issue. As always, thanks to Paul for another great article on an important topic in Exchange.

    19. Deanne Barton

      Hi Paul

      We are using Forms-based authentication with User name only, therefore users have to use their domain log in credentials. As we set up users for EAS as well is it possible to use both Domain or UPN or can it only be one or the other?

    20. Matt

      Paul – the problem I am running into is that i am going to create generic users because our staff tends to play musical chairs way too much, which causes my support to setup multiple profiles in outlook. The plan was to use a generic login and then have them go to owa for their email. major problem with that because we have multiple web apps that we have to log into and if they logout of owa it kills authentication cache, which kills my other apps – if you are running one instance of IE. two instances it’s fine but I might as well talk to a wall explaining this to my generic users. firefox works but our web apps won’t run on FF because the apps were written crappy. Do I create an internal site using basic authentication and leave the external forms based. I have smartphones so I do not want to screw that up but pretty sure activesync takes care of that or is it tied to it somehow. Thanks

      1. Avatar photo
        Paul Cunningham

        I’m baffled by your scenario. I understand you’re the one dealing with it directly so it probably makes sense to you.

        A user can login to a domain workstation with their account and Outlook will autodiscover and autoconfig their profile settings for them. What need is there for support to set up new profiles every time a user moves?

        Generic logins are a bad idea from a security perspective and pointless if they are just going to login to their own mailbox afterwards anyway (see comment above).

        I have no idea why logging out of OWA logs out your other apps. It has never happened to me so perhaps there is something specific about your situation that Microsoft Support could assist you with.

        1. Steve Hodges

          Paul – The OWA issue of logging you out of other web apps is the same thing I asked you about back on 2/18; seems to be an IE issue with shared sessions, when you open OWA in another tab and login, logging out of OWA loges you out of everything in that session but if you launce a new instance of IE to log into OWA everything works fine. I have tried this with multiple web sites and OWAs.

          1. Yuriy Shikhanovich

            I’ve ran into the same issue. It seems to wipe out session cookies when it logs out. Have you found any way around it?

    21. Tony

      Hi I am using exchange 2010 from my firewall I have forwarded port 443 https tragic to my exchange server to be more secure we want user first authenticate (Reverse proxy) and then Owa page open for authentication as Tmg is endof life what solution is available ?

      1. Avatar photo
        Paul Cunningham

        There are other load balancers and edge devices that can do pre-auth. Kemp, F5…

    22. Kayla

      I have set up 2 OWA sites, one with Windows Integrated Authentication and one with Forms Based. We are running the WIA site under a service account but it seems Exchange can’t handle that. Kerberos works fine (confirmed in info screen) but attachments can’t be previewed because the temporary folder that is used to store the attachments during viewing is set to allow access to the system account only. Have you ever come across this issue and if so, do you happen to know how to solve it?

      1. Marjolein

        Hi Kayla,

        We encountered the same problem when we were using a service account. What you can do is use alternate service credentials in Exchange 2010. That way the IIS service can run with the system account while everything else works with the service account (see my reply in this thread on April 17, 2013 at 10:24 pm).

        Hope this helps,

    23. Steve Hodges

      Having problems with OWA – log into any website, then open and log into OWA, then logout of OWA; all your other websites are also logged out. Please help!

        1. Steve Hodges

          When you go to a website, any site, and log in; bank, insurance, irs, any websites you have logons for, I even tried with multiple sites at the same time. with these sites open and logged into, you open another IE tab or window, connect to the OWA server and login, check your e-mail, and logout of OWA; switch to your other windows and / or tabs and you find you are magically logged out of all your sites. I have confermed this with multiple websites on multiple computers on multiple domains and with multiple OWA servers.

        2. Steve Hodges

          Looks like it is related to the shared sessions (tabbed browsing) in Internet Explorer because if I use a new IE session for my OWA, logging off doesn’t affect my other websites. I still think OWA is doing something different because logging off my bank or insurance sites don’t log me off of everything else. Please let me know if you’ve found a solution; perhaps a setting on the Exchange server or in IE.


    24. Lee

      I want to let some users wont dont join domain which Authentication should i use?

      Many thanks!

      1. Avatar photo
        Paul Cunningham

        Forms-Based Authentication is probably going to be the most user-friendly in that scenario.

    25. Mat

      With IIS advanced logging enabled, i can track successful OWA attempts with the client IP address.

      However with failed OWA attempts it throws an information in the security log of event viewer (4625 ID), but here it does not display the source ip or the client IP.

      What do i need to do to allow tracking of bad attempts of OWA logon in IIS advanced logging ?

      Thank you Sir

    26. Rajen

      I am still having a problem where outlook suddenly prompts users for Passwords.
      Noticed that at that particular moment it is trying to connect via HTTP (Webmail server). what authentication settings should i use so that outlook on the LAN will connect automatically (if it tries to connect to my Webmail server rather than the local CAS) and users externally will be prompted for credentials when trying to connect to outlook anywhere.
      Although i have removed both tick from the check boxes within the outlook exchange proxy settings as below

      On fast networks, connect using HTTP first, then connect using TCP/IP
      On slow networks, connect using HTTP first, then connect using TCP/IP

      But outlook on the LAN still attempts to fail-over to connecting to the Webmail server and prompting for a Password.

      I am also using basic authentication in my Exchange proxy settings

      Please assist / advise

      1. Avatar photo
        Paul Cunningham

        My guess is your OWA namespace (URL) and Outlook Anywhere namespace are the same.

        I think what you’re seeing is Outlook clients failing to make a direct TCP/IP connection and attempting an Outlook Anywhere connection.

        With Outlook Anywhere configured for Basic authentication it is quite normal to see an authentication prompt appear.

        1. Rajen

          thank you for the reply.

          MY OWA name space and Outlook anywhere name space are correct.

          You are exactly right with the clients trying to use outlook anywhere when they may detect a slow or no LAN connectivity.
          But how do i get PC’s on the LAN to seamlessly make that connection without prompting for a password.

          My OWA settings on my 2 CAS servers on the LAN are using Windows Authentication. So in theory they should not prompt for a password on the LAN…. ????

          And my actual OWA server is configured for Form Based Authentication so that users externally are prompted for a Password.

          1. Avatar photo
            Paul Cunningham

            “My OWA settings on my 2 CAS servers on the LAN are using Windows Authentication”

            Shouldn’t be relevant. Outlook Anywhere is what they’re trying to use.

    27. joang

      Please help

      cannot download or view attachment from OWA (using exchange server 2010) comment bad request – 400

    28. Eddie

      I have a problem getting the password reset tool for exchange 2010 working.

      My settings:
      Name : owa (Default Web Site)
      InternalAuthenticationMethods : {Basic, Fba}
      LogonFormat : UserName

      Name : ecp (Default Web Site)
      InternalAuthenticationMethods : {Basic, Fba}

      When accessing the owa site with a user that has its password expired, I get no error just a new login page.
      Any ideas on where to start looking?

    29. Leng

      Hi Paul,

      interesting reading.Authentication method used in IIS and Exchange/Outook is always confusing,so never sure what to set.
      I have a issue that every time i start outlook at Internal network,it always ask me for credential.If i close outlook and start again it doesn’t ask for credential.This only happens when i start my computer in the morning.
      Is this problem iisauthentication error (since its set to Basic),or do you think this problem is elsewhere?
      Weird part is that not everyone in the office is having this problem.Running multiple version of win 7,win8 and Outlook 2010/2013.
      Have seen this problem occurred for the others, 2 weeks before password expires and user have to renew their password.After they renew their password its fine.
      Me i have renewed password without any help.


    30. Karthik

      we have Exchange 2010 setup, how do i configure different passwords for domain user account and OWA.
      when ever i change the user password in AD, the same is being applied to OWA, which i don’t want. user should have two different passwords. Now i am using Integrated Authentication. please help.

      1. Avatar photo
        Paul Cunningham

        Exchange uses Active Directory for identity and authentication. There is not a separate Exchange password.

    31. Aidan

      Hi Paul,

      Is there a way to stop the login prompts when users are logging in from an untrusted domain?

      Users are logging in from as so:


      Autodiscover service is being found, but prompts for the password. Once accounts are setup the users are prompted for login details every time they open outlook.

      I have been able to resolve some users issues by using credentials manger in windows 7…but half the people on our network are still on XP/outlook 2007 (dont ask… :/ this is the environment i inherited…)

      If you could help me out here i would kiss you…or at the very least buy you a pint 🙂

      Kind regards,

    32. Thomas


      We have 2 CAS,HT server.Able to login to owa and able to send mails.But when connecting to CAS2/owa and click on new message getting error as Your network connection is unavailable.Please reconnect and try again.Servers are in HLB.

      Thank you,


    33. ahmed

      Hi Paul. First off thanks for your articles and KB’s, they make my life easy. My question is, I have multiple domains in a single forest and exchange 2010 environment. We have many companies which have different domains in our exchange, most of the companies have finance@company.com. All of them want to use same logon username, As of now we are giving them different logon names with desired email addresses ex: finance@company.com & finance@company2.com. Is there a way to achieve same logon username for all the domains by make any changes on AD or exchange

    34. Brian Rota

      In Exchange 2003 if you have integrated configured and you logged on a PC without a mailbox you are prompted to fallback to basic and you can enter a username and password.
      In 2010 now these users get notified that the mailbox does not exist with no option to log in again.
      I have some generic computers that are logged on with accounts that do not have mailboxes. I know I can take the url out of the intranetzone but the customer is not sure of where all of the machines so a GPO may be tough.
      Is there a way to make 2010 to just reprompt for authentication if the logon account does not have a mail box like 2003 did?

      Thank you

    35. Marjolein


      I have set up 2 OWA sites, one with Windows Integrated Authentication and one with Forms Based. We are running the WIA site under a service account but it seems Exchange can’t handle that. Kerberos works fine (confirmed in info screen) but attachments can’t be previewed because the temporary folder that is used to store the attachments during viewing is set to allow access to the system account only. Have you ever come across this issue and if so, do you happen to know how to solve it?

      Kind regards,

        1. Marjolein

          Hi Paul,

          Here’s my reasoning:
          – an SPN needs to be set on the A-record at which the site is addressed
          – for linux machines to work well with kerberos, a corresponding PTR record needs to exist as well
          – the Exchange hosts reside in a HLB configuration
          * conclusion: the webmail address needs it’s own A- and PTR record set to an address assoicated with the HLB and the SPN needs to be set at that record.
          Am I missing something?

          1. Marjolein

            We use Linux clients as well and they don’t use OWA for accessing their mail. Meanwhile I figured it out: you don’t have to use a service account on the virtual folders as I have done in the past (in 2007 there is no other way) but you should use the “alternateserviceaccountcredentials” switch with set-casarrayserver to have Exchange run under the service account. More information can be found in articles Using Kerberos with a Client Access Server Array or a Load-Balancing Solution (http://technet.microsoft.com/en-us/library/ff808313.aspx) and Configuring Kerberos Authentication for Load-Balanced Client Access Servers (http://technet.microsoft.com/en-us/library/ff808312.aspx).

    36. Kirld

      Hi Paul,

      I have researched over the internet if it is possible.

      is it possible to restrict some users from accessing OWA on the public Internet? but have them access only on internal Network? If we are to disable OWA’s external access, all users will be affected, we only want to restrict some users but not all.

      Is it possible?

      Thanks in advance.

    37. Varun Sharma

      We installed a new Exchange server 2010 , setup is full loaded but when we open a OWA and enter the user name so it will not redirect to me webmail it shown the default owa webpage again.Kindly Help me out to resolve the issue even we already try with domianuser name & user name but it will not re-direct to me webmail.

      Kindly reply with solution.

      1. Avatar photo
        Paul Cunningham

        You should check the OWA virtual directory configuration in the Exchange Management Console and see which user name format it is configured to accept.

        1. Varun Sharma

          I checked all the settng but it did not work..

    38. Martin Berard

      We also would like if any succeeded in setting up en environement with integrated auth for internal use and form based for external users.

      Is it possible to install 2x OWA on the same server with different authentication settings and using virtual host such as: mail.mycompany.local vs mail.mycompany.com?


    39. Simon Payne

      Hi Paul

      I have enabled integrated windows authentication only and am still being prompted with a windows popup box.
      Exchange 2010 on Windows 2008 R2.

      We use TMG Server for external use that works fine with Forms based authentication done by TMG.
      But internally I would either like single sign on or forms based.
      But we cannot set OWA to forms based as it will ask for authentication twice – TMG and Exchange.

      any ideas?


    40. Sameer


      i need to know how to configure integrated windows authentication for internal users and FBA for external users.

      thanks alot

    41. gary

      We too have the same issue as brodiemac…

      1. gary

        i managed to fix this in the end by changing auth settings in IIS..

        1. Irshad Ahmed

          how you solve changing in IIS? please guide in detail..

        2. Irshad Ahmed

          which Auth. setting you changed in IIS??

    42. Brodiemac

      I have everything setup according to this article. I was prompted to also change ECP and restart IIS which I did but we are still not getting Integrated Windows Authentication to work. It is still prompting for the input of username/password. Any ideas?

      1. Avatar photo
        Paul Cunningham

        If you’re using Integrated auth and you expect it to automatically login without prompting for credentials you need to make sure that the OWA URL is included in one of the Internet Explorer security zones where automatic login is enabled (usually either Trusted or Intranet zones will do it).

        1. Brodiemac

          We have that URL setup in the Trusted Zone in one of our group policies and yet people are still being prompted for login credentials.

          1. taylor

            hi I am running into the same issue where “integrated” security is selected but users are still getting prompt. how did you resolve the prompt issue?

    43. Chris

      I should have known … the best info i found regarding authentication issues was right here, where i already subscribed to 🙂

      Thanks Paul

    44. Chetan

      Our current OWA access is to Forms Based Authentication.

      A requirement now is that if I am connected to the company network, I shouldn’t need to enter credentials, it should automatically do a Single-Sign-On to OWA. If I’m not on the network, I should be prompted for credentials, as is working now.

      Questions: Can OWA be configured with Windows Integrated Autrhentication for (internal ot network connected) users and also have other authentication (I’m thinking Digest, for security) so accessing OWA will prompt for credentails for external or non-network connected users?

      1. Carol Ostos

        We were using FBA for internal and planned to use it for external as well, we are now setting up Outlook Web App externally with TMG + RSA so we have changed the internal authentication method to Basic and Windows Integrated, so internally we dont need credentials when using IE, you do need to provide credentials if using other browser unless you say save my credentials, which wont be ideal if your password get cached you might have failed login attempts. So for external you can def have FBA. Good luck with your setup cause we are still unable to get RSA working ;(

    45. Leo S

      all fixed now. Thanks heaps.

    46. Leo S

      Erm, I seem to have forgotten to run the first cmdlet here. will check again… Ta

    47. Leo S

      This only seems to work for the logon page, not for the settings and options within OWA. pretty pointless IMHO.

      1. Avatar photo
        Paul Cunningham

        Did you also update the ECP virtual directory settings to match the OWA ones?

        1. Leo S

          No, I just checked on the server though they all appear to have Basic auth enabled and ecp uses the same sign-in format as owa on EX mgmt console, Thanks.

        2. Avatar photo
          Paul Cunningham

          I’m not sure from your comments what you’re trying to achieve (ie which auth configuration you’re going for) or whether this is now fixed for you.

          But, if you haven’t set the OWA and ECP settings to match then I would expect you will not get the desired result.

    48. sidneyleusson

      Hello, I have now set up user authentication for basic authentication, and I want to change to authentication by form, the steps do you say in your tutorial, but it does not work, it can be, I have exchange 2010. I have to do something else in the IIS?

      1. Avatar photo
        Paul Cunningham

        If you change from Basic/Windows to Forms or vice versa then yes, you need to restart IIS (the console should tell you this when you make the change).

    49. Carol Ostos

      Having a bit of an issue with Outlook Web App. Moved some mailboxes from E2K3 to E2K10 and created new mailboxes just to see if the problem was to do with the mailbox move but seems that the problem persists regardless.

      Logon, Logoff, Error aspx pages load with no problems but seems like the browser cannot parse dll’s
      All these files are located under the auth folder.

      I have found some links that talk about adding preCondition= “bitness62” to the isapifilters (Exchange OWA Cookie Authentication ISAPI Filter and Exchange ActiveSync ISAPI Filter) found on the applicationHost file on SystemRootinetsrvconfig.

      I have performed Test-OwaConnectivity checks and I get the following

      VERBOSE: [00:03:38.762 GMT] Test-OwaConnectivity : Resolved current organization: .
      VERBOSE: [00:03:38.762 GMT] Test-OwaConnectivity : Adding a test instance for URL
      ‘https://casserverfqdn/’ specified with the -URL argument.
      VERBOSE: [00:03:39.778 GMT] Test-OwaConnectivity : [10:03:38.762] : The TrustAnySSLCertificate flag was specified, so
      any certificate will be trusted.
      VERBOSE: [00:03:39.778 GMT] Test-OwaConnectivity : [10:03:39.215] : Sending the HTTP GET logon request without
      credentials for authentication type verification.
      VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : The HTTP request succeeded with result code 200
      VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : The sign-in page is from Outlook Web App, not ISA
      VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : The server reported that it supports authentication
      method FBA.
      VERBOSE: [00:03:40.653 GMT] Test-OwaConnectivity : [10:03:40.575] : This virtual directory URL type is External or
      Unknown, so the authentication type won’t be checked.
      VERBOSE: [00:03:41.090 GMT] Test-OwaConnectivity : [10:03:41.028] : Trying to sign in with method ‘Fba’.
      VERBOSE: [00:03:41.090 GMT] Test-OwaConnectivity : [10:03:41.028] : Sending HTTP request for logon page
      WARNING: [10:04:03.544] : The HTTP logon request returned the non-OK result code 302 (Found).

      Continue with this operation?
      [Y] Yes [A] Yes to All [H] Halt Command [?] Help (default is “Y”): A
      WARNING: [10:04:03.544] : The test encountered an error while signing in to Outlook Web App.
      HTTP code: 302
      WARNING: [10:04:03.544] : Test failed for URL ‘https://casserverfqdn/’.

      RunspaceId : 1a842b77-bbac-459d-a629-86e1fcbb942a
      AuthenticationMethod : FBA
      MailboxServer :
      LocalSite : SYDNEY
      SecureAccess : True
      VirtualDirectoryName :
      Url : https://casserverfqdn/
      UrlType : Unknown
      Port : 0
      ConnectionType : Plaintext
      ClientAccessServerShortName :
      LocalSiteShortName : SYDNEY
      ClientAccessServer :
      Scenario : Logon
      ScenarioDescription : Sign in to Outlook Web App and verify the response page.
      PerformanceCounterName : Logon Latency
      Result : Failure
      Error : The test encountered an error while signing in to Outlook Web App.
      HTTP code: 302
      UserName : xxxxxxxxx
      StartTime : 4/13/2012 10:03:40 AM
      Latency : -00:00:00.0010000
      EventType : Error
      LatencyInMillisecondsString :
      Identity :
      IsValid : True

      VERBOSE: [00:04:08.919 GMT] Test-OwaConnectivity : Admin Audit Log: Entered Handler:OnComplete.
      VERBOSE: [00:04:08.919 GMT] Test-OwaConnectivity : Ending processing &

      Any clues? I did not want to recreate the owa and ecp virtual directories.

      Something else to mention, I tried to run the script called UpdateCas.ps1 found on the bin directory with the hope to update any missing or corrupted files but no joy!


      1. Carol Ostos

        Just an update, after my post, I have tried the following workarounds:

        a) Resetting the virtual directories for both owa and ecp. I have no issues performing these tasks, Both directories were removed and created again, I change the settings to include our externalURL but still no luck.

        b) Added preCondition= “bitness64″ to both isapifilters (Exchange OWA Cookie Authentication ISAPI Filter and Exchange ActiveSync ISAPI Filter) found on the applicationHost file on SystemRootinetsrvconfig. Reset IIS and tried both ecp and owa but still no luck

        c) Checked Exchange FBA service was running.

        I’m out of options, what can I do? Thanks!!!!

        1. Carol Ostos

          Problem solved, as the error 302 suggested it was an infinite loop, removed redirection and set it again but this time only on the Default Web Site and no on the owa directory. All good now!

    50. Jack

      Hi Paul,
      Can I use all the three ways(DomainUser, UPN, User Only) to logon OWA at the same time? I mean whatever way I choose can logon the OWA at anytime.


      1. Uwe

        Hi Jack,

        no it didn`t work because you must deside ether domainuser or only user (see above pic). The UPN is confured in ADUG at user level.


    51. Chanchal


      I am new for exchange 2010 and i have enabled form based authantication and i am using Exchange SSL.
      What changes i need to made in IIS and exchage so that users will be able to access it from outside.

      Thanks in advance
      Chanchal Sharma

      1. Uwe

        Dear Chanchal,

        Yes both is possible and run well. You must change the UPN of the user with his email address.

        Then the user can logon with his SAM- or UPN account settings without the domain.


    52. Mohamed Abdel hamid

      بسم الله الرحمن الرحيم
      thank you very much for your Tutorial
      i want ask about the best way to Outlook Web App Authentication

      i select Integrated Authentication and Digest Authentication this good and this need any more configure

      thank you again
      الله الموفق

      1. Avatar photo
        Paul Cunningham

        Hi Mohamed, what is “best” depends on your environment and how people are accessing OWA.

        Integrated Authentication is fine if you’re happy with how that works.

    Leave a Reply