Windows Advisor

Securing OWA with Forms-Based Authentication

Make remote e-mail readily accessible to users through the Web, but do it securely with forms-based authentication.

Exchange Server 2003 offers a feature called forms-based authentication that can make Outlook Web Access (OWA) more secure. Instead of the browser collecting the user's name and password through an HTTP authentication prompt and caching them, the user logs on through a Web page and OWA keeps the credentials in a session cookie. After a configurable period of inactivity the cookie is cleared and the user has to log on again. This is better for an Internet-facing server because the credentials are not cached on the client computer, they are only valid for the duration of the session, and there is no "Remember my password" option for the user to tick.

To configure forms-based authentication, open Exchange System Manager, go to Protocols > HTTP, open the Properties of the Exchange Virtual Server (see Fig. 1) and, on the Settings tab, check "Enable Forms Based Authentication." Optionally, you can also select Low or High compression on the same tab. High compresses both static and dynamic pages, while Low compresses only static pages. Compression trades server CPU for bandwidth, so if you only have one Exchange server in your environment (no dedicated front-end), leave it off to avoid the extra load.

Forms-based authentication does not take effect until IIS restarts: type iisreset at a command prompt. Note that iisreset drops every active OWA session, so users who are logged on at that moment will have to sign in again.

Once you've enabled forms-based authentication, you might also want to configure the time-out value for the authentication cookie. On the OWA logon page, users can pick one of two security options:

  • Public or shared computer: the default, intended for kiosks or other computers used by several people. The session times out after 15 minutes of inactivity.
  • Private computer: for users who don't share their computer and want a longer session. The cookie lasts for 24 hours of inactivity before it is cleared.

You can change both defaults in the registry. The two values are PublicClientTimeout, which applies to the "Public or shared computer" option on the OWA logon screen (default 15 minutes), and TrustedClientTimeout, which applies to the "Private computer" option (default 24 hours, i.e. 1440 minutes).

Both values are expressed in minutes, from 1 to 43200 (30 days), and neither exists by default; if a value is absent, OWA uses the default mentioned above. Here are the two registry settings you can add:

Registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
MSExchangeWeb\OWA

Value name: PublicClientTimeout
Value type: REG_DWORD
Value data: Between 1 and 43200
Base: Decimal

Value name: TrustedClientTimeout
Value type: REG_DWORD
Value data: Between 1 and 43200
Base: Decimal

To set a cookie time-out of 36 hours for "Private computer," enter a decimal value of 2160 (36 × 60 minutes) for TrustedClientTimeout (see Fig. 2). OWA reads these values only when the Web service starts, so restart W3SVC afterwards by typing net stop w3svc followed by net start w3svc at a command prompt. As with iisreset, this ends all active OWA sessions, so do it outside business hours.
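The registry procedure above, as a script rather than a Regedit session. This is an added example and not code from the article or from Microsoft; it assumes an Exchange Server 2003 server on which forms-based authentication is already enabled and on which Windows PowerShell 2.0 or later has been installed (PowerShell was a separate download for Windows Server 2003). The function names are the example's own, not Exchange cmdlets.

```powershell
# Added example, not from the article: apply the OWA cookie time-outs described
# above from a script instead of Regedit. Assumed environment: an Exchange
# Server 2003 server with forms-based authentication already enabled and
# Windows PowerShell 2.0 or later installed. Run from an elevated prompt on
# that server (the front-end server in a front-end/back-end topology).

$OwaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA'

function ConvertTo-OwaTimeoutMinutes {
    # OWA reads both values as minutes; the valid range is 1 to 43200 (30 days).
    param([Parameter(Mandatory=$true)][double]$Hours)
    $minutes = [int][math]::Round($Hours * 60)
    if ($minutes -lt 1 -or $minutes -gt 43200) {
        throw "Time-out must be between 1 and 43200 minutes; $Hours hours is $minutes minutes."
    }
    return $minutes
}

function Set-OwaCookieTimeout {
    param(
        [Parameter(Mandatory=$true)][double]$PublicHours,   # "Public or shared computer"
        [Parameter(Mandatory=$true)][double]$PrivateHours   # "Private computer"
    )
    # The logon page presents "Private computer" as the longer-lived choice;
    # refuse settings that would invert that.
    if ($PrivateHours -lt $PublicHours) {
        throw 'TrustedClientTimeout must not be shorter than PublicClientTimeout.'
    }
    $public  = ConvertTo-OwaTimeoutMinutes -Hours $PublicHours
    $trusted = ConvertTo-OwaTimeoutMinutes -Hours $PrivateHours

    if (-not (Test-Path $OwaKey)) { New-Item -Path $OwaKey -Force | Out-Null }
    # REG_DWORD, written as decimal minutes; -Force overwrites an existing value.
    New-ItemProperty -Path $OwaKey -Name 'PublicClientTimeout'  -PropertyType DWord -Value $public  -Force | Out-Null
    New-ItemProperty -Path $OwaKey -Name 'TrustedClientTimeout' -PropertyType DWord -Value $trusted -Force | Out-Null

    # Read back the values OWA will load on the next start of W3SVC.
    $now = Get-ItemProperty -Path $OwaKey
    New-Object PSObject -Property @{
        PublicClientTimeoutMinutes  = $now.PublicClientTimeout
        TrustedClientTimeoutMinutes = $now.TrustedClientTimeout
    }
}

# 15 minutes for shared computers (the default) and 36 hours, i.e. 2160 minutes,
# for private ones.
Set-OwaCookieTimeout -PublicHours 0.25 -PrivateHours 36

# OWA only reads the registry when the Web service starts. Restarting W3SVC
# also invalidates every current OWA session, so do this in a maintenance window.
Restart-Service -Name W3SVC -Force
```

If you do use Regedit, remember that it displays DWORD data in hexadecimal by default; 2160 minutes is 0x870, so select the Decimal base before typing the number. On a server without PowerShell the same value can be written from cmd.exe with `reg add HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA /v TrustedClientTimeout /t REG_DWORD /d 2160 /f`, followed by the net stop and net start commands above.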

Figure 1. Configuring forms-based authentication for OWA.

Figure 2. Modifying client session time-out value in registry.

If you publish OWA through Microsoft Internet Security and Acceleration (ISA) Server 2004, the firewall can present its own forms-based logon page on the Web listener. Because that form is generated by ISA rather than by Exchange, it works for Exchange Server 2003, Exchange 2000 Server and Exchange Server 5.5 servers on the private network, and the idle session time-outs are then configured in ISA Server Management instead of in the Exchange server's registry. Here's the procedure for configuring the idle session time-out for OWA clients in ISA Server 2004:

  1. Open the ISA Server Management console.
  2. Click Firewall Policy. [For Enterprise Edition, go to the properties of the array and click Firewall Policy. For Standard Edition, go to Server_Name and then click Firewall Policy.]
  3. On the Toolbox tab, click Network Objects.
  4. Expand Web Listeners and select the Web listener you are working with.
  5. Double-click the Web listener and, on the Preferences tab, click Authentication.
  6. Ensure that OWA Forms-Based authentication is selected and click Configure.
  7. Under Idle Session Timeout, configure the idle time-out values for Clients on public machines and Clients on private machines as appropriate for your environment.
  8. Save the configuration in the ISA Server Management console.

In this configuration ISA authenticates the user itself and forwards the credentials to the published OWA server, so the Exchange server should not also present its own logon form; otherwise users are prompted to log on twice.

Whichever product serves the logon form, in a front-end/back-end Exchange topology enable forms-based authentication only on the front-end server, never on the back-end. If you are not using a front-end server, enable it on the mailbox server. Check out Microsoft's Knowledge Base article 830827, "How to manage Outlook Web Access features in Exchange Server 2003," for more information on this topic.

Whether or not you use forms-based authentication, OWA should always be protected with Secure Sockets Layer (SSL) so that credentials and mail content are encrypted in transit across the Internet. Exchange enforces this for the logon form: you can't enable forms-based authentication unless SSL is already required on the site. Forms-based authentication builds on that by keeping the user's credentials in a session cookie rather than in the browser's credential cache, and the registry values described above let you control how long a session may sit idle on a public or a private computer before that cookie is cleared.

About the Author

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals.
