Outlook Web Access (OWA) can work on a server directly available from the Internet or a server concealed by a proxy. If you have the latter setup, you need to watch out for potential OWA authentication issues.
One 'gotcha' regarding OWA behind a proxy server -- whether it's the earlier Microsoft Proxy Server or the more recent Internet Security and Acceleration (ISA) Server -- is that NTLM authentication only works over one "hop" at a time.
If you have NTLM authentication turned on at the proxy and try to access another NTLM-protected resource behind it, the authentication will fail.
The solution is to switch the proxy over to Basic authentication (over HTTPS when possible), and set any resources behind it that need to be protected to NTLM.
OWA is the most important element in this scenario, because it's the one that depends most heavily on the client's authenticated credentials.
Not all access to or through the proxy itself necessarily has to be secured, as long as what's behind it is secured properly. But you do need to make sure everything accessible through the proxy via Basic authentication is locked down.
This OWA authentication issue also appears if you're working with a multi-tiered application that uses a Web service, whether or not it's behind a proxy.
If you try to use NTLM authentication in a regular ASP/ASP.NET application, this isn't a problem, since there's only one "hop" for the credentials to traverse.
However, if you're using that in conjunction with a Web service, that's another "hop" that NTLM can't traverse. In such a case, the Web services should probably be run in a trusted-process model rather than using impersonation, which reduces the number of "hops" over which the client credentials need to be passed.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.
MEMBER FEEDBACK TO THIS TIP
Does this problem apply to Outlook 2003 OWA form-based logon?
—Andy C.
******************************************
As far as I know this also applies to Outlook 2003 OWA form-based logon, since the problem is a server-based issue.
—Serdar Yegulalp, tip author
Do you have comments on this tip? Let us know.
Related information from SearchExchange.com:
FAQ: Outlook Web Access administration
Learning Center: Troubleshooting Outlook Web AccessExpert Advice: How enabling SSL for OWA affects bandwidth
Expert Advice: Configuring IIS to authenticate OWA users
Reference Center: Exchange Server authentication tips
Please let others know how useful this tip was via the rating scale below. Do you have a useful Exchange Server or Microsoft Outlook tip, timesaver or workaround to share? Submit it to SearchExchange.com. If we publish it, we'll send you a nifty thank-you gift.
