Tip

OWA authentication issues when using a proxy server

Outlook Web Access (OWA) can work on a server directly available from the Internet or a server concealed by a proxy. If you have the latter setup, you need to watch out for potential OWA authentication issues.

One 'gotcha' regarding OWA behind a proxy server -- whether it's the earlier Microsoft Proxy Server or the more recent Internet Security and Acceleration (ISA) Server -- is that NTLM authentication only works over one "hop" at a time.

If you have NTLM authentication turned on at the proxy and try to access another NTLM-protected resource behind it, the authentication will fail.

The solution is to switch the proxy over to Basic authentication (over HTTPS when possible), and to set any resources behind it that need protection to use NTLM.

OWA is the most important element in this scenario, because it's the one that depends most heavily on the client's authenticated credentials.

Not all access to or through the proxy itself necessarily has to be secured, as long as what's behind it is secured properly. But you do need to make sure everything accessible through the proxy via Basic authentication is locked down.
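The layout described above can be checked from the 401 challenges each tier returns. The following is an added example, not code from the original tip; the tier names, host names and header values are constructed sample data, and the finding labels are hypothetical.

```python
import re
from urllib.parse import urlsplit

def offered_schemes(header_values):
    """Return the auth schemes named in a 401's WWW-Authenticate header values."""
    schemes = set()
    for value in header_values:
        # Blank out quoted strings so commas inside a realm do not split a challenge.
        for part in re.sub(r'"[^"]*"', '""', value).split(","):
            words = part.split()
            # A challenge starts with a scheme name; 'key=value' parts are its parameters.
            if words and "=" not in words[0]:
                schemes.add(words[0].lower())
    return schemes

def audit(tiers):
    """tiers: dicts ordered from the client inward (proxy first, resource last)."""
    findings = []
    for hop, tier in enumerate(tiers):
        schemes = offered_schemes(tier["www_authenticate"])
        outer = hop < len(tiers) - 1
        if outer and "ntlm" in schemes:
            # NTLM works over one hop only: the next NTLM-protected tier will fail.
            findings.append((tier["name"], "ntlm-at-outer-hop"))
        if "basic" in schemes and urlsplit(tier["url"]).scheme != "https":
            # Basic credentials are only base64-encoded, so they need HTTPS.
            findings.append((tier["name"], "basic-without-https"))
        if not outer and "ntlm" not in schemes:
            # The tip's layout keeps the protected resource itself on NTLM.
            findings.append((tier["name"], "resource-not-ntlm"))
    return findings

# Constructed sample data: host names and header values are illustrative only.
WEAK = [
    {"name": "proxy", "url": "http://mail.example.com/exchange",
     "www_authenticate": ["NTLM", 'Basic realm="mail.example.com"']},
    {"name": "owa", "url": "http://owa01.internal.example/exchange",
     "www_authenticate": ["NTLM"]},
]
RECOMMENDED = [
    {"name": "proxy", "url": "https://mail.example.com/exchange",
     "www_authenticate": ['Basic realm="mail.example.com"']},
    {"name": "owa", "url": "http://owa01.internal.example/exchange",
     "www_authenticate": ["NTLM"]},
]

if __name__ == "__main__":
    for label, tiers in (("weak", WEAK), ("recommended", RECOMMENDED)):
        print(label, audit(tiers))
```

In practice the `www_authenticate` lists would be filled from the headers of an unauthenticated request to each tier.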

This OWA authentication issue also appears if you're working with a multi-tiered application that uses a Web service, whether or not it's behind a proxy.

If you try to use NTLM authentication in a regular ASP/ASP.NET application, this isn't a problem, since there's only one "hop" for the credentials to traverse.

However, if you're using that in conjunction with a Web service, that's another "hop" that NTLM can't traverse. In such a case, the Web services should probably be run in a trusted-process model rather than using impersonation, which reduces the number of "hops" over which the client credentials need to be passed.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.


MEMBER FEEDBACK TO THIS TIP

Does this problem apply to Outlook 2003 OWA form-based logon?
—Andy C.

******************************************

As far as I know this also applies to Outlook 2003 OWA form-based logon, since the problem is a server-based issue.
—Serdar Yegulalp, tip author



    This was first published in June 2006
