How to use forms-based authentication in Exchange 2003 without the need to use SSL?
SolarWinds Firewall Security Manager (FSM) reduces the risk of data loss and external threats.
Other benefits include:
• Automate auditing & reporting
• Leverage over 120 standards-based security checks
• Detect high risk firewalls in minutes
• Expose hidden network vulnerabilities
Forms-based authentication (or FBA for short) is a mechanism in Exchange 2003 Outlook Web Access that allows the user to have a more customizable experience of the OWA logon page and usage.
By default, FBA requires that Secure Sockets Layer (SSL - i.e. HTTPS) be configured on your server running IIS. For debugging and testing purposes, Outlook Web Access offers a way to enable FBA through normal HTTP.
Follow the steps outlined in the Configuring Forms-Based Authentication in OWA and Exchange 2003 article on general instructions on how to configure FBA.
To configure forms-based authentication to work without SSL for your development environment:
-
Open Registry Editor.
-
Go to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb |
-
If it does not exist, manually add an OWA subkey to this key.
-
Under the OWA subkey, add a DWord value named AllowRetailHTTPAuth and give it a value of 1.
-
Quit Registry Editor.
To test your configuration, open your web browser and navigate to http://server/exchange. Notice that you ARE able to make the connection, although FBA is in use.
Note: I do not recommend using this configuration on a production server because of the security issues involved.
Related articles
You may find these related articles of interest to you:
-
Configure Web Access to Newsgroups Hosted on Exchange 2000/2003
-
Problems with Forms-Based Authentication and SSL in ActiveSync
Links
Customizing the Outlook Web Access Logon Page
