Forms-based Authentication & Windows Integrated Side by Side

Having your cake and eating it too!

For OWA, Exchange 2007 (by default) lets you have either Forms-based authentication or Windows Integrated Authentication but NOT both simultaneously – side by side as it were! Actually that’s not quite true – it looks like you can set the /Exchange virtual directory (on the Client Access Server) to use FBA and the /owa virtual directory to use WIA and it ‘does the right thing’! However, if you set /Exchange to WIA and /owa to FBA the /owa virtual directory will succeed but the /Exchange virtual directory will fail miserably (repeatedly prompting for credentials).

Why is this a problem and why on earth would you want WIA and FBA side-by-side?

We want WIA & FBA side-by-side because we have loads of students (and others) who access their email via OWA and expect a forms based login (which we will re-badge if we ever get around to it). However, we’re in the process of deploying MOSS and the standard Inbox/Calendar etc. web parts have ceased working with FBA (as of Exchange 2007 SP1) – to get them working we need WIA. So… Why not just direct OWA customers to the /Exchange virtual directory (set up to use FBA) and direct the MOSS web-parts to the /owa virtual directory? Cos, for the past couple of years we’ve been directing all of our OWA customers to the /owa virtual directory! Trying to change that is just asking for confusion!

Now there’s plenty of info out on the web as to how to configure additional virtual directories for OWA/Exchange 2003 but not so much for OWA/Exchange 2007 (some even suggesting that it’s just not possible). However, it can be done!

Just 3 steps (repeat for each CAS):-

  1. Within the Internet Information Services Manager create a new website. Use a port other than 80 (or 443 for SSL) and use the same document root as your default website. (Make sure that you do start it!)
  2. Using the Exchange Management Shell, execute:
     New-OwaVirtualDirectory -OwaVersion:exchange2007 -WebSite "Whatever you called your new website"
  3. In the Exchange Management Console, go to ‘Server Configuration’, ‘Client Access’ and select the correct Client Access Server. When all the tabs have been populated you should now have, on the ‘Outlook Web Access’ tab, 2 virtual directories where the version is “Exchange 2007” (don’t worry about the three legacy directories). Right-click on the ‘new’ one, select Properties (Authentication tab) and change the authentication to whatever you like.

That’s it – you’re done! OK, yes you still have to set up SSL on the new website as per the original one and, if you want, you can restrict access to the new website by IP address etc., but essentially that’s it!

ProFTPD mod_tls and JScape FTP applet

Recent problem with a ProFTPD server configuration on Red Hat/CentOS. I had configured mod_tls, but on this newer version of the module I had to add the following lines to my proftpd.conf file for the JScape FTP applet to work with connection type FTP/SSL (AUTH TLS):

TLSProtocol             SSLv23
TLSOptions              NoCertRequest

I had previously been using the following line on a Debian server with an older version of ProFTPD, so I assume something has changed:

TLSProtocol            TLSv1

No ill side effects yet!
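As an added example (not from the original post), here is the same mod_tls configuration written out as a complete proftpd.conf block, with the permissive TLSProtocol line from the post beside an explicit protocol list: in mod_tls, SSLv23 means "negotiate any version the OpenSSL build supports", which can include SSLv3, whereas listing versions fixes the floor. The certificate paths and log path are placeholders, and the TLSv1.2/TLSv1.3 keywords assume a ProFTPD release new enough to accept a protocol list.

```apache
# Added example proftpd.conf excerpt (placeholder paths).
# ProFTPD only treats a line as a comment when '#' is its first character,
# so no inline comments are used here.
<IfModule mod_tls.c>
    TLSEngine                on
    TLSLog                   /var/log/proftpd/tls.log

    # Placeholder certificate and key; replace with your own.
    TLSRSACertificateFile    /etc/pki/tls/certs/ftp.example.com.crt
    TLSRSACertificateKeyFile /etc/pki/tls/private/ftp.example.com.key

    # What the post above needed for the applet: SSLv23 lets OpenSSL
    # negotiate any protocol version it was built with (possibly SSLv3).
    #TLSProtocol             SSLv23

    # Explicit floor for clients that speak modern TLS (assumes a ProFTPD
    # version whose TLSProtocol accepts a list of versions).
    TLSProtocol              TLSv1.2 TLSv1.3

    # Do not send a CertificateRequest during the handshake; this is the
    # setting the post found necessary for the applet and is independent
    # of the protocol choice above.
    TLSOptions               NoCertRequest

    # Refuse plaintext logins once TLS is available (assumed policy).
    TLSRequired              on
</IfModule>
```

Run `proftpd -t -c /etc/proftpd.conf` after editing to have the daemon parse the file before restarting it.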

Reducing Form Spam

The CMC team have implemented an anti-spam measure to reduce comment form spam. The following instructions explain how to use this from within the Terminal 4 content management system. The result is that before your form is displayed the user's IP address is checked against a list of known spammers – so there may be a 1 second delay before the form is displayed.

  1. Navigate your content and find your current Email Form
  2. Click the Add Content button
  3. Choose the ‘pure text template t4’ template
  4. Name the content block as ‘php’ and add the content EXACTLY as shown here to the body field:
  5. Click the ‘Add’ button to save this content:
  6. Move the new php content above your email form using the arrows
  7. So your content should look similar to the following:
  8. Publish your content in the normal way.