Forms-based Authentication & Windows Integrated Side by Side

Having your cake and eating it too!

For OWA, Exchange 2007 (by default) lets you have either Forms-based authentication or Windows Integrated Authentication but NOT both simultaneously – side by side as it were! Actually that’s not quite true – it looks like you can set the /Exchange virtual directory (on the Client Access Server) to use FBA and the /owa virtual directory to use WIA and it ‘does the right thing’! However, if you set /Exchange to WIA and /owa to FBA the /owa virtual directory will succeed but the /Exchange virtual directory will fail miserably (repeatedly prompting for credentials).

Why is this a problem and why on earth would you want WIA and FBA side-by-side?

We want WIA & FBA side-by-side because we have loads of students (and others) who access their email via OWA and expect a forms-based login (which we will re-badge if we ever get around to it). However, we’re in the process of deploying MOSS and the standard Inbox/Calendar etc. web parts have ceased working with FBA (as of Exchange 2007 SP1) – to get them working we need WIA. So… why not just direct OWA customers to the /Exchange virtual directory (set up to use FBA) and direct the MOSS web parts to the /owa virtual directory? Cos, for the past couple of years we’ve been directing all of our OWA customers to the /owa virtual directory! Trying to change that is just asking for confusion!

Now there’s plenty of info out on the web as to how to configure additional virtual directories for OWA/Exchange 2003 but not so much for OWA/Exchange 2007 (some even suggesting that it’s just not possible). However, it can be done!

Just 3 steps (repeat for each CAS):-

  1. Within the Internet Information Services Manager create a new website. Use a port other than 80 (or 443 for SSL) and use the same document root as your default website. (Make sure that you do start it!)
  2. Using the Exchange Management Shell, execute:

     New-OwaVirtualDirectory -OwaVersion:exchange2007 -WebSite "Whateveryoucalledyour new website"

     (-WebSite is PowerShell’s shorthand for the cmdlet’s -WebSiteName parameter; the quoted value is the name you gave the new website in step 1.)
  3. In the Exchange Management Console, go to ‘Server Configuration’, ‘Client Access’ and select the correct Client Access Server. When all the tabs have been populated you should now have, on the ‘Outlook Web Access’ tab, 2 virtual directories where the version is “Exchange 2007” (don’t worry about the three legacy directories). Right click on the ‘new’ one, select properties (authentication tab) and change the authentication to whatever you like.

That’s it – you’re done! OK, yes you still have to set up SSL on the new website as per the original one and, if you want, you can restrict access to the new website by IP address etc., but essentially that’s it!
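Steps 2 and 3 scripted end to end from the Exchange Management Shell, as an added example that is not from the original post (step 1, creating the website in IIS Manager, stays a GUI job). The server name CAS01 and the website name OWA-WIA are placeholders to substitute with your own; the cmdlets and parameters (New-OwaVirtualDirectory, Set-OwaVirtualDirectory, Get-OwaVirtualDirectory and their authentication switches) are the standard Exchange 2007 ones.

```powershell
# Added example (not from the original post): Exchange Management Shell
# equivalent of steps 2 and 3 above, followed by a check that the two
# Exchange 2007 owa directories really do end up with different settings.
# Assumptions: the Client Access Server is CAS01 and the second IIS website
# created in step 1 was named "OWA-WIA". Both are placeholders.

$Server = "CAS01"     # placeholder: your CAS name
$Site   = "OWA-WIA"   # placeholder: the name you gave the new IIS website

# Step 2: create a second Exchange 2007 owa virtual directory on the new website.
# -WebSiteName is the full parameter name; the post's -WebSite is its shorthand.
New-OwaVirtualDirectory -OwaVersion Exchange2007 -WebSiteName $Site -Server $Server

# Step 3, scripted instead of via the console. The existing /owa on the
# Default Web Site keeps forms-based authentication (FBA sits on top of Basic,
# so both switches are on); the new directory gets Windows Integrated only,
# which is what the MOSS web parts need.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -FormsAuthentication $true -BasicAuthentication $true `
    -WindowsAuthentication $false

Set-OwaVirtualDirectory -Identity "$Server\owa ($Site)" `
    -FormsAuthentication $false -BasicAuthentication $false `
    -WindowsAuthentication $true

# Check: two Exchange 2007 entries (the legacy ones are filtered out) whose
# authentication columns differ, one FBA/Basic and one Windows-only.
Get-OwaVirtualDirectory -Server $Server |
    Where-Object { $_.OwaVersion -eq "Exchange2007" } |
    Format-Table Name, WebSite, FormsAuthentication, BasicAuthentication, `
                 WindowsAuthentication -AutoSize

# IIS applies the authentication change after the web service is restarted.
iisreset /noforce
```

The Get-OwaVirtualDirectory check is the part worth keeping: each owa directory carries its own authentication settings, so a wrong -Identity quietly reconfigures the directory your students already use. Because FBA runs over Basic authentication, the SSL set-up the closing paragraph mentions applies to both websites, and the second website is one more reachable login page, so the IP restriction mentioned above is worth applying to it where only the MOSS servers need to reach it.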