How WebDAV – Use Basic Authentication with WebDAV even when FBA is enabled.



Some customers (developers) wish to use Basic Authentication when Forms Based Authentication (FBA) is enabled for Outlook Web Access (OWA). If OWA’s FBA is enabled, all WebDAV access needs to be FBA authenticated – which means significant changes need to be done to the code – not to mention the testing. The changes and testing will often take several days even for more experienced programmers.


Many software developers run into this issue only when they have deployed the application in a live environment or have released their software – which puts them in a situation where they need at least an interim way around the need to have FBA authentication code written and integrated with their application. One reason that they might not have considered the issue of OWA FBA being enabled is that this feature is not on by default and is enabled by some administrators who what a higher level of security. Most developers will test their code using Windows and Basic Authentication since these settings show under the “exchange” virtual directory in Exchange System Manager (ESM) – while the setting for FBA is in a different place… its under the server-level settings.


Note that OWA’s FBA Authentication is an override of the authentication methods normally used by WebDAV – ie those covered by the WebDAV RFC. This work-around has been tested under Exchange 2003. Exchange 2007 has more detailed settings for security and this work-around will thus not apply in this case. Basic and Windows Authentication methods are covered by the WebDAV RFC and are most often used.


If you are going against Exchange 2007, you really need to think hard of why you are using FBA authentication.  People have been using FBA authentication for WebDAV against Exchange 2000 and 2003 for one reason – to work around the issue of FBA being turned on for OWA, which casuses WebDAV to only be able to authentication using FBA (unless one of two specific work-arounds are used as noted below).  With Exchange 2007, the virual folder and its settings are split-up and seperate for OWA and WebDAV so that one will not affect the other.  This means that WebDAV can authenticate using Basic Authentication instead of FBA even if its turned-on for OWA.


Trying to work-around the problem by changing the settings for the “exchange” virtual directory or by just adding a different Virtual Server does not resolve the issue. However, there is a way around this. Since alternat path offers a by-pass to FBA logon, you should be sure to use SSL and limit which IP addresses have access.  You should consider possible secuirty risks when using this work-around.


Cause:
======
If Basic Authentication when Forms Based Authentication (FBA) is enabled for Outlook Web Access (OWA), WebDAV code accessing Exchange 2003 may fail unless the code has been specifically written for gathering FBA security credentials from OWA and uses them in all of its WebDAV access.  Many software developers run into this issue only when they have deployed the application in a live environment or have released their software – which puts them in a situation where they need at least an interim way around the need to have FBA authentication code written and integrated with their application.  So, a work-around is needed in order to work-around this issue. Note that FBA is meant for usage on OWA accessed on a front-end server and not meant for back-end server usage.


Resolution:
=========
There is a work-around, however it will defeat FBA authentication.    The end-customers should make the decision if this can be done since security may be an issue.  In call cases SSL should be enabled with this work-around.


OK, there are two ways to defeat FBA:


  Additional NIC:
    1) Add a new NIC to the Exchange Server.  Give it a static IP.
       Example: Existing NIC is 65.53.01.01, so the new one will be 65.53.01.02.
    2) Configure ESM:
       A) Under Protocols/HTTP, add a new virtual Server.
       B) Configure that new virtual server to use the Static IP Address.
       D) Under the new Virtual Server, add a new virtual directory called “Exchange”.
    3) In your WebDAV code, you can now use the new IP address. 
       Example:  <https://65.53.01.02/exchange/administrator>.


  Use a the existing NIC, but use a different port:
    Note: There are issues with the reliability of using this work-around.
    1) Configure ESM:
       A) Under Protocols/HTTP, add a new virtual Server.
       B) Configure that new virtual server to use a different port.
          Example:  Port 82.
       D) Under the new Virtual Server, add a new virtual directory called “Exchange”.
    3) In your WebDAV code, you can now use the new port. 
       Example:  <http://65.53.01.01:82/exchange/administrator>.
    Note: You may need to restart Exchange and IIS after making these changes.
 

Comments (6)

  1. I’ve seen a lot of issues with using the MSXML DOM when trying to get credentials from the owaauth.dll

  2. I’ve seen a lot of issues with using the MSXML DOM when trying to get credentials from the owaauth.dll

  3. With any login issue, it’s important to know which authentication protocols are valid. You have to code

  4. Here is some basic information on how FBA authentication is done with WebDAV. To provide some insight

  5. rholland says:

    Very good article, thank you.  I have a few questions on how to make this work in exchange 2010.  We currently have FBA turned on, which has broken an app that worked with exchange 2003.  I would like to configure exchange to allow webdav queries via basic authentication while also allowing FBA for OWA.  Is that possible, and would you happen to know how to do it?  

  6. danba says:

    WebDAV is not in Exchange 2010.  Exchange Web Services (EWS) is the replacement for WebDAV and is far supperior to WebDAV.  So, your going to need to recode.  EWS can be called with raw POSTS (not too far off from WebDAV), proxy classes generated by Visual Studio or via the Exchange Managed API.   EWS is the go-forward API fo mailbox and public folder access.

    he Exchange Managed API is a .NET wrapper for doing EWS calls and requires far less code to be written in order to accomplish the same tasks.  As an example, you would need to have 1.5% of the code with this API than would be for sending a meeting request with WebDAV.  Further, this API is highly tested, much easier to use, more compact and is supported for tasks such as recurring calendar items, calendaring messages (meeting requests, responses, cancelations, etc), while WebDAV is not.  EWS also has a virtual directory seperate from OWA – so its authentication can be setup seperate from OWA.  The core of EWS's underlayng code is the same as OWAs.

    Exchange 2007 was the last version to have WebDAV.  In Exchange 2007, OWA started using its own virtual folder (owa), so it would have seperate settings.

    blogs.msdn.com/…/ews-has-more-happy-now-ews-managed-api-and-ewseditor.aspx