WebDAV and OWA Authentication Settings

With any login issue, it’s important to know which authentication protocols are enabled on the server. Your code has to use an authentication protocol that the server will actually accept.

The authentication settings for OWA and WebDAV are tied together under Exchange 2000 and 2003. Because of this, developers run into issues with WebDAV not being able to authenticate if FBA is enabled for OWA. A developer could work around the issue so they don’t have to code for FBA authentication. However, it’s common for developers to use custom FBA authentication code.

When trying to log in to OWA 2000 or 2003:

If it shows an ASP login page, then FBA is enabled.

If you get a grey dialog box, then Basic is enabled.

If you go right into your email account, then Windows authentication is used.

Exchange 2007 is different than 2000/2003 because the settings for the Exchange virtual folder and OWA folder are separate – they don’t mess with each other. Because of this you can set individual settings for WebDAV and OWA – so having FBA on for OWA will not affect WebDAV. Please note that under 2007 you won’t be able to tell what settings there are for WebDAV by using the OWA login test mentioned above – you’ll have to check the IIS and ESM settings.

One thing to note about using WebDAV under 2007 is that there is no practical reason to use FBA authentication. Why? Because FBA authentication is really for authenticating against the OWA web page, and that’s not needed since the OWA and WebDAV settings are now separate. You should consider using Basic Authentication or Windows Authentication instead. If you’re worried about security, use SSL. SSL will help prevent sniffing of passwords with Basic Authentication, the same as it does for FBA authentication.
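The OWA login test and the SSL advice above, expressed as what an unauthenticated HTTP response looks like. This is an added example, not code from the original post. It assumes that FBA appears as a 440 Login Timeout status, a redirect to an .asp logon page, or a page with a password field; the host name and logon path are placeholders.

```python
import re

# Constructed sample responses (url, status, headers, body) for an unauthenticated
# GET of the Exchange virtual folder; host and logon path are placeholders.
SAMPLES = {
    "fba_440": ("https://mail.example.test/exchange/", 440, [], ""),
    "fba_redirect": ("https://mail.example.test/exchange/", 302,
                     [("Location", "/placeholder/logon.asp?url=/exchange/")], ""),
    "basic_plain": ("http://mail.example.test/exchange/", 401,
                    [("WWW-Authenticate", 'Basic realm="mail.example.test"')], ""),
    "windows": ("https://mail.example.test/exchange/", 401,
                [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")], ""),
}

def classify_auth(url, status, headers, body=""):
    """Return (modes, warnings) for one unauthenticated response.

    headers is a list of (name, value) pairs so that repeated
    WWW-Authenticate headers are all seen.
    """
    modes, warnings = [], []
    location = next((v for k, v in headers if k.lower() == "location"), "")
    # Assumption: FBA shows up as 440 Login Timeout, a redirect to an .asp
    # logon page, or a 200 page containing a password field.
    if (status == 440
            or (status in (301, 302) and ".asp" in location.lower())
            or (status == 200 and re.search(r"type=[\"']?password", body, re.I))):
        modes.append("FBA")
    if status == 401:
        for name, value in headers:
            if name.lower() != "www-authenticate" or not value.strip():
                continue
            scheme = value.split(None, 1)[0].lower()
            if scheme == "basic" and "Basic" not in modes:
                modes.append("Basic")
            elif scheme in ("negotiate", "ntlm") and "Windows" not in modes:
                modes.append("Windows")
    if status == 200 and not modes:
        modes.append("Anonymous or already signed in")
    if not url.lower().startswith("https://"):
        for mode in ("Basic", "FBA"):
            if mode in modes:
                warnings.append(mode + " without SSL: password can be sniffed")
    return modes, warnings

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, classify_auth(*sample))
```

A browser hides the 401 for Windows authentication by answering it silently, which is why the test above shows the mailbox directly; a WebDAV client sees the Negotiate/NTLM challenge instead.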

Places to check for 2003:

In ESM:

If FBA is turned on, then they won’t be able to use Windows auth or Basic auth. The FBA setting in ESM will override the IIS settings. ESM is the recommended place to change the settings on Exchange virtual folders, so you should set them here instead. The settings between ESM and IIS are synced; however, I’ve seen cases where they are not synchronized, so I’d suggest that you set them in ESM, then verify that they are correct in IIS.

In IIS:

The Directory Security settings on the “exchange” virtual folder should be set as needed. If Anonymous is turned on for the Exchange virtual folder, then Basic and Windows won’t be used.

Note: With some virtual folders (perhaps “exadmin”), you might have to set the settings in IIS because they will be grayed out.

Please refer to the following:

How WebDAV - Use Basic Authentication with WebDAV even when FBA is enabled.

https://blogs.msdn.com/webdav_101/archive/2008/02/01/how-webdav-use-basic-authentication-with-webdav-even-when-fba-is-enabled.aspx

WebDAV FBA Authentication Sample Explained.

https://blogs.msdn.com/webdav_101/archive/2008/12/12/webdav-fba-authentication-sample-explained.aspx