Exchange Web Services server-to-server authentication without plaintext password?

I'm building a server application that runs automated processes that needs to be compatible with Exchange servers back to version 2007. I currently use OAuth through Azure AD for Office 365 connection, but I'm still trying to find a solution for on-premises Exchange pre-2013.

I've been reading about Exchange authentication (basic, NTLM, etc.) and I can't seem to find any references to a long-term token system that will allow me to set up authentication with a one-time use password. I'd very strongly rather not store user passwords in a central DB, encrypted or not, as it's a huge security responsibility and could be reverse engineered.

Is there something I'm missing?

Is there a way to authenticate to Exchange without a password each time?

After doing some more reading, it seems that I might be able to store the NTLM calculated hash (instead of the password) and re-use that hash for all other calls. Can anyone confirm my assumption there? Am I totally off base? Are there any restrictions or consequences I might be missing if taking that route?

  • Edited by Trevor Suarez 12 hours 54 minutes ago formatting and clarification
July 28th, 2015 2:30pm

Refer to https://msdn.microsoft.com/en-us/library/office/dn626019(v=exchg.150).aspx, which will help you choose the right authentication standard for your EWS application that targets Exchange.
July 28th, 2015 7:30pm

I've already read that document. That doesn't provide much information.
July 28th, 2015 11:02pm

This topic is archived. No further replies will be accepted.
