Force OWA 2003 to require domain name?
Hello, I am in the process of making OWA available over the Internet to the coworkers at my company for the first time. I've spent some time giving myself a crash course in IIS and locking down the OWA configuration. We're using SBS 2003 SP2 (without ISA), and Exchange 2003 is also at SP2. Everything is working fine with a couple of exceptions. OWA is using FBA, and users can log in using either "username" or "domain\username". I want to force this to "domain\username" only, and am not finding a straightforward answer. Is it a matter of clearing all the "\" Default Domains in IIS Directory Security (more appropriately, in Exchange System Manager)? Even if this is the trick, enabling FBA sets its own defaults and makes them unchangeable, so it's not quite this simple. But can it be done? The rules seem to have changed with each service pack, which has made some web resources obsolete. But the DS2MB function is supposed to populate these IIS settings from Active Directory. Couldn't I then hack Active Directory, so I could choose my own settings? I've browsed AD and found several Exchange and OWA-related nodes, but the data they contain doesn't seem relevant. Where is the DS2MB data stored? If this really can't be done, maybe I can add some script lines to the logon.asp file to require a backslash? Thanks in advance! Todd
June 25th, 2009 1:46am

Hi, according to my knowledge you can achieve this goal by editing the FBA logon page. Please refer to the article below for more information.
Outlook Web Access 2003 Forms-based Authentication and the default domain dilemma
http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html
Regards, Chinthaka
June 25th, 2009 4:06am

Thanks for the reply. I'd read that tutorial before, but it advises how to do the opposite of what I want. Actually, it mentions FBA forcing domain\username or username@domain.com logins, but here FBA lets me log in with just username or with domain\username. Maybe it's a quirk of SBS Server or a change from a later security update? Funny you should mention Henrik Walther, as I believe he makes himself available for Exchange questions, if you ask nicely. Hmm... Thanks, Todd
June 25th, 2009 7:41pm

FYI, I used one of Henrik's other articles as the basis for a small JavaScript function of my own:

    // Accept the login name only if it contains a backslash that is not the first character,
    // i.e. it has the form domain\username rather than a bare username.
    function validateForm(f) {
      var name = f.username.value;
      return (name.indexOf('\\') !== -1) && (name.charAt(0) !== '\\');
    }

plus an onSubmit() event in each <form> tag, to do the script-based validation I wanted. But I'd still like to know if it's possible to accomplish this at the server level, which I find a bit more secure.
June 26th, 2009 5:04am

Hi, yes, we can implement domain\username by checking the Directory Security tab, under Authentication and access control, to see whether you have only basic authentication enabled. Please note that the default domain should be \. Regards, Xiu
June 26th, 2009 10:36am

Hmm. In IIS, my Directory Security tabs look like this:

    Default Web Site: anonymous, integrated
    Exadmin: integrated
    Exchange: basic w/Default Domain \
    Exchange-oma: integrated, basic w/Default Domain \
    ExchWeb: anonymous
    Microsoft-Server-ActiveSync: basic, w/our NetBIOS domain name
    OMA: basic w/Default Domain \
    Public: basic w/Default Domain \

This is with FBA enabled. For OWA, I believe the Exchange and Public folders are the most important, and these are configured as you suggest. With this setup, the web form accepts both username and domain\username (but not username@domain). What would you change? I believe I've tried changing the Default Domains before, but then the DS2MB process eventually overwrites them.
June 26th, 2009 10:35pm

Looks like you want your users to use their UPNs to log on to OWA instead of using the domain\username format. Let me know if I misunderstood it. If I am reading you correctly, then I would recommend looking at http://support.microsoft.com/default.aspx/kb/267906 to configure OWA to allow UPN logons. To prevent the changes being overwritten by DS2MB, the changes should be made in ESM and not in the IIS Manager console. Milind Naphade | MCTS:M | http://www.msexchangegeek.com
June 26th, 2009 11:40pm

Hi, thanks for the suggestion. What I actually want to do is force OWA to not accept logins of just "username". Either domain\username or username@domain is fine. Right now I'm doing this with a JavaScript function in my login.asp page, but would prefer to do it server-side. My ESM Exchange and Public Virtual Directories are both set up with Basic Authentication and Default Domain: \, but Forms-Based Authentication is enabled, too, and makes all this information read-only. For whatever reason, OWA accepts "username" and "domain\username", but not "username@domain". That doesn't matter, as long as I can stop it from accepting just "username". I thought I might do this by editing the Default Domains in ESM, but again, they're not editable. If there's no other way, I would like to try editing the data the DS2MB process pulls from Active Directory. If I can find it. Todd
June 27th, 2009 12:11am
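As an added example (not code from the thread or from Henrik's articles), here is a form validator that generalizes Todd's function from his earlier post to the rule stated in this one: accept both domain\username and username@domain, reject a bare username. The field name `username` is taken from his post; `classifyLogin` is a hypothetical helper, and the client-side check is a usability aid only, since anyone can POST to logon.asp without running it.

```javascript
// Added example, not from the thread. Classify an OWA login name into the
// forms the poster wants to allow. Returns { ok, form, user, domain } on
// success or { ok: false, reason } on rejection. Whitespace is trimmed,
// since a leading space would otherwise defeat a naive "first char" test.
function classifyLogin(raw) {
  const value = String(raw == null ? '' : raw).trim();
  if (value === '') return { ok: false, reason: 'empty' };

  const slashes = value.split('\\').length - 1;
  const ats = value.split('@').length - 1;

  // Down-level form: exactly one backslash, with text on both sides.
  if (slashes === 1 && ats === 0) {
    const [domain, user] = value.split('\\');
    if (domain === '' || user === '') {
      return { ok: false, reason: 'incomplete-down-level' };
    }
    return { ok: true, form: 'down-level', domain, user };
  }

  // UPN form: exactly one "@", with text on both sides.
  if (ats === 1 && slashes === 0) {
    const [user, domain] = value.split('@');
    if (user === '' || domain === '') {
      return { ok: false, reason: 'incomplete-upn' };
    }
    return { ok: true, form: 'upn', user, domain };
  }

  // No separator at all is the case the poster wants to block outright.
  if (slashes === 0 && ats === 0) return { ok: false, reason: 'bare-username' };

  // Anything else (two backslashes, mixed "\" and "@", ...) is malformed.
  return { ok: false, reason: 'malformed' };
}

// Handler for the <form onsubmit="return validateForm(this)"> hook the
// poster describes. Returning false stops the browser from submitting.
function validateForm(f) {
  const result = classifyLogin(f.username.value);
  if (!result.ok && typeof f.username.focus === 'function') f.username.focus();
  return result.ok;
}
```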

