UAG 2010 publishing Exchange 2013 requires two logons

I am publishing Exchange 2013 CU1 through UAG 2010 SP3. Everything is working fine except that OWA and ECP users must log on twice, first through UAG and second through Exchange FBA. FBA and Basic authentication are both enabled on the OWA virtual directory, and both are enabled as IIS authentication methods. I have tried it with both the logon server and Kerberos Constrained Delegation, and the results are the same.

Can this configuration be made to work with a single logon without having to create a separate CAS or a separate web site i

July 1st, 2013 8:19pm

Hiya, 

Yeah, it sounds like you have configured both UAG authentication and Exchange web service authentication. You should decide which you want to use, either UAG or Exchange; I would recommend UAG, as it's purpose-built. If you decide to use UAG, you must change Exchange to use something other than forms-based authentication, as UAG does not support single sign-on with Exchange forms-based authentication. Besides that, it should be relatively straightforward.

More on the above here:

http://technet.microsoft.com/en-us/library/ee921443.aspx


July 2nd, 2013 2:11am

Thanks for the reply.  Unfortunately that link applies to Exchange 2010, not Exchange 2013.

July 2nd, 2013 1:07pm

Well, the document is a UAG document and does contain references to Exchange 2013. Secondly, I wouldn't expect much of a change on this part between Exchange 2010 and Exchange 2013.
July 3rd, 2013 2:25am

What will happen if you remove authentication from the trunk? Can we enable, or is it recommended to enable, both FBA and Basic authentication on Exchange OWA? I am having another issue: it can't communicate with the CAS farm. I also tried with both the logon server and Kerberos Constrained Delegation, but there is still no web server farm available.

July 3rd, 2013 6:24am

You can choose not to publish it using UAG.

You should either publish using UAG and NOT use forms-based authentication, as that won't work, or publish your OWA directly and use forms-based authentication.

July 3rd, 2013 6:53am

I also ended up with the same issue with dual authentication. Everything is working; the only issue is the two authentications. Please, can anyone help?
July 3rd, 2013 7:34am

I agree with the statement to use UAG to publish OWA and disable FBA on the Exchange CAS. However, if you still want internal users to use the FBA of Exchange, you can do so either by using 2 different CAS, one with FBA and one without, or by creating an additional virtual directory on the CAS for OWA with FBA disabled, so internal users will go to /owa and external users through the UAG will end up at /owa2 with FBA disabled and therefore have full SSO.

\Mattias

July 3rd, 2013 9:19am

I have confirmed that does work.  My customer was okay with using a basic authentication prompt internally instead of the FBA page, so this was acceptable.
July 3rd, 2013 11:56am

I agree with Ed Crowley, and it's not like Exchange 2010. I am not sure whether this is correct or not, but when we enable FBA authentication from the CAS URL (EAC), it will enable both FBA and Basic, and you will have internal FBA OWA. No need to find different solutions for FBA for internal users. We used to enable Basic on the CAS server and define Basic authentication on TMG.

To get single sign-on, I checked both ways (FBA enabled, and only Basic on the CAS URL), but both methods gave me two authentications.

I got the error with OAB, and to resolve it, I unchecked "Use SSO" on the Authentication tab of the "Microsoft Exchange Web Service" application.

So I tried removing authentication from Exchange OWA ("automatically reply to application-specific authentication requests"), but no luck. I didn't try "Kerberos Constrained Delegation", but Ed Crowley already tried that, and there is still no idea how to fix this SSO.

July 3rd, 2013 11:58am

What I've done in the past to allow FBA internally and TMG on the outside is to create a new web site and new OWA and ECP virtual directories.  This should work with Exchange 2013 as well, but I don't have a conclusive test under my belt to verify it.  What I've done is create a separate web site ("External Web Site") with a separate directory (\inetpub\wwwroot2), a separate application pool (ExternalAppPool), using a different port (4433) or IP address, and then pointing TMG to use that port.  I don't know why this wouldn't work with UAG and Exchange 2013.
July 4th, 2013 6:27pm
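The separate-website approach Ed Crowley describes above, and the extra-virtual-directory idea from Mattias's post, written out as Exchange Management Shell commands. This is an added example, not code posted by anyone in the thread: the server name EX2013CAS, the site name "External Web Site", port 4433, the path C:\inetpub\wwwroot2, the pool name ExternalAppPool and the external URL are placeholders to adjust, and it assumes a dedicated Client Access server whose existing Exchange certificate is reused for the new binding.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Client Access server with Organization Management rights. All names below are
# hypothetical placeholders taken from Ed Crowley's description.

Import-Module WebAdministration   # New-WebAppPool, New-WebSite, IIS:\ drive

$Server   = 'EX2013CAS'
$SiteName = 'External Web Site'
$SitePath = 'C:\inetpub\wwwroot2'
$Port     = 4433
$AppPool  = 'ExternalAppPool'
$OwaUrl   = 'https://mail.example.com/owa'   # assumed public URL behind UAG

# 1. A separate web site on its own port, TLS only, in its own application pool.
#    The Default Web Site (and its /owa with FBA) is left untouched for internal users.
if (-not (Test-Path $SitePath)) { New-Item -ItemType Directory -Path $SitePath | Out-Null }
if (-not (Test-Path "IIS:\AppPools\$AppPool")) { New-WebAppPool -Name $AppPool | Out-Null }
New-WebSite -Name $SiteName -Port $Port -PhysicalPath $SitePath `
            -ApplicationPool $AppPool -Ssl | Out-Null

# 2. Bind the certificate Exchange already uses for IIS to the new port, so UAG's
#    back-end connection to :4433 is still TLS and validates against the same name.
$exCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$cert   = Get-ChildItem "Cert:\LocalMachine\My\$($exCert.Thumbprint)"
New-Item "IIS:\SslBindings\0.0.0.0!$Port" -Value $cert | Out-Null

# 3. Create OWA and ECP virtual directories in the new site. Exchange 2013 wants
#    the pair together with matching authentication, so both are created here.
#    Exchange assigns its own application pools to the virtual directories.
New-OwaVirtualDirectory -Server $Server -WebSiteName $SiteName -Role ClientAccess | Out-Null
New-EcpVirtualDirectory -Server $Server -WebSiteName $SiteName -Role ClientAccess | Out-Null

# 4. Turn FBA off on the new pair only and leave Basic on: UAG performs the single
#    logon at the trunk and delegates Basic credentials to :4433, so the user is
#    not shown the Exchange forms page a second time.
$owaId = "$Server\owa ($SiteName)"
$ecpId = "$Server\ecp ($SiteName)"
Set-OwaVirtualDirectory -Identity $owaId -FormsAuthentication $false `
                        -BasicAuthentication $true -ExternalUrl $OwaUrl
Set-EcpVirtualDirectory -Identity $ecpId -FormsAuthentication $false `
                        -BasicAuthentication $true

# 5. Check the result: the new site shows FBA off / Basic on, the default site
#    keeps FBA for internal users. Recycle IIS afterwards so the change is applied.
Get-OwaVirtualDirectory -Server $Server |
    Format-Table Identity, FormsAuthentication, BasicAuthentication, WindowsAuthentication -AutoSize
Get-EcpVirtualDirectory -Server $Server |
    Format-Table Identity, FormsAuthentication, BasicAuthentication -AutoSize
iisreset /noforce
```

After this, the UAG application for OWA is pointed at the server on port 4433 (or the alternate IP address, if that variant is used instead), with authentication delegated as Basic (401) rather than Exchange forms. The two-site split is what gives both behaviours at once: UAG users get one logon, internal users at /owa on the Default Web Site keep the FBA page.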

This topic is archived. No further replies will be accepted.
