Wednesday, 18 March 2015

OWA Authentication Methods In Exchange Server 2003

By default, OWA is accessed with basic and/or Integrated Windows authentication, but there are five different authentication methods that can be used to validate your OWA users:
  • Anonymous access:  This is not a form of authentication. Instead, it is an open way to accept anonymous connections to resources without specifying a Microsoft Windows 200x user account. Passwords for anonymous accounts are not verified; the password is only logged in the Event Viewer. By default, anonymous access is not enabled. The server creates and uses the account IUSR_computername.
  • Integrated Windows authentication:  The Integrated Windows authentication method is enabled by default (except on front-end servers). This authentication method requires HTTP users to have a valid Windows user account and password to access information. Users are not prompted for their account names and passwords; instead, the server negotiates with the Windows 2000 security packages installed on the client computer. This method allows the server to authenticate users without prompting them for information and without transmitting unencrypted information across the network.
  • Digest authentication:  Digest authentication works only with Active Directory accounts. This authentication method is secure because it sends a hash value over the network rather than a clear text password, as is the case with basic authentication. To use this form of authentication, your clients must use Internet Explorer 5.0 or later.
  • Basic authentication:  Basic authentication transmits user passwords across the network unencrypted. Although this method allows users to access all Exchange resources, it is not very secure. To enhance security, it is strongly advised that you use SSL with basic authentication to encrypt all information. We will show you how to enable Secure Sockets Layer (SSL) on your OWA virtual directories in the next section.
  • .NET Passport authentication:  .NET Passport authentication allows your site's users to create a single sign-in name and password for easy, secure access to all .NET Passport-enabled Web sites and services. .NET Passport-enabled sites rely on the .NET Passport central server to authenticate users rather than hosting and maintaining their own proprietary authentication systems. However, the .NET Passport central server does not authorize or deny a specific user's access to individual .NET Passport-enabled sites. It is the Web site's responsibility to control user permissions. Using .NET Passport authentication requires that a default domain be defined. You probably know the .NET Passport authentication method from services such as Microsoft's MSN Hotmail and Messenger. Note that this authentication method can be set only through the IIS Manager, not the Exchange System Manager.
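
To make the difference between the basic and digest methods above concrete, the following added example (not part of the original post) audits the authentication schemes a server offers and shows what each one puts on the wire. The function names, the host `mail.example.com` and all header values are constructed for illustration; the credentials are the sample pairs from the HTTP authentication RFCs.

```python
import base64
import hashlib

# Scheme tokens in WWW-Authenticate mapped to the method names used above.
SCHEMES = {"basic": "Basic", "digest": "Digest",
           "negotiate": "Integrated Windows", "ntlm": "Integrated Windows"}

def audit_challenges(url, www_authenticate):
    """Return (methods offered, findings) for one 401 response."""
    offered = []
    for value in www_authenticate:
        if not value.strip():
            continue  # ignore empty header values
        token = value.split(None, 1)[0].lower()
        offered.append(SCHEMES.get(token, "unknown:" + token))
    findings = []
    if "Basic" in offered and not url.lower().startswith("https://"):
        findings.append("Basic offered without SSL: password readable on the wire")
    return offered, findings

def decode_basic(authorization):
    """Basic is only base64 of user:password, so anyone who sees it can read it."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 Digest response (qop=auth): an MD5 hash is sent, not the password."""
    md5 = lambda s: hashlib.md5(s.encode("utf-8")).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

if __name__ == "__main__":
    # Constructed sample: challenge headers from a hypothetical OWA virtual directory.
    url = "http://mail.example.com/exchange/"
    headers = ["Negotiate", "NTLM", 'Basic realm="mail.example.com"']
    print(audit_challenges(url, headers))
    # Constructed credentials (the sample pairs from the HTTP auth RFCs).
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                          "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b"))
```

The audit raises its finding only when Basic is offered on a non-HTTPS URL, which matches the advice above to pair basic authentication with SSL.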
