Blog Post

Exchange Team Blog
3 MIN READ

Coming Soon: Enabling Extended Protection on Exchange Server by Default

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Aug 28, 2023
Extended Protection (EP) is a Windows feature that helps protect servers from ‘man in the middle’ (MiTM) type attacks. EP allows a binding to occur within Windows Authentication in IIS between the au...
Published Aug 28, 2023
Version 1.0
announcements
exchange 2019
on premises
security
swaite1405's avatar
swaite1405
Copper Contributor
Sep 07, 2023

I configured EP, but found it breaks OWA in our environment - everything else works, including desktop Outlook. Our client computers are in a trusted login domain, the Exchange 2019 CU13 servers are in a trusted resource domain, no load balancers, firewalls or proxies in-between or involved. OWA works fine on a client machine located within the resource domain, but not from within the login domain - same credentials and method to access.

If I set the Default Web Site/OWA windows authentication EP setting back to 'None' (instead of 'Require') then everything works again - any ideas why it is failing when set to 'Require'?
I've been through the documentation and verified the pre-requisites are met. But if 'Require' is set, then I am just getting an authentication pop-up that loops when I try to access the mailbox using OWA.

So this is how I have to have it configured to have OWA working again (everything except OWA on the Default Web Site is configured per the EP script) - this snippet is from the HealthChecker script which shows only the OWA config as False:

 

 

Default Web Site             Value    SupportedValue  ConfigSupported
----------------             -----    --------------  ---------------
API                          Require  Require         True
Autodiscover                 None     None            True
ECP                          Require  Require         True
EWS                          Allow    Allow           True
Microsoft-Server-ActiveSync  Allow    Allow           True
OAB                          Require  Require         True
Powershell                   Require  Require         True
OWA                          None     Require         False
RPC                          Require  Require         True
MAPI                         Require  Require         True


Exchange Back End            Value    SupportedValue  ConfigSupported
-----------------            -----    --------------  ---------------
API                          Require  Require         True
Autodiscover                 None     None            True
ECP                          Require  Require         True
EWS                          Require  Require         True
Microsoft-Server-ActiveSync  Require  Require         True
OAB                          Require  Require         True
Powershell                   Require  Require         True
OWA                          Require  Require         True
RPC                          Require  Require         True
PushNotifications            Require  Require         True
RPCWithCert                  Require  Require         True
MAPI/emsmdb                  Require  Require         True
MAPI/nspi                    Require  Require         True