SOLVED

OWA forms-based authentication with basic authentication disabled

%3CLINGO-SUB%20id%3D%22lingo-sub-695218%22%20slang%3D%22en-US%22%3EOWA%20forms-based%20authentication%20with%20basic%20authentication%20disabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-695218%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone%2C%3C%2FP%3E%3CP%3EI%20am%20running%20form%20based%20authentication.%20For%20some%20concern%2C%20i%20would%20like%20to%20disable%20basic%20authentication%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CSTRONG%3Eget-OwaVirtualDirectory%20%22owa%20(Default%20Web%20Site)%22%20%7Cfl%20*auth*%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EClientAuthCleanupLevel%20%3A%20High%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EInternalAuthenticationMethods%20%3A%20%7BBasic%2C%20Fba%7D%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EBasicAuthentication%20%3A%20True%20WindowsAuthentication%20%3A%20False%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EDigestAuthentication%20%3A%20False%20FormsAuthentication%20%3A%20True%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3ELiveIdAuthentication%20%3A%20False%20AdfsAuthentication%20%3A%20False%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EOAuthAuthentication%20%3A%20False%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EExternalAuthenticationMethods%20%3A%20%7BFba%7D%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%20the%20%22InternalAuthenticationMethods%22%20is%20Basic%20and%20Fba.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CSTRONG%3Eset-OwaVirtualDirectory%20%22owa%20(Default%20Web%20Site)%22%20-BasicAuthentication%20%24false%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3Eget-OwaVirtualDirectory%20%22owa%20(Default%20Web%20Site)%22%20%7Cfl%20InternalAuthenticationMethods%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EInternalAuthenticationMethods%20%3A%20%7B%7D%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewith%20just%20setting%20the%20%22BasicAuthentication%22%20to%20%24false%20it%20turns%20off%20the%20form%20based%20too.%20So%20i%20tried%20to%20enabled%20the%20form%20based%20again.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3Eset-OwaVirtualDirectory%20%22owa%20(Default%20Web%20Site)%22%20-FormsAuthentication%20%24true%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EClientAuthCleanupLevel%20%3A%20High%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EInternalAuthenticationMethods%20%3A%20%7BBasic%2C%20Fba%7D%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EBasicAuthentication%20%3A%20True%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EWindowsAuthentication%20%3A%20False%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EDigestAuthentication%20%3A%20False%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EFormsAuthentication%20%3A%20True%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3ELiveIdAuthentication%20%3A%20False%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EAdfsAuthentication%20%3A%20False%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EOAuthAuthentication%20%3A%20False%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EExternalAuthenticationMethods%20%3A%20%7BFba%7D%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EThe%20basic%20authentication%20was%20automatically%20turn%20on%20by%20itself%20again.%20So%20i%20was%20thinking%20the%20form%20based%20required%20the%20basic%20authentication.%20The%20information%20on%20the%20internet%20is%20kind%20of%20scarce.%20Does%20anyone%20has%20any%20experience%20on%20this%3F%20Also%20note%20the%20%22ExternalAuthenticationMethods%22%20is%20%7BFba%7D%20without%20Basic%3F%20Thanks%20everyone!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-695218%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-697042%22%20slang%3D%22en-US%22%3ERe%3A%20OWA%20forms-based%20authentication%20with%20basic%20authentication%20disabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-697042%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F361307%22%20target%3D%22_blank%22%3E%40Thai_Lam%3C%2FA%3E%26nbsp%3BForms%20Based%20Auth%20requires%20Basic%20be%20enabled.%20That's%20enforced%20in%20code%20as%20you%20saw.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGreg.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-698730%22%20slang%3D%22en-US%22%3ERe%3A%20OWA%20forms-based%20authentication%20with%20basic%20authentication%20disabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-698730%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg%20Taylor%20(EXCHANGE)%3C%2FA%3E%26nbsp%3BThank%20you!%20Can%20i%20also%20check%26nbsp%3B%3CSTRONG%3EExternalAuthenticationMethods%20%3A%20%7BFba%7D%2C%20%3C%2FSTRONG%3Ewhat%20does%20this%20do%3F%20Because%20it%20seems%20different%20then%20the%20other%20.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-ExternalAuthenticationMethods%20is%20using%20string%20base%20instead%20of%20-FormsAuthentication%20%24true%20or%20%24false%20and%20it%20accepts%20just%20only%20%22Fba%22.%3C%2FP%3E%3CP%3E%3CSTRONG%3Eset-OwaVirtualDirectory%20%22owa%20(Default%20Web%20Site)%22%20-ExternalAuthenticationMethods%20fba%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-698888%22%20slang%3D%22en-US%22%3ERe%3A%20OWA%20forms-based%20authentication%20with%20basic%20authentication%20disabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-698888%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20individual%20settings%20enable%20(or%20disable)%20the%20respective%20authentication%20method%20on%20the%20vdir.%20ExternalAuthenticationMethods%20and%20InternalAuthenticationMethods%20determine%20allowed%20authentication%20methods%20when%20connecting%20internally%20or%20externally.%20Only%20methods%20can%20be%20selected%20which%20are%20enabled%20on%20the%20vdir.%20It's%20a%20multi-value%2C%20allowing%20you%20to%20specify%20more%20than%20one%20method%20(thus%20displayed%20differently%20in%20output)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-699677%22%20slang%3D%22en-US%22%3ERe%3A%20OWA%20forms-based%20authentication%20with%20basic%20authentication%20disabled%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-699677%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1978%22%20target%3D%22_blank%22%3E%40Michel%20de%20Rooij%3C%2FA%3E%26nbsp%3BThat%20was%20the%20intent%20when%20the%20code%20was%20written%20-%20but%20it%20never%20worked%20like%20that.%20OWA%2FExchange%20has%20no%20idea%20if%20the%20user%20is%20internal%20or%20external%20and%20so%20those%20values%20do%20nothing.%20I%20wouldn't%20suggest%20messing%20with%20them%20at%20all.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hi everyone,

I am running form based authentication. For some concern, i would like to disable basic authentication


get-OwaVirtualDirectory "owa (Default Web Site)" |fl *auth*
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True WindowsAuthentication : False
DigestAuthentication : False FormsAuthentication : True
LiveIdAuthentication : False AdfsAuthentication : False
OAuthAuthentication : False

ExternalAuthenticationMethods : {Fba}

 

Note the "InternalAuthenticationMethods" is Basic and Fba.


set-OwaVirtualDirectory "owa (Default Web Site)" -BasicAuthentication $false
get-OwaVirtualDirectory "owa (Default Web Site)" |fl InternalAuthenticationMethods
InternalAuthenticationMethods : {}

 

with just setting the "BasicAuthentication" to $false it turns off the form based too. So i tried to enabled the form based again.

 

 

set-OwaVirtualDirectory "owa (Default Web Site)" -FormsAuthentication $true
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Fba}

The basic authentication was automatically turn on by itself again. So i was thinking the form based required the basic authentication. The information on the internet is kind of scarce. Does anyone has any experience on this? Also note the "ExternalAuthenticationMethods" is {Fba} without Basic? Thanks everyone!

4 Replies
Highlighted
Best Response confirmed by Thai_Lam (Occasional Contributor)
Solution

@Thai_Lam Forms Based Auth requires Basic be enabled. That's enforced in code as you saw. 

 

Greg.  

Highlighted

@Greg Taylor - EXCHANGE Thank you! Can i also check ExternalAuthenticationMethods : {Fba}, what does this do? Because it seems different then the other .

 

-ExternalAuthenticationMethods is using string base instead of -FormsAuthentication $true or $false and it accepts just only "Fba".

set-OwaVirtualDirectory "owa (Default Web Site)" -ExternalAuthenticationMethods fba

 

 

Highlighted

The individual settings enable (or disable) the respective authentication method on the vdir. ExternalAuthenticationMethods and InternalAuthenticationMethods determine allowed authentication methods when connecting internally or externally. Only methods can be selected which are enabled on the vdir. It's a multi-value, allowing you to specify more than one method (thus displayed differently in output)

Highlighted

@Michel de Rooij That was the intent when the code was written - but it never worked like that. OWA/Exchange has no idea if the user is internal or external and so those values do nothing. I wouldn't suggest messing with them at all.