Using Forms-Based Authentication without SSL

How to use forms-based authentication in Exchange 2003 without the need to use SSL?

Forms-based authentication (or FBA for short) is a mechanism in Exchange 2003 Outlook Web Access that allows the user to have a more customizable experience of the OWA logon page and usage.

forms based4 small

By default, FBA requires that Secure Sockets Layer (SSL – i.e. HTTPS) be configured on your server running IIS. For debugging and testing purposes, Outlook Web Access offers a way to enable FBA through normal HTTP.

Follow the steps outlined in the Configuring Forms-Based Authentication in OWA and Exchange 2003 article on general instructions on how to configure FBA.

To configure forms-based authentication to work without SSL for your development environment:

  1. Open Registry Editor.

  2. Go to the following registry key:

  1. If it does not exist, manually add an OWA subkey to this key.

  2. Under the OWA subkey, add a DWord value named AllowRetailHTTPAuth and give it a value of 1.

  3. Quit Registry Editor.

To test your configuration, open your web browser and navigate to http://server/exchange. Notice that you ARE able to make the connection, although FBA is in use.

Note: I do not recommend using this configuration on a production server because of the security issues involved.

Related articles

You may find these related articles of interest to you:


Customizing the Outlook Web Access Logon Pagelink out ico