Using Forms-Based Authentication without SSL

Daniel Petri

Jan 8, 2009

How to use forms-based authentication in Exchange 2003 without the need to use SSL?

advertisment

Forms-based authentication (or FBA for short) is a mechanism in Exchange 2003 Outlook Web Access that allows the user to have a more customizable experience of the OWA logon page and usage.

By default, FBA requires that Secure Sockets Layer (SSL – i.e. HTTPS) be configured on your server running IIS. For debugging and testing purposes, Outlook Web Access offers a way to enable FBA through normal HTTP.

Follow the steps outlined in the Configuring Forms-Based Authentication in OWA and Exchange 2003 article on general instructions on how to configure FBA.

advertisment

To configure forms-based authentication to work without SSL for your development environment:

Open Registry Editor.
Go to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb

advertisment

If it does not exist, manually add an OWA subkey to this key.
Under the OWA subkey, add a DWord value named AllowRetailHTTPAuth and give it a value of 1.
Quit Registry Editor.

To test your configuration, open your web browser and navigate to http://server/exchange. Notice that you ARE able to make the connection, although FBA is in use.

Note: I do not recommend using this configuration on a production server because of the security issues involved.

You may find these related articles of interest to you: