Channel: Exchange Server 2013 - Outlook, OWA, POP, and IMAP Clients forum

Exchange 2013, multiple IIS OWA sites with different authentication

Hi

I have an Exchange 2013 server with Client Access and Mailbox server installed. The server has a second IP address, to which I have bound an additional IIS site. The additional IIS site is named ExchangeExternalFBA.

The default web site is configured for basic and windows authentication with:
Set-EcpVirtualDirectory -identity "ecp (default web site)" -FormsAuthentication:$false
Set-owavirtualdirectory -identity "owa (Default Web Site)" -FormsAuthentication:$false -WindowsAuthentication:$true -BasicAuthentication:$true

Then a new ECP and OWA are configured with:
New-ecpVirtualDirectory -WebSiteName "ExchangeExternalFBA"
New-OwaVirtualDirectory -WebSiteName "ExchangeExternalFBA"
Set-owavirtualdirectory -identity "owa (ExchangeExternalFBA)" -LogonFormat FullDomain -FormsAuthentication:$true -WindowsAuthentication:$false -BasicAuthentication:$true
Set-EcpVirtualDirectory -identity "ecp (ExchangeExternalFBA)" -FormsAuthentication:$true

Then I perform an iisreset.

My problem is that when I then try to access the ECP or OWA on the default website, it loads forms authentication! The ECP or OWA on the ExchangeExternalFBA web site works correctly and also loads forms authentication.

If I run...
get-owavirtualdirectory "owa (ExchangeExternalFBA)"

then it returns:

InternalAuthenticationMethods                       : {Basic, Ntlm,
                                                      WindowsIntegrated}
BasicAuthentication                                 : True
WindowsAuthentication                               : True
DigestAuthentication                                : False
FormsAuthentication                                 : False
LiveIdAuthentication                                : False
AdfsAuthentication                                  : False
OAuthAuthentication                                 : False

If I then run

Set-EcpVirtualDirectory -identity "ecp (default web site)" -FormsAuthentication:$false
Set-owavirtualdirectory -identity "owa (Default Web Site)" -FormsAuthentication:$false -WindowsAuthentication:$true -BasicAuthentication:$true

and perform another iisreset, then when I try to access the ECP or OWA on the default website it loads correctly. But then the forms-based authentication on the ExchangeExternalFBA website can no longer log in; it does not accept the user name and password. If I then disable and enable FBA on the ExchangeExternalFBA website, it works, but forms-based authentication takes over the default web site again!

Whether I perform the above from the GUI or from PowerShell does not make a difference; the same behaviour is observed. Changing the logontype on the FBA does not make a difference.

This has been tested on Exchange 2013 CU1 and CU2.

A similar (if not identical, until they get sidetracked) issue is reported in http://social.technet.microsoft.com/Forums/exchange/en-US/9fcd360f-6658-4940-add7-2f13265cf86b/multiple-owa-sites-on-a-single-server-2012-with-exchange-2013-mailbox-cas.

This worked fine in Outlook 2007 and 2010, why now do my virtual directories break each other?

I can reproduce the issue on a test Exchange 2013 I built in dev.

Is this a bug, or are you no longer meant to host different forms of authentication on a single CAS?

I'm mostly interested to see if this works for other people and why it no longer seems to work in 2013, so please, no questions like 'why do you want 2 different forms of authentication'.

Much appreciated, Thanks!
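
One way to see which virtual directory each Set-* call or iisreset actually changed is to compare all four against the intended values after every step. This is an added example, not part of the original post: the helper name Compare-VdirAuth and the sample objects are constructed, and it assumes a single server, as in the post, where each virtual directory's Name property matches the identities used above.

```powershell
# Intended settings, taken from the Set-* commands in the post.
$Expected = @{
    'owa (Default Web Site)'    = @{ FormsAuthentication = $false; WindowsAuthentication = $true;  BasicAuthentication = $true }
    'ecp (Default Web Site)'    = @{ FormsAuthentication = $false }
    'owa (ExchangeExternalFBA)' = @{ FormsAuthentication = $true;  WindowsAuthentication = $false; BasicAuthentication = $true }
    'ecp (ExchangeExternalFBA)' = @{ FormsAuthentication = $true }
}

# Hypothetical helper: emits one row per setting that differs from $Expected.
function Compare-VdirAuth {
    param(
        [Parameter(Mandatory)] [object[]]  $Actual,
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    foreach ($name in $Expected.Keys) {
        $vdir = $Actual | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        if (-not $vdir) {
            # Virtual directory not returned at all: report it rather than skip it.
            [pscustomobject]@{ VirtualDirectory = $name; Setting = '(not found)'; Expected = $null; Actual = $null }
            continue
        }
        foreach ($setting in $Expected[$name].Keys) {
            $want = $Expected[$name][$setting]
            $have = $vdir.$setting
            if ($have -ne $want) {
                [pscustomobject]@{ VirtualDirectory = $name; Setting = $setting; Expected = $want; Actual = $have }
            }
        }
    }
}

# Constructed sample state (not real cmdlet output): forms authentication
# has appeared on both Default Web Site directories.
$sample = @(
    [pscustomobject]@{ Name = 'owa (Default Web Site)';    FormsAuthentication = $true; WindowsAuthentication = $true;  BasicAuthentication = $true }
    [pscustomobject]@{ Name = 'ecp (Default Web Site)';    FormsAuthentication = $true }
    [pscustomobject]@{ Name = 'owa (ExchangeExternalFBA)'; FormsAuthentication = $true; WindowsAuthentication = $false; BasicAuthentication = $true }
    [pscustomobject]@{ Name = 'ecp (ExchangeExternalFBA)'; FormsAuthentication = $true }
)
Compare-VdirAuth -Actual $sample -Expected $Expected | Format-Table -AutoSize

# In the Exchange Management Shell, pass the live objects instead:
# $live = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
# Compare-VdirAuth -Actual $live -Expected $Expected | Format-Table -AutoSize
```

Running it once after each configuration command and again after each iisreset shows whether the stored settings themselves changed or only the behaviour seen in the browser did.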

