Tech Master Guide

By default, Outlook Web Access is enabled for all users on your Domain after you install Exchange 2003. However, you can enable the following features for Outlook Web Access:

• Set up a logon page.
  
• Configure authentication.
  
• Configure security options.
  
• Configure Outlook Web Access compression.
  
• Simplify the Outlook Web Access URL.

You can enable a new logon page for Outlook Web Access that stores the user's name and password in a cookie instead of in the browser. When a user closes a browser, the cookie is cleared. Additionally, after a period of inactivity, the cookie is cleared automatically. The new logon page requires the user to enter a domain, user name, and password, or a full user principal name (UPN) e-mail address and password, to access e-mail.

To enable this logon page, you must first enable forms-based authentication on the server, and then secure the logon page by setting the cookie time-out period and adjusting client-side security settings.

How to enable Forms-Based Authentication in Exchange Server 2003:

If you are using forms-based authentication with Secure Sockets Layer (SSL) offloading, you must configure your Exchange Server front-end servers to handle this scenario.

Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server Click Here to Download

To enable the Outlook Web Access logon page, you must enable forms-based authentication on the server.

1. On the Exchange server, log on with the Exchange administrator account, and then start Exchange System Manager.

2. In the console tree, expand Servers.

3. Expand the server for which you want to enable forms-based authentication, and then expand Protocols.

4. Expand HTTP, right-click Exchange Virtual Server, and then click Properties.

5. In the Exchange Virtual Server Properties dialog box, on the Settings tab, in the Outlook Web Access pane, select the Enable Forms Based Authentication option.

6. Click Apply, and then click OK.

In Exchange 2003, Outlook Web Access user credentials are stored in a cookie. When the user logs off Outlook Web Access, the cookie is cleared and it is no longer valid for authentication. Additionally, by default, if your user is using a public computer, and selects the Public or shared computer option on the Outlook Web Access logon screen, the cookie on this computer expires automatically after 15 minutes of user inactivity.

The automatic time-out is valuable because it helps protect a user's account from unauthorized access. However, although the automatic time-out greatly reduces the risk of unauthorized access, it does not completely eliminate the possibility that an unauthorized user might access an Outlook Web Access account if a session is left running on a public computer. Therefore, make sure that you educate users about precautions to take to avoid risks.

To match the security requirements of your organization, an administrator can configure the inactivity time-out values on the Exchange front-end server. To configure the time-out value, you must modify the registry settings on the server.

How to Set the Outlook Web Access Forms-Based Authentication Public Computer Cookie Time-Out Value

1. On the Exchange front-end server, log on with the Exchange administrator account, and then start Registry Editor (regedit).

2. In Registry Editor, locate the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
   MSExchangeWeb\OWA

3. On the Edit menu, point to New, and then click DWORD Value.

4. In the details pane, name the new value PublicClientTimeout.

5. Right-click the PublicClientTimeout DWORD value, and then click Modify.

6. In Edit DWORD Value, under Base, click Decimal.

7. In the Value Data box, type a value (in minutes) between 1 and 432,000.

8. Click OK.

1. Start Registry Editor (regedit).

2. Navigate to the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
   Services\MSExchangeWeb\OWA

3. On the Edit menu, point to New, and then click DWORD Value.

4. In the details pane, name the new value TrustedClientTimeout.

5. Right-click the TrustedClientTimeout Dword value, and then click Modify.

6. In Edit DWORD Value, under Base, click Decimal.

7. In the Value Data box, type a value (in minutes) between 1 and 432,000.

8. Click OK.

To successfully complete the procedures in this topic, confirm the following:

• The front-end server has authentication enabled.

1. Using the Internet Services Manager, open the properties for the Default Web Site.

2. Click the Home Directory tab, and then select A redirection to a URL.

3. In Redirect to, type /, and then click A directory below URL entered. For example, to redirect https://mail/ requests to https://mail/exchange, in Redirect to, you would type /exchange.

If you want your users to use SSL to access their server, you can redirect client requests to https://mail/<directory name>. To require users to use SSL, In Redirect to, type https://mail/, and then click A directory below URL entered. This setting hard codes the name of the server; therefore if you redirect client requests to https://mail, the client must be able to resolve the name mail.

Note: Users still must enter the full URL, including username, to access other mailboxes or content in folders other than the inbox.