Outlook Web Access is Configured Without SSL
[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at http://go.microsoft.com/fwlink/?linkid=34707.]
Topic Last Modified: 2008-06-18
The Microsoft Exchange Server Analyzer uses the following Exchange Management Shell cmdlet to query for the values of the VirtualDirectoryName and WebsiteName properties of any target Exchange 2007 servers:
The VirtualDirectoryName parameter returns a string that defines the name of the virtual directory and the WebsiteName parameter returns a string that defines the name of the Exchange Web site.
The Exchange Server Analyzer then reads the BasicAuthentication, FormsAuthentication, and OwaVersion properties from the object that the cmdlet returns for the target virtual directory.
Basic authentication is a simple authentication mechanism that is defined by the HTTP specification. The browser Base64-encodes the user's logon name and password and sends them in an Authorization header; Base64 is an encoding, not encryption, so anyone who can read the request can recover the credentials.
Forms-based authentication enables a logon page for Outlook Web Access (OWA) that uses a cookie to store a user's encrypted logon credentials in the Internet browser. The user name and password are still submitted to the server in the body of the logon form, so the protection of that initial submission depends on the transport.
These properties specify whether basic authentication or forms-based authentication is enabled on the OWA virtual directory. A value of $true for these properties indicates that the authentication is enabled and a value of $false indicates that the authentication is not enabled.
The value for the OwaVersion property specifies whether the version of the OWA virtual directory is Exchange 2007, Exchange 2003, or Exchange 2000.
The Exchange Server Analyzer tool then queries the Internet Information Services (IIS) metabase for the values of the following properties:
A value of true for the AccessSSL property indicates that the virtual directory accepts requests only over Secure Sockets Layer (SSL), with or without also requiring a client certificate; requests over plain HTTP are rejected.
The SSLCertHash property holds the hash (thumbprint) of the SSL certificate that is bound to the Web site. It identifies the certificate in the local computer's certificate store; it does not contain the certificate itself, and it is empty when no certificate is bound.
The SSL protocol helps Web servers and Web clients communicate more securely through the use of encryption. When SSL is not used, data sent between the client and server is open to packet sniffing by anyone positioned on the network path, for example on a shared network segment, a wireless network, or a compromised host between the client and the server.
Finally, the Exchange Server Analyzer queries the Active Directory directory service for the value of the msExchCurrentServerRoles attribute on the msExchExchangeServer object for the computer to determine which Exchange Server 2007 server roles are installed on the target server.
If all of the following conditions are true, the Exchange Server Analyzer displays a warning:
Basic or Forms-Based authentication is enabled for the target OWA virtual directory.
The OWA virtual directory is not configured to use SSL.
The target server has the Exchange 2007 Client Access server role installed.
The target server does not have the Exchange 2007 Mailbox server role installed or the version of the OWA virtual directory is Exchange 2007.
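The following script is an added example that reproduces the four conditions above on one Exchange 2007 Client Access server; it is not the Exchange Server Analyzer's own code and is not part of this topic. It assumes the cmdlet the topic refers to is Get-OwaVirtualDirectory (the topic does not name it), that the OWA virtual directory lives under the Default Web Site (IIS metabase site id 1), and that the IIS ADSI provider is reachable on the local server. Run it in the Exchange Management Shell on the target server.

```powershell
# Added example, not part of the Exchange Server Analyzer or of this topic.
# Assumptions (not stated in the topic): the OWA virtual directory is under the
# Default Web Site (metabase site id 1) and the script runs locally on the target
# server in the Exchange Management Shell.

$server = $env:COMPUTERNAME
$siteId = 1
$vdirId = "$server\owa (Default Web Site)"

# 1. Exchange Management Shell: authentication settings and version of the OWA vdir.
$owa = Get-OwaVirtualDirectory -Identity $vdirId
$basicOrForms  = [bool]$owa.BasicAuthentication -or [bool]$owa.FormsAuthentication
$versionIs2007 = ("$($owa.OwaVersion)" -eq 'Exchange2007')

# 2. IIS metabase (via ADSI): does the vdir require SSL, and is a certificate bound
#    to the site? AccessSSL is read with .Value because the property object itself
#    would always cast to $true.
$vdir = [ADSI]"IIS://$server/W3SVC/$siteId/ROOT/owa"
$site = [ADSI]"IIS://$server/W3SVC/$siteId"
$requiresSsl = [bool]$vdir.AccessSSL.Value
$hasCert     = @($site.SSLCertHash.Value).Count -gt 0

# 3. Server roles (read by Exchange from msExchCurrentServerRoles in Active Directory).
$roles = "$((Get-ExchangeServer -Identity $server).ServerRole)"
$isCas = $roles -match 'ClientAccess'
$isMbx = $roles -match 'Mailbox'

# The same four conditions the Analyzer checks before raising the warning.
$warn = $basicOrForms -and (-not $requiresSsl) -and $isCas -and ((-not $isMbx) -or $versionIs2007)

if ($warn) {
    Write-Warning "OWA vdir '$vdirId' accepts Basic/Forms logons but does not require SSL."
    if (-not $hasCert) {
        Write-Warning "No SSL certificate is bound to site $siteId; bind one before requiring SSL."
    } else {
        # Remediation (commented out): require SSL on the vdir through the metabase.
        # $vdir.AccessSSL = $true
        # $vdir.SetInfo()
        Write-Host "A certificate is bound; set AccessSSL on the vdir to require SSL."
    }
} else {
    Write-Host "OWA vdir '$vdirId': Basic/Forms=$basicOrForms RequireSSL=$requiresSsl CAS=$isCas Mailbox=$isMbx OwaVersion=$($owa.OwaVersion) (no warning)."
}
```

The remediation lines are left commented out because requiring SSL on a site with no certificate bound makes OWA unreachable; the script checks SSLCertHash first for that reason, and the linked topics below cover binding a certificate before you switch the flag on.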
This warning indicates that the OWA virtual directory is configured to use Basic or Forms-Based authentication but is not configured to require SSL. Binding a certificate to the Web site is not enough by itself: until the virtual directory requires SSL, clients can still connect over plain HTTP and submit their credentials in the clear.
For a computer that is running Exchange Server 2007 that has the Client Access server role installed, SSL is used to help secure communications between the server and the clients. Clients include mobile devices, computers inside an organization's network, and computers outside an organization's network. These include clients with and without virtual private network (VPN) connections.
If SSL is not used, the user name and password are sent in clear text at initial logon, and with Basic authentication they are re-sent on every subsequent request. When SSL is used, it encrypts all communications between the client computer and the Client Access server and helps prevent sensitive information, such as user names, passwords, and e-mail messages, from being viewed by third parties.
For information about how to use Secure Sockets Layer (SSL) encryption to help secure Outlook Web Access, see "How to Configure Outlook Web Access Virtual Directories to Use SSL" http://go.microsoft.com/fwlink/?LinkId=121581.
For more information about how to manage SSL, see "Managing SSL for a Client Access Server" http://go.microsoft.com/fwlink/?LinkId=121582.