Authentication and EWS in Exchange

Find information to help you choose the right authentication standard for your EWS application that targets Exchange.

Authentication is a key part of your Exchange Web Services (EWS) application. Exchange Online, Exchange Online as part of Office 365, and on-premises versions of Exchange starting with Exchange Server 2013 support standard web authentication protocols to help secure the communication between your application and the Exchange server.

If you're targeting Exchange Online, the authentication method that you choose must use HTTPS to encrypt the requests and responses that your application sends. Although you can use HTTP with Exchange on-premises servers, we recommend that you use HTTPS for any request that your application sends to an EWS endpoint to help secure communication between your application and an Exchange server.

Exchange provides the following authentication options for you to choose from:

  • OAuth 2.0 (Exchange Online only)

  • NTLM (Exchange on-premises only)

  • Basic (no longer recommended)

The authentication method that you choose depends on the security requirements of your organization, whether you are using Exchange Online or Exchange on-premises, and whether you have access to a third-party provider that can issue OAuth tokens. This article provides information that will help you select the authentication standard that's right for your application.

OAuth authentication

We recommend that all new applications use the OAuth standard to connect to Exchange Online services. The advantage in security over basic authentication is worth the additional work required to implement OAuth in your application. For the record, however, there are also some disadvantages that you should be aware of.

Table 1. Advantages and disadvantages of using OAuth

Advantages:

  • OAuth is an industry-standard authentication protocol.

  • Authentication is managed by a third-party provider. Your application does not have to collect and store the Exchange credentials.

  • Fewer worries for you, because your application only receives an opaque token from the authentication provider; therefore, a security breach in your application can only expose the token, not the user's Exchange credentials.

Disadvantages:

  • OAuth relies on a third-party authentication provider. This can impose additional costs on your organization or your customers.

  • The OAuth standard is more difficult to implement than basic authentication.

  • To implement OAuth, you need to integrate your application with both the authentication provider and the Exchange server.

To help minimize the disadvantages, you can use the Microsoft Azure AD Authentication Library (ADAL) to authenticate users to Active Directory Domain Services (AD DS) in the cloud or on-premises and then obtain access tokens for securing calls to an Exchange server. Exchange Online requires tokens issued by the Azure Active Directory service, which is supported by the ADAL; however, you can use any third-party library.

To learn more about using OAuth authentication in your EWS application, see the following resources:

NTLM authentication

NTLM authentication is only available for Exchange on-premises servers. For applications that run inside the corporate firewall, integration between NTLM authentication and the .NET Framework provides a built-in means to authenticate your application.

Table 2. Advantages and disadvantages of using NTLM authentication

Advantages:

  • Works "out of the box" with your Exchange server. You can configure access to Exchange services by using an Exchange Management Shell cmdlet.

  • Uses the .NET Framework CredentialCache object to automatically get the user's credentials.

  • Code samples are available that use the logged on user's credentials for authentication to an on-premises Exchange server.

Disadvantages:

  • Users must be logged on to a domain to use NTLM authentication.

  • It can be difficult to access email accounts that are not associated with the user's domain account.

  • Service applications must have a domain account to take advantage of NTLM authentication.

Basic authentication

Basic authentication provides a, well, basic level of security for your client application. We do recommend that all new applications use either NTLM or the OAuth protocol for authentication; however, basic authentication can be the correct choice for your application in some circumstances.

Table 3. Advantages and disadvantages of using basic authentication

Advantages:

  • Works "out of the box" with your Exchange server. You can configure access to Exchange services by using an Exchange Management Shell cmdlet.

  • Windows applications can use the logged on user's default credentials.

  • Many code samples are available that show you how to call EWS using basic authentication.

Disadvantages:

  • Requires your application to collect and store the user's credentials.

  • You have to turn off NTLM authentication if you want to force all users to use basic authentication.

  • If a security breach occurs in your application, it can expose the user's email address and password to the attacker.

You need to decide if basic authentication meets the security requirements of your organization and customers. Basic authentication can be the right choice if you want to avoid extensive setup tasks, for example for simple test or demonstration applications.

Note

Basic authentication is no longer supported for EWS to connect to Exchange Online. Use OAuth authentication in all your new or existing EWS applications to connect to Exchange Online. OAuth authentication for EWS is only available in Exchange Online as part of Microsoft 365. EWS applications that use OAuth must be registered with Azure Active Directory first.

See also
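As an added example that is not part of the article, the following Python encodes the selection rules described above (HTTPS required for Exchange Online, OAuth for Exchange Online only, NTLM for on-premises only, basic authentication no longer supported for Exchange Online) and builds the request headers that result; the Exchange Online host name, the on-premises host in the comments and the function names are assumptions, not values from the article.

```python
"""Added example (not from the article): encode the article's rules for
choosing an EWS authentication method and build the matching HTTP headers.
Assumption: the Exchange Online EWS host name below is illustrative."""
import base64
from urllib.parse import urlparse

# Assumed Exchange Online EWS host; any other host is treated as on-premises.
EXCHANGE_ONLINE_HOSTS = {"outlook.office365.com"}


def auth_violations(endpoint: str, method: str) -> list:
    """Return every rule from the article that (endpoint, method) breaks."""
    url = urlparse(endpoint)
    online = url.hostname in EXCHANGE_ONLINE_HOSTS
    problems = []
    if online and url.scheme != "https":
        problems.append("Exchange Online requires HTTPS")
    if method == "oauth" and not online:
        problems.append("OAuth is available for Exchange Online only")
    if method == "ntlm" and online:
        problems.append("NTLM is available for Exchange on-premises only")
    if method == "basic" and online:
        problems.append("Basic authentication is not supported for EWS in Exchange Online")
    if method not in ("oauth", "ntlm", "basic"):
        problems.append(f"unknown method {method!r}")
    return problems


def ews_auth_headers(endpoint: str, method: str, credential: str = "") -> dict:
    """Build request headers for an EWS SOAP call, or raise ValueError.

    credential is the access token for "oauth" and "user:password" for
    "basic"; NTLM is negotiated by the HTTP stack from the logged-on user's
    credentials, so no static Authorization header is produced for it.
    """
    problems = auth_violations(endpoint, method)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Content-Type": "text/xml; charset=utf-8"}
    if method == "oauth":
        # The app only ever holds an opaque token, never the user's password.
        headers["Authorization"] = f"Bearer {credential}"
    elif method == "basic":
        # Basic sends the credentials themselves; a breach of the app exposes them.
        encoded = base64.b64encode(credential.encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {encoded}"
    return headers
```

Calling `ews_auth_headers` with an on-premises host such as the constructed `https://mail.contoso.local/EWS/Exchange.asmx` and `"ntlm"` returns only the Content-Type header, since the NTLM exchange is left to the HTTP client.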