Authentication and EWS in Exchange

Find information to help you choose the right authentication standard for your EWS application that targets Exchange.

Authentication is a key part of your Exchange Web Services (EWS) application. Exchange Online, Exchange Online as part of Office 365, and on-premises versions of Exchange starting with Exchange Server 2013 support standard web authentication protocols to help secure the communication between your application and the Exchange server.

If you're targeting Exchange Online, the authentication method that you choose must use HTTPS to encrypt the requests and responses that your application sends. Although you can use HTTP with Exchange on-premises servers, we recommend that you use HTTPS for any request that your application sends to an EWS endpoint to help secure communication between your application and an Exchange server.

Exchange provides the following authentication options for you to choose from:

  • OAuth 2.0 (Exchange Online only)

  • NTLM (Exchange on-premises only)

  • Basic (no longer recommended)

The authentication method that you choose depends on the security requirements of your organization, whether you are using Exchange Online or Exchange on-premises, and whether you have access to a third-party provider that can issue OAuth tokens. This article provides information that will help you select the authentication standard that's right for your application.

OAuth authentication

We recommend that all new applications use the OAuth standard to connect to Exchange Online services. The advantage in security over basic authentication is worth the additional work required to implement OAuth in your application. For the record, however, there are also some disadvantages that you should be aware of.

Table 1. Advantages and disadvantages of using OAuth

Advantages:

  • OAuth is an industry-standard authentication protocol.

  • Authentication is managed by a third-party provider. Your application does not have to collect and store the Exchange credentials.

  • Fewer worries for you, because your application only receives an opaque token from the authentication provider; therefore, a security breach in your application can only expose the token, not the user's Exchange credentials.

Disadvantages:

  • OAuth relies on a third-party authentication provider. This can impose additional costs on your organization or your customers.

  • The OAuth standard is more difficult to implement than basic authentication.

  • To implement OAuth, you need to integrate your application with both the authentication provider and the Exchange server.

To help minimize the disadvantages, you can use the Microsoft Azure AD Authentication Library (ADAL) to authenticate users to Active Directory Domain Services (AD DS) in the cloud or on-premises and then obtain access tokens for securing calls to an Exchange server. Exchange Online requires tokens issued by the Azure Active Directory service, which is supported by the ADAL; however, you can use any third-party library.

To learn more about using OAuth authentication in your EWS application, see the following resources:

NTLM authentication

NTLM authentication is only available for Exchange on-premises servers. For applications that run inside the corporate firewall, integration between NTLM authentication and the .NET Framework provides a built-in means to authenticate your application.

Table 2. Advantages and disadvantages of using NTLM authentication

Advantages:

  • Works "out of the box" with your Exchange server. You can configure access to Exchange services by using an Exchange Management Shell cmdlet.

  • Uses the .NET Framework CredentialCache object to automatically get the user's credentials.

  • Code samples are available that use the logged on user's credentials for authentication to an on-premises Exchange server.

Disadvantages:

  • Users must be logged on to a domain to use NTLM authentication.

  • It can be difficult to access email accounts that are not associated with the user's domain account.

  • Service applications must have a domain account to take advantage of NTLM authentication.

Basic authentication

Basic authentication provides a, well, basic level of security for your client application. We do recommend that all new applications use either NTLM or the OAuth protocol for authentication; however, basic authentication can be the correct choice for your application in some circumstances.

Table 3. Advantages and disadvantages of using basic authentication

Advantages:

  • Works "out of the box" with your Exchange server. You can configure access to Exchange services by using an Exchange Management Shell cmdlet.

  • Windows applications can use the logged on user's default credentials.

  • Many code samples are available that show you how to call EWS using basic authentication.

Disadvantages:

  • Requires your application to collect and store the user's credentials.

  • You have to turn off NTLM authentication for all users to use basic authentication.

  • If a security breach occurs in your application, it can expose the user's email address and password to the attacker.

You need to decide if basic authentication meets the security requirements of your organization and customers. Basic authentication can be the right choice if you want to avoid extensive setup tasks, for example for simple test or demonstration applications.
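The following added example (not part of the original article, and not Microsoft sample code) contrasts what a Basic header and an OAuth bearer header disclose to anyone who can read them, and enforces the HTTPS recommendation before credentials are attached to a request. The endpoint URL, account, password and token are constructed placeholder values, and the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit


def basic_header(username: str, password: str) -> str:
    """Basic scheme: base64 of 'user:password'. This is encoding, not encryption."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_header(access_token: str) -> str:
    """OAuth 2.0 bearer scheme: the token issued by the authentication provider."""
    return "Bearer " + access_token


def exposed_by(header: str) -> dict:
    """What a reader of this header (log file, proxy, memory dump) learns."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() == "basic":
        decoded = base64.b64decode(value).decode("utf-8")
        # The user name cannot contain ':'; the password may, so split once.
        user, _, password = decoded.partition(":")
        return {"scheme": "Basic", "username": user, "password": password}
    if scheme.lower() == "bearer":
        return {"scheme": "Bearer", "token": value}
    raise ValueError(f"unsupported scheme: {scheme!r}")


def prepare_ews_request(url: str, auth_header: str) -> dict:
    """Build request metadata; refuse to attach credentials to a non-HTTPS URL."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send credentials to non-HTTPS URL: " + url)
    return {
        "method": "POST",
        "url": url,
        "headers": {"Authorization": auth_header,
                    "Content-Type": "text/xml; charset=utf-8"},
    }


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    ews_url = "https://mail.example.com/EWS/Exchange.asmx"
    basic = basic_header("alice@example.com", "Example:Passw0rd")
    bearer = bearer_header("constructed-opaque-token")
    print(exposed_by(basic))    # the account name and password are recoverable
    print(exposed_by(bearer))   # only the token is recoverable
    print(prepare_ews_request(ews_url, bearer)["url"])
```

NTLM is left out because it is a multi-message challenge/response exchange rather than a single static header.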
