Authentication and EWS in Exchange

Find information to help you choose the right authentication standard for your EWS application that targets Exchange.

Authentication is a key part of your Exchange Web Services (EWS) application. Exchange Online, Exchange Online as part of Office 365, and on-premises versions of Exchange starting with Exchange Server 2013 support standard web authentication protocols to help secure the communication between your application and the Exchange server.

If you're targeting Exchange Online, the authentication method that you choose must use HTTPS to encrypt the requests and responses that your application sends. Although on-premises Exchange servers accept HTTP, we recommend HTTPS for every request that your application sends to an EWS endpoint: basic authentication places the user's password in each request, and NTLM places a challenge-response derived from it, so an unencrypted connection exposes either one to anyone on the network path.

Exchange provides the following authentication options for you to choose from:

  • OAuth 2.0 (Exchange Online only)

  • NTLM (Exchange on-premises only)

  • Basic (no longer recommended)

The authentication method that you choose depends on the security requirements of your organization, whether you are using Exchange Online or Exchange on-premises, and whether you have access to a third-party provider that can issue OAuth tokens. This article provides information that will help you select the authentication standard that's right for your application.

OAuth authentication

We recommend that all new applications use the OAuth standard to connect to Exchange Online services. The security advantage over basic authentication is worth the additional work required to implement OAuth in your application. For the record, however, there are also some disadvantages that you should be aware of.

Table 1. Advantages and disadvantages of using OAuth

Advantages

  • OAuth is an industry-standard authentication protocol.

  • Authentication is managed by a third-party provider. Your application does not have to collect and store the Exchange credentials.

  • Fewer worries for you, because your application only receives an opaque token from the authentication provider; a security breach in your application can therefore expose only the token, not the user's Exchange credentials. The token is still a bearer credential, so until it expires it must be protected in memory and at rest like any other secret.

Disadvantages

  • OAuth relies on a third-party authentication provider. This can impose additional costs on your organization or your customers.

  • The OAuth standard is more difficult to implement than basic authentication.

  • To implement OAuth, you need to integrate your application with both the authentication provider and the Exchange server.

To help minimize the disadvantages, you can use the Microsoft Azure AD Authentication Library (ADAL) to authenticate users to Active Directory in the cloud or on-premises and then obtain access tokens for securing calls to an Exchange server. Exchange Online requires tokens issued by the Azure Active Directory service (now Microsoft Entra ID), which ADAL supports; however, you can use any library that can obtain tokens from that service. Note that ADAL has since been retired in favor of the Microsoft Authentication Library (MSAL), which new code should use.
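The flow described above, shown end to end as an added example (not code from the original article): an app-only OAuth 2.0 client that obtains a token from the Azure AD / Microsoft Entra token endpoint directly rather than through ADAL or MSAL, checks the token's audience and expiry before using it, and calls EWS with a Bearer header. The tenant ID, client ID and client secret are assumed to come from environment variables, the app registration is assumed to hold the Exchange Online `full_access_as_app` application permission, and the mailbox `alice@contoso.example` is a placeholder.

```powershell
# Added example, not from the original article: app-only OAuth 2.0 for EWS in Exchange Online.
# Assumed values: tenant ID, client ID and client secret from environment variables, an app
# registration holding the Exchange Online "full_access_as_app" permission, and a placeholder
# mailbox to impersonate.
$TenantId     = $env:EWS_TENANT_ID
$ClientId     = $env:EWS_CLIENT_ID
$ClientSecret = $env:EWS_CLIENT_SECRET      # never hard-code or log the secret
$Mailbox      = 'alice@contoso.example'

# 1. Client-credentials grant at the Microsoft identity platform v2.0 token endpoint. The scope
#    names the EWS resource; this application never handles a user's password.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://outlook.office365.com/.default'
        grant_type    = 'client_credentials'
    }
$accessToken = $tokenResponse.access_token

# 2. Inspect the token before using it. Exchange verifies the signature; the client only decodes
#    the payload to catch a wrong audience (wrong scope) or an expiring token, so it can refresh
#    instead of sending a request that will fail with 401.
function Get-JwtPayload([string]$Jwt) {
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}
$claims  = Get-JwtPayload $accessToken
$expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
# Exchange Online tokens carry the resource URI or the Exchange Online application ID as audience.
$ewsAudiences = @('https://outlook.office365.com', '00000002-0000-0ff1-ce00-000000000000')
if ($claims.aud -notin $ewsAudiences) {
    throw "Token audience is '$($claims.aud)', not Exchange Online; check the requested scope."
}
if ($expires -lt [DateTimeOffset]::UtcNow.AddMinutes(5)) {
    throw "Token expires at $expires; acquire a fresh one before calling EWS."
}
if ($claims.roles -notcontains 'full_access_as_app') {
    Write-Warning 'Token carries no full_access_as_app role; the impersonation below will be denied.'
}

# 3. Call EWS with the Bearer token. An app-only token must name the mailbox it acts on, both in
#    the ExchangeImpersonation SOAP header and in X-AnchorMailbox (which routes the request to the
#    right backend). The body is a minimal GetFolder on the Inbox.
$soap = @"
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2013_SP1" />
    <t:ExchangeImpersonation>
      <t:ConnectingSID><t:PrimarySmtpAddress>$Mailbox</t:PrimarySmtpAddress></t:ConnectingSID>
    </t:ExchangeImpersonation>
  </soap:Header>
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape><t:BaseShape>IdOnly</t:BaseShape></m:FolderShape>
      <m:FolderIds><t:DistinguishedFolderId Id="inbox" /></m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>
"@

$response = Invoke-WebRequest -Method Post -Uri 'https://outlook.office365.com/EWS/Exchange.asmx' `
    -Headers @{ Authorization = "Bearer $accessToken"; 'X-AnchorMailbox' = $Mailbox } `
    -ContentType 'text/xml; charset=utf-8' -Body $soap -UseBasicParsing

$result = ([xml]$response.Content).Envelope.Body.GetFolderResponse.ResponseMessages.GetFolderResponseMessage
"GetFolder for $Mailbox : $($result.ResponseClass)"   # Success once token, role and impersonation line up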

To learn more about using OAuth authentication in your EWS application, see the following resources:

NTLM authentication

NTLM authentication is only available for Exchange on-premises servers. For applications that run inside the corporate firewall, the integration between NTLM authentication and the .NET Framework provides a built-in means to authenticate your application with the logged-on user's Windows credentials.

Table 2. Advantages and disadvantages of using NTLM authentication

Advantages

  • Works "out of the box" with your Exchange server. You can configure access to Exchange services by using an Exchange Management Shell cmdlet (Set-WebServicesVirtualDirectory).

  • Uses the .NET Framework CredentialCache object to automatically obtain the user's credentials.

  • Code samples are available that use the logged-on user's credentials for authentication to an on-premises Exchange server.

Disadvantages

  • Users must be logged on to a domain to use NTLM authentication.

  • It can be difficult to access email accounts that are not associated with the user's domain account.

  • Service applications must have a domain account to take advantage of NTLM authentication.
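An added example (not code from the original article) of the interactive and service-application cases described in this section, using the same .NET types an EWS application would use. It first probes the endpoint anonymously to see which schemes the EWS virtual directory offers, then authenticates with the logged-on user's credentials (the CredentialCache.DefaultNetworkCredentials path), and finally with an explicit domain service account. The server name `mail.contoso.example` is a placeholder; a GET is used so no SOAP body is needed, because only the authentication outcome is of interest here.

```powershell
# Added example, not from the original article: Windows-integrated (NTLM/Negotiate) authentication
# against an on-premises EWS endpoint. Assumed server name: mail.contoso.example.
Add-Type -AssemblyName System.Net.Http   # required on Windows PowerShell 5.1; harmless on PowerShell 7

$EwsUrl = 'https://mail.contoso.example/EWS/Exchange.asmx'
if (([Uri]$EwsUrl).Scheme -ne 'https') {
    throw "Refusing to send Windows credentials over $EwsUrl; use HTTPS"
}

function Invoke-EwsGet([Net.ICredentials]$Credentials) {
    # HttpClientHandler carrying an ICredentials is the pipeline an EWS client uses: Windows
    # negotiates Kerberos or NTLM against the server's challenge, the password never leaves the box.
    $handler = [Net.Http.HttpClientHandler]::new()
    if ($Credentials) { $handler.Credentials = $Credentials }
    $client = [Net.Http.HttpClient]::new($handler)
    try     { $client.GetAsync($EwsUrl).GetAwaiter().GetResult() }
    finally { $client.Dispose() }
}

# 1. Anonymous probe: the 401 challenge lists the schemes the virtual directory offers, a quick
#    way to confirm what the Exchange Management Shell configuration left enabled.
$probe = Invoke-EwsGet $null
"Anonymous: HTTP $([int]$probe.StatusCode)"
$probe.Headers.WwwAuthenticate | ForEach-Object { "  offered: $($_.Scheme)" }   # e.g. Negotiate, NTLM, Basic

# 2. Interactive application inside the domain: the logged-on user's credentials. A 401 here
#    means the user is not logged on to the domain (or has no access to the mailbox).
$me = Invoke-EwsGet ([Net.CredentialCache]::DefaultNetworkCredentials)
"Logged-on user: HTTP $([int]$me.StatusCode)"

# 3. Service application: a dedicated domain account rather than the interactive user. Prompted
#    here; in production load it from a secret store, not from a configuration file.
$svc = Get-Credential -Message 'EWS service account (DOMAIN\user)'
$svcResult = Invoke-EwsGet ($svc.GetNetworkCredential())
"Service account: HTTP $([int]$svcResult.StatusCode)"
```

For real calls, replace the GET with a POST carrying a SOAP body; the handler and credential setup stay the same.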

Basic authentication

Basic authentication provides a, well, basic level of security for your client application. We recommend that all new applications use either NTLM or the OAuth protocol for authentication; however, basic authentication can be the correct choice for your application in some circumstances. Note that Exchange Online has since turned off Basic authentication for EWS, so it remains an option only against on-premises servers.

Table 3. Advantages and disadvantages of using basic authentication

Advantages

  • Works "out of the box" with your Exchange server. You can configure access to Exchange services by using an Exchange Management Shell cmdlet (Set-WebServicesVirtualDirectory).

  • Windows applications can use the logged-on user's default credentials.

  • Many code samples are available that show you how to call EWS using basic authentication.

Disadvantages

  • Requires your application to collect and store the user's credentials.

  • You have to turn off NTLM authentication if you want to force all users to use basic authentication.

  • If a security breach occurs in your application, it can expose the user's email address and password to the attacker.

You need to decide whether basic authentication meets the security requirements of your organization and customers. Basic authentication can be the right choice if you want to avoid extensive setup tasks, for example for simple test or demonstration applications, and then only over HTTPS, because the password travels in every request.
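The Exchange Management Shell configuration mentioned in both Table 2 and Table 3, as an added example (not from the original article): it shows the current authentication settings of the EWS virtual directory, then switches it to Windows-only (the recommended on-premises posture) or, as the Basic section describes, turns Windows authentication off to force Basic, refusing to do so unless the directory's URLs are HTTPS. The server name `MBX01` in the identity is a placeholder; run this in the Exchange Management Shell on the server.

```powershell
# Added example, not from the original article: inspect and change the authentication methods
# offered by the EWS virtual directory. Assumed identity: "MBX01\EWS (Default Web Site)".
$Identity = 'MBX01\EWS (Default Web Site)'

# 1. See what is currently enabled.
Get-WebServicesVirtualDirectory -Identity $Identity |
    Format-List Identity, InternalUrl, ExternalUrl, WindowsAuthentication, BasicAuthentication, OAuthAuthentication

function Set-EwsAuthentication {
    param(
        [Parameter(Mandatory)] [string]$Identity,
        [Parameter(Mandatory)] [ValidateSet('Windows', 'Basic')] [string]$Mode
    )
    $vdir = Get-WebServicesVirtualDirectory -Identity $Identity
    if ($Mode -eq 'Basic') {
        # Basic sends the password with every request; never offer it on a non-HTTPS URL.
        foreach ($url in @($vdir.InternalUrl, $vdir.ExternalUrl) | Where-Object { $_ }) {
            if ($url.Scheme -ne 'https') { throw "Refusing to enable Basic: $url is not HTTPS" }
        }
    }
    # Switch both flags in one call so the directory never ends up with neither method enabled.
    Set-WebServicesVirtualDirectory -Identity $Identity `
        -WindowsAuthentication ($Mode -eq 'Windows') `
        -BasicAuthentication   ($Mode -eq 'Basic')
    Get-WebServicesVirtualDirectory -Identity $Identity |
        Select-Object Identity, WindowsAuthentication, BasicAuthentication
}

# 2. Recommended on-premises posture: Windows (NTLM/Kerberos) on, Basic off, so no client can be
#    tricked into posting a password.
Set-EwsAuthentication -Identity $Identity -Mode Windows

# 3. The reverse, which the article mentions: forcing every client to use Basic requires turning
#    Windows authentication off. Uncomment only if that is really what you want.
# Set-EwsAuthentication -Identity $Identity -Mode Basic

# If clients still see the old challenge after the change, recycle the EWS application pool:
# Restart-WebAppPool -Name MSExchangeServicesAppPool
```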

See also