Forum Discussion

wandarah
Level 5
14 years ago
Solved

Basic Authentication

Turning off basic authentication on the EV VD's - I know that'd break external access to AE and Search Archive functionality (for Exchange 2010, and I'm assuming the same for 2003 - or does it proxy those requests?)

What else would it break? Assuming all clients and Exchange servers are trusted hosts. I'm not sure of all the Exchange configs in the environment, but I'm assuming if they're not using IWA between them, it'd break any retrieval process too...


  • I guess the question is... why would you want to? It'll break any page where the user is not on a domain (Macs/Linux/remote etc) that tries to call anything in the webapp directory
  • Yep. 

    Ah, client just has an issue connecting to a particular EV server (it prompts). Just one particular server with users using IE6 (yes I am aware it isn't 'supported'), not just EV VD's, but any call to IIS on the server. Webconfig is exactly the same as the server against which the client doesn't prompt. Users of IE6 on the same PC, in the same domain etc can access a different server fine. 

    It's just so odd is all, I've not seen the behaviour ever before - it's now at the point of them asking 'what happens if we turn off basic' (basic seems to be trumping IWA). 

    I was under the impression though that it won't break recalls/retrieves via OWA (or at least, not in 2003)?

  • Well the thing is, it's not the web server that dictates what authentication will be used, it's the client such as IE or Firefox etc that has to send the request, so most requests should be Negotiate, in which the server is polled for what authentication methods are supported. In this case it sounds like IE may have been "locked" down so that it does not do automatic authentication; this will most likely be set in the trusted/intranet zones where automatic login is configured under security.
  • I know, but nope - same client works against different EV server in same site. 

  • Yeah but it depends on how the browser treats it, so if serverA is in the intranet zone and serverB isn't, then serverB will prompt for the un/pw and serverA will be automatically authenticated
  • A fix has been found after some excellent work by a client resource - 

    The line <add name="BasicAuthenticationModule" lockItem="true" /> has to be above <add name="WindowsAuthenticationModule" lockItem="true" /> in the applicationhost.config file. 

    If it is the other way around, Basic will supersede IWA regardless of what the client wants.
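
A read-only check for the ordering described in the fix above, as an added example that is not part of the thread: it parses an applicationHost.config and reports, for each `<modules>` list, which of the two authentication modules is listed first. The function name `Get-AuthModuleOrder` and the sample XML are constructed for illustration, and it assumes the two `<add>` lines sit under `system.webServer/modules`.

```powershell
# Added example, not from the thread. Read-only: parses the XML, changes nothing.
function Get-AuthModuleOrder {
    param([Parameter(Mandatory = $true)][xml]$Config)

    # Assumption: the <add ... lockItem="true" /> lines live under
    # system.webServer/modules, at the root or inside a <location> block.
    foreach ($modules in $Config.SelectNodes('//system.webServer/modules')) {
        $names   = @($modules.SelectNodes('add') | ForEach-Object { $_.GetAttribute('name') })
        $basic   = [array]::IndexOf($names, 'BasicAuthenticationModule')
        $windows = [array]::IndexOf($names, 'WindowsAuthenticationModule')

        if ($basic -lt 0 -or $windows -lt 0) {
            $status = 'one or both modules not listed here'
        } elseif ($basic -lt $windows) {
            $status = 'Basic above Windows (the order given in the fix)'
        } else {
            $status = 'Windows above Basic (the order the fix says to avoid)'
        }

        $location = $modules.SelectSingleNode('ancestor::location')
        [pscustomobject]@{
            Scope        = if ($location) { "location path='$($location.GetAttribute('path'))'" } else { '(root)' }
            BasicIndex   = $basic
            WindowsIndex = $windows
            Status       = $status
        }
    }
}

# Constructed sample with Windows listed above Basic, the order the fix reverses.
$sample = [xml]@'
<configuration>
  <system.webServer>
    <modules>
      <add name="WindowsAuthenticationModule" lockItem="true" />
      <add name="BasicAuthenticationModule" lockItem="true" />
    </modules>
  </system.webServer>
</configuration>
'@
Get-AuthModuleOrder -Config $sample | Format-List

# On a server, from an elevated prompt (standard IIS config location):
# Get-AuthModuleOrder -Config ([xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"))
```

Running it against both the prompting server and the working one makes an ordering difference visible even when the web.config files are identical, since this setting lives in applicationHost.config.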