Identification and Authentication provide the foundation for access control. Access to email services applications in the DoD require authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Receive Connector, which operates Outlook Web App (OWA), is used to enable web access to user email mailboxes. This setting controls whether forms-based login should be used by the OWA web site.
Forms-based login enables a user to enter an Account and Password for the web session. The form stores the username and password information in browser cookies, and enables the user's mailbox server to be located without user participation. The cookies persist throughout the OWA session after which they are destroyed.
Because the DoD requires Common Access Card (CAC)-based authentication to applications, OWA access must be brokered through an application proxy (for example, Internet Security and Acceleration [ISA]), which performs CAC authentication using a proxy-hosted OWA form. The authenticated request is then forwarded directly to OWA, where authentication is repeated without requiring the user to repeat authentication steps. For this scenario to work, the Application Proxy server must have forms-based authentication enabled, and Exchange must have forms-based Authentication disabled.
If forms-based Authentication is enabled on the Exchange Front End server, it is evidence that the application proxy server is either not correctly configured, or it may be missing. |