Microsoft KB Archive/282805

= Basic Authentication Box Is Displayed When You Log on to OWA =

Article ID: 282805

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange 2000 Server Standard Edition

-



This article was previously published under Q282805



SYMPTOMS
When you attempt to log on to Microsoft Outlook Web Access (OWA), the following dialog box is displayed:

Site: Server name

Realm: Server Name

User Name:

Password:



CAUSE
This issue can occur if the Basic authentication method is being used to authenticate users. The computer uses Basic authentication if:
 * You used Exchange System Manager to configure Basic authentication as the access method to the mailbox site.
 * You are using security mechanisms. In this case, the issue may be a security or domain issue.



MORE INFORMATION
To find out the settings that are being used on your computer:  Start Exchange System Manager, and then browse to the following location:

\Protocol\HTTP\Exchange Virtual server\Mailbox site

 Right-click the Mailbox site, and then click Properties. Click the Access tab, and then click Authentication.

To verify that the settings in Exchange System Manager are the same as the settings in the Internet Information Service (IIS) Administrator program:
 * 1) Start the IIS Administrator program.
 * 2) Right-click the Exchange Server site, click Properties, and then click Directory Security.
 * 3) Click Enable anonymous access and edit the authentication methods.

The information in the next two sections are found in Microsoft IIS documentation.

Basic Authentication
The Basic authentication method is a widely used, industry-standard method for collecting user name and password information. When you use Basic authentication, your Web browser displays a dialog box where you can enter your previously assigned Windows 2000 account user names and passwords. The Web browser then attempts to establish a connection using this information. (The password is Base64-encoded before it is sent over the network.)

If the server rejects the information, the Web browser repeatedly displays the dialog box until you either enter a valid user name and password or close the dialog box.

When your Web server verifies that the user name and password that you entered corresponds to a valid Windows user account, a connection is established.

The advantage of Basic authentication is that it is part of the Hypertext Transfer Protocol (HTTP) specification, and is supported by most browsers. The disadvantage is that Web browsers that use Basic authentication transmit passwords in an unencrypted form. If a non-user monitors communications on your network, they can easily intercept and decipher these passwords by using publicly available tools. Therefore, Basic authentication is not recommended unless you are confident that the connection between the user and your Web server is secure; direct cable connections or a dedicated lines are secure connections.

Windows Authentication (Formerly Called NTLM or Windows NT Challenge/Response Authentication)
Windows authentication is a secure form of authentication because the user name and password are not sent across the network. When you enable integrated Windows authentication, the user's browser proves its knowledge of the password through a cryptographic exchange with your Web server that involves hashing.

Integrated Windows authentication can use both the Kerberos v5 authentication protocol and its own challenge/response authentication protocol. If Directory Services is installed on the server, and the browser is compatible with the Kerberos v5 authentication protocol, both the Kerberos v5 protocol and the challenge/response protocol are used; otherwise only the challenge/response protocol is used.

The Kerberos v5 authentication protocol is a feature of the Windows 2000 Distributed Services architecture. For Kerberos v5 authentication to be successful, both the client and server must have a trusted connection to a Key Distribution Center (KDC) and be Directory Services compatible. For more information about the protocol, see the Windows documentation.

When you use integrated Windows authentication, you are not initially prompted for a user name and password. This behavior is different from Basic authentication. The current Windows user information on the client computer is used for the integrated Windows authentication.

Note Microsoft Internet Explorer, version 4.0 and later, can be configured to initially prompt for user information if needed. For more information, see the Internet Explorer documentation.

However, if the authentication exchange initially fails to identify the you, the browser prompts you for a Windows user account user name and password, which it processes by using integrated Windows authentication. Internet Explorer continues to prompt you until the you enter a valid user name and password, or close the prompt dialog box. Although integrated Windows authentication is secure, it does have two limitations:
 * Only Microsoft Internet Explorer, version 2.0 or later, supports this authentication method.
 * Integrated Windows authentication does not work over HTTP Proxy connections.

Therefore, integrated Windows authentication is best suited for an intranet environment where both user and Web server computers are in the same domain, and where administrators can ensure that every user has Microsoft Internet Explorer, version 2.0 or later.

Note Integrated Windows authentication takes precedence over Basic authentication. The browser chooses integrated Windows authentication and attempts to use the current Windows logon information before prompting the user for a user name and password. Currently, only Internet Explorer version 2.0 and later supports integrated Windows authentication.

Additional query words: esm ds XADM

Keywords: kberrmsg kbprb KB282805

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.