- How this Article is Organized
- Obtaining the Scripts and Tools for this Article
- Integration – A Historical Perspective
- Pre-Cooking and General Preparation
- Outlook Fat Client a la Carte Recipe
- Outlook Express Messaging Soup Recipe
- OWA Over a Netlet With a DNS Twist Recipe
- OWA Luau with Rewriter Fire Dancing: the 3 o'clock Show
- OWA Luau with Rewriter Hula Dancing: the 6 o'clock Show
- About the Author
- Ordering Sun Documents
- Accessing Sun Documentation Online
Pre-Cooking and General Preparation
Change the authentication scheme from NTLM (Microsoft Windows authentication scheme) to BASIC on the Microsoft Exchange Server.
Set up a test environment which includes Exchange, portal server, and any required clients.
You must have certain patches installed on your portal server before you perform any of the recipes. The patch requirements are different depending on the version of the Sun ONE Portal Server software. See "Obtaining the Required Patches" on page 5.
To Change the Authentication Scheme for Microsoft Exchange:
Launch the Exchange System Manager.
Expand the Exchange server instance.
Expand Exchange Virtual Server.
Right click over Exchange and select Properties.
From the properties window select the Access tab.
Choose the Authentication button from Authentication Settings.
Uncheck Integrated Windows Authentication.
Enter \ (the default, or specify the realm authentication identifier for your configuration) as the domain for Basic Authentication.
From the Control Panel, select Administrative Tools.
Select Internet Services Manager.
Expand the web site icon representing the server instance that Exchange is using.
Expand Default Web Site.
Right click over the Exchange folder and select Properties.
Choose Directory Security Tab.
Under the Anonymous Access and Authentication Control tab, choose Edit.
Select Edit next to Basic authentication.
Select Use Default and then OK.
Deselect Integrated Windows Authentication.
Right click over Exchweb and make the same properties change.
Verify that the scheme has changed by directing an Internet Explorer browser instance to the OWA login page. There are now two user-modifiable fields rather than three. The third field in NTLM is for the domain being authenticated against.
Make sure that the realm is the same for all end user web accessible Exchange components.
The configuration change is necessary from the Exchange System Manager as well as from Internet Information Services (IIS), so that NTLM will not be re-enabled once the system is rebooted. The configuration should be rechecked after a system reboot to make sure NTLM has not been automatically re-enabled.
Setting Up a Test Environment For the Integration
The test environment necessary will depend on the recipe chosen for integration. If the integration is going to be done through the rewriter, for instance, a two-tier portal installation should be set up, preferably with a packet-filtering firewall between the client and the Portal Gateway. The firewall should have two ports open:
When the Gateway is running in HTTP mode (Only during debugging. Refer to the change_gw_mode.xml script that is available with the downloadable scripts and tools)
When the Gateway is running in HTTPs mode
The open mode port should be a different port than what Exchange is running on so that no direct connections can be established between a client outside the firewall and the Exchange server itself. A firewall in a test environment is the best way to avoid unseen network and configuration problems which will show up in production. A separate Exchange box, which is pre-populated with a few test accounts, should also be used in the test environment.
Why Do I Need to Change the Authentication Scheme in Microsoft Exchange?
If you are planning on trying a rewriter recipe for your integration, there are some initial things you should do prior to continuing. First, Microsoft ships out of the box with NTLM authentication enabled. NTLM authentication is a Microsoft proprietary protocol which is not implemented in most reverse proxies, including the Portal Gateway. There are arguments for and against NTLM as being more or less secure than BASIC authentication. Regardless, the NTLM authentication scheme should only be used in a Windows domain1, so it should be disabled for customers accessing OWA from the Internet. This authentication type must be disabled for Microsoft Internet Explorer users accessing the Exchange Server through the Portal Gateway to:
Successfully authenticate to Exchange.
Allow the Gateway to store the BASIC auth credentials so that Exchange access can be done using single sign on (SSO) to the portal server after the first log in
Why Do I Need a Test Environment?
A test environment is useful for many reasons, including trying different recipes and working out any kinks to avoid disrupting service to end users on a production system. A firewall is important for testing the rewriter integration because there are many areas in Exchange 2000 SP3 where the IE browser initiates direct HTTP requests using ActiveX triggered from user-initiated events. Part of the rewriter integration is making sure that these ActiveX requests go back to the Portal Gateway rather than directly to the Exchange Server.