Tuesday, February 8, 2011

How to configure Form Based Authentication in the same time for internal accessing the Exchange server directly and external users accessing the server via Forefront TMG

I answered a question today regarding the fact that when you publish an Exchange server via Forefront TMG and you want to have Form Based Authentication (FBA) for the external users, you have to disable it for the internal users.

Publishing OWA within TMG with FBA requires you to enable Basic Authentication for the owa (Default Web Site) virtual directory in Exchange and disable FBA .
If you don’t do that, when authenticating from outside your network you will be required to authenticate twice, once on TMG and another time on the Exchange Server.

In order to have Form Based Authentication in the same time for your internal and external users you have to create a new web site on the Exchange Server and create a new OWA virtual directory there.

The steps are:
1. Create a new Web site within your IIS management interface


2. Configure the new web site considering the followings:
- The IP address and port combination should be unique
- Create a folder for the Physical path and assign to the Local Service and the Network service read rights for that location
- Remember the site name because you will need it later

3. Verify that the new web site was created and it’s running


4. In Exchange Powershell console run the command New-OwaVirtualDirectory -WebSiteName "Internal OWA"

5. Create the corresponding ECP virtual directory by running the command New-ECPVirtualDirectory -WebSiteName "Internal OWA"

6. Configure the newly created OWA and ECP virtual directory for FBA authentication using the following cmdlets:
- set-OwaVirtualDirectory -Identity "owa (Internal OWA)" -FormsAuthentication $true
- set-ECPVirtualDirectory -Identity "ecp (Internal OWA)" -FormsAuthentication $true

7. Restart the IIS by running in elevated command promt the command iisreset /noforce

8. Instruct the internal users to access the newly created virtual directory


  1. thanks for this post. I too am trying to get Forms Based working on the inside and ouside with TMG.
    I can see what you are doing but dont you need DNS settings adjusted as well? add IP's?
    can you explain that side of the workings possibly?

    1. It depends. The best idea would be to use a split DNS in order to have the same links for internal as well as for external users. You can find more details here http://www.isaserver.org/tutorials/you_need_to_create_a_split_dns.html