How to make more secure Exchange 2019 OWA

Question

How to make more secure Exchange 2019 OWA

Dmitry Horushin 61

Hi,
We are currently using basic authentication / FBA for OWA, but it looks unsecure in the modern world.
What are best practices to secure OWA?

We tested 2 options:

ADFS authentication;
Windows authentication (we were trying to use Kerberos as it's described in the article https://techcommunity.microsoft.com/t5/iis-support-blog/setting-up-kerberos-authentication-for-a-website-in-iis/ba-p/347882#:~:text=%20Setting%20up%20Kerberos%20Authentication%20for%20a%20Website,be%20used.%20It%20might%20also%20use...%20More%20. But the last requires to change site's settings and we are not sure how it affects all means of clients' access).

Best regards,
Dmitry Horushin.

Kai Yao 37,786 Reputation points Moderator

2021-06-16T03:08:49.477+00:00

Hi @Dmitry Horushin

I am writing here to confirm with you how thing going now?
Please let us know if you would like further assistance.

Answer accepted by question author

3 additional answers

Your answer

Kai Yao 37,786 Reputation points Moderator

2021-06-16T03:08:49.477+00:00

Hi @Dmitry Horushin

I am writing here to confirm with you how thing going now?
Please let us know if you would like further assistance.

Answer 1

Andy David - MVP 160.2K MVP Volunteer Moderator

I would use App Proxy for that:
https://thesleepyadmins.com/2019/02/10/configure-mfa-for-azure-application-proxy/

0 comments

Answer 2

Andy David - MVP 160.2K MVP Volunteer Moderator

I would integrate with ADFS ( and use a MFA solution as well)

Dmitry Horushin 61 Reputation points

2021-05-29T16:58:25.643+00:00

Hi, Andy.
Thank you for sharing your opinion. I appreciate it.
Regards,
Dmitry Horushin
Kai Yao 37,786 Reputation points Moderator

2021-06-03T05:12:26.197+00:00

Hi Dmitry.

I am writing here to confirm with you how thing going now?
If you have any questions or needed further help on this issue, please feel free to post back.

Answer 3

Andy David - MVP 160.2K MVP Volunteer Moderator

Sounds like you need to setup Azure Modern Auth instead:

https://learn.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide

Dmitry Horushin 61 Reputation points

2021-06-07T12:28:27.11+00:00

Hi,
You see, in the article https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide there are prerequisites:
...
Note
Outlook Web App and Exchange Control Panel does not work with hybrid Modern Authentication.
...

Outlook for Windows works fine by using a modern authentication, but we miss the same advantage for OWA on-premises.

Regards,
Dmitry Horushin

Answer 4

Dmitry Horushin 61

Hi
Thank you.
My superior wants to test a configuration with Kerberos authentication when requests of external OWA users are accepted by Azure based proxy servers. He believes that this configuration is easy to configure and maintain that a configuration with ADFS and MFA. But we miss a documentation how to set up OWA with Kerberos.

Our further steps:

set up an Azure proxy for external users;
set up a second Exchange 2019 server to see how it works with load balancer;
install the next Exchange 2019 CU and test how it affects the configuration.

If you can help to find Microsoft recommendations/best practices how to secure Exchange OWA on-premises, it will be wonderful.
Best regards,
Dmitry Horushin.

Kai Yao 37,786 Reputation points Moderator

2021-06-07T08:48:40.743+00:00

Hi,

Here is a link by Microsoft on setting ADFS for OWA for your reference:
Use AD FS claims-based authentication with Outlook on the web

Share via

How to make more secure Exchange 2019 OWA

3 additional answers

Your answer