

FE-BE Authentication: Core Content

By default, HTTP virtual servers on the back end are configured to allow both basic authentication and Integrated Windows Authentication. You should use this default configuration.

Basic authentication passes the user name and password across the network in a lightly encoded (not encrypted) format. Integrated Windows Authentication refers to a package of authentication mechanisms (such as NTLM and Kerberos) that are more secure and that do not send the password across the network in clear text.

When the front-end HTTP virtual servers authenticate requests, authentication information is requested from the user. The user sends authentication information to the front-end server, which authenticates the user and then passes the information to the back-end server. The back-end server then authenticates the user, but it does not need to request authentication information from the user again.

· Exchange 2000 front-end servers will use basic authentication to the back-end server for HTTP access.

· Exchange 2003 front-end servers will use integrated authentication to the back-end server for HTTP access.

Only Internet Explorer supports Integrated Windows Authentication directly against a back-end server.

Kerberos Authentication

New for Exchange Server 2003 is the ability for the Exchange front-end server to use Kerberos authentication for HTTP sessions between the front-end and its respective back-end servers. While the authentication is now using Kerberos, the session is still being sent using clear text. Therefore, if the network is public or the data is sensitive, it is recommended that you use Internet Protocol security (IPSec) to secure all communication between the Exchange front-end and back-end servers.

Client to Front-end Server Authentication

Note

Front-end servers do not support integrated Windows authentication (which includes both NTLM and Kerberos authentication) or HTTP 1.1 Digest authentication.

Basic Authentication

Basic authentication does not support single sign-on. Single sign-on means that a user logs on to a computer that is running Windows, authenticates against a domain, and can then access all resources and applications in the domain without re-entering their credentials. Microsoft Internet Explorer versions 4.0 and later allow single sign-on for Web applications, including Outlook Web Access, if the server being accessed has Integrated Windows authentication enabled. Because front-end servers do not support Integrated Windows authentication, when users access HTTP applications, the front-end server always prompts them for authentication and they must re-enter their credentials, even if they already used Windows to log on. However, users only have to enter credentials once per browser session, because their credentials are cached in the browser process.

Forms-Based Authentication

Note

Forms-based authentication is supported only by Exchange Server 2003. However, you can use an Exchange 2003 Server front-end with an Exchange 2000 Server back-end and benefit from forms-based authentication.

Forms-based authentication uses a cookie to identify the user after the initial logon. Tracking the use of this cookie allows Exchange to time out inactive sessions. However, the user's name and password are still transmitted in clear text at the initial logon, just as with basic authentication. This is why SSL encryption must be used with forms-based authentication.

Front-End to Back-End Authentication

The front-end server must send user credentials to the back-end server along with the Web requests so the back-end server can allow access to the data.

Integrated Authentication

Exchange 2003 front-end servers will use Kerberos authentication to protect user credentials between the front-end and back-end servers. If Kerberos authentication fails, a warning event will be logged and the front-end will try NTLM instead. If NTLM fails, an error will be logged and basic authentication will be used.

To allow the front-end to use integrated authentication, the back-end virtual servers should be configured to allow integrated authentication (which they are by default).

Note

Both Exchange 2003 and Exchange 2000 back-end servers will support integrated authentication from an Exchange 2003 front-end server.

Basic Authentication

The front-end proxies the basic authentication credentials to the back-end servers. To secure this information, it is highly recommended that IPSec be used between the front-end and back-end servers.
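The following is an added example, not code from Microsoft or from the original page. It makes concrete why basic authentication is described above as "lightly encoded (not encrypted)": given the Authorization header on a proxied front-end to back-end request, anyone on the network path can recover the user name and password with a base64 decode, which is why IPSec is recommended for that hop. The same routine tells Kerberos, NTLM and basic apart, and ranks each hop using the fallback order the page describes for Exchange 2003 front-ends (Kerberos expected, NTLM logged as a warning, basic logged as an error). The sample headers are constructed here, with the Kerberos and NTLM tokens truncated to the prefixes needed for identification.

```python
"""Classify the Authorization header on front-end -> back-end HTTP requests.

Added example, not Microsoft's code. The sample headers below are constructed.
"""
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity mirrors the front-end fallback order described on the page:
# Kerberos is expected, NTLM means Kerberos failed (warning), basic means
# both failed and the password now crosses the network (error).
SEVERITY = {"kerberos": "ok", "ntlm": "warning", "basic": "error"}


@dataclass
class AuthHop:
    scheme: str                                    # kerberos / ntlm / basic / other
    credentials: Optional[Tuple[str, str]] = None  # (user, password) if recoverable


def classify_authorization(header: str) -> AuthHop:
    """Parse one Authorization header value and identify the mechanism used."""
    scheme, _, token = header.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return AuthHop("malformed")
    if scheme == "basic":
        # RFC 7617: base64("user:password"). Nothing here is hidden from the wire.
        user, _, password = raw.decode("latin-1").partition(":")
        return AuthHop("basic", (user, password))
    if scheme in ("negotiate", "ntlm"):
        # NTLMSSP messages carry a fixed 8-byte signature; a GSS-API initial
        # context token (Kerberos wrapped in SPNEGO) starts with ASN.1 tag 0x60.
        if raw.startswith(b"NTLMSSP\x00"):
            return AuthHop("ntlm")
        if raw[:1] == b"\x60":
            return AuthHop("kerberos")
        return AuthHop("negotiate-unknown")
    return AuthHop(scheme)


def audit_hop(headers: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (scheme, severity, exposed_user) for each proxied request."""
    findings = []
    for h in headers:
        hop = classify_authorization(h)
        severity = SEVERITY.get(hop.scheme, "unknown")
        exposed = hop.credentials[0] if hop.credentials else None
        findings.append((hop.scheme, severity, exposed))
    return findings


# Constructed sample headers (not captured traffic). Tokens are truncated.
SAMPLE_HEADERS = [
    # SPNEGO/Kerberos: APPLICATION 0 tag, length, then the SPNEGO OID 1.3.6.1.5.5.2
    "Negotiate " + base64.b64encode(b"\x60\x82\x05\x1a\x06\x06\x2b\x06\x01\x05\x05\x02").decode(),
    # NTLM type 1 (negotiate) message prefix
    "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode(),
    # Basic: the whole credential is recoverable by anyone who sees the request
    "Basic " + base64.b64encode(b"CONTOSO\\jdoe:Passw0rd!").decode(),
]

if __name__ == "__main__":
    for scheme, severity, user in audit_hop(SAMPLE_HEADERS):
        note = f"user exposed: {user}" if user else ""
        print(f"{scheme:10} {severity:8} {note}")
```

Run against a capture of the front-end to back-end hop, a single "error" row is the signal that basic credentials are being proxied in the clear and that IPSec (or the integrated-authentication configuration on the back-end virtual servers) needs attention; a "warning" row shows the Exchange 2003 front-end has fallen back from Kerberos to NTLM.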

Note

Basic authentication between the front-end and back-end servers is supported by both Exchange 2000 and Exchange 2003 front-end servers.