Exchange 2013: Default virtual directories settings.

In this post I’m going to list the default settings of the Exchange 2013 virtual directories.

  1. Virtual Directories default settings
  2. Common configuration tasks and descriptions
    • InternalURL
    • ExternalURL
    • Authentication settings
  3. Directories available in Exchange admin center (EAC)
    • Available in: Default Web site
    • Available in: Exchange Back End
  4. Password type description
    • Integrated Windows authentication
    • Digest authentication for Windows domain servers
    • Basic authentication
    • Forms-based authentication
  5. Virtual Directories listed in Exchange Admin Center (EAC)

The post includes listings of each virtual directory as seen in the Exchange Admin Center (EAC, the GUI), the Exchange Management Shell (EMS, PowerShell) and IIS.

Virtual Directories default settings:

They can all be set up with basic settings using the Exchange Admin Center (EAC) and configured in more depth using the Exchange Management Shell (EMS). Aside from the settings you configure through the EAC and EMS, there are settings you have to manage through IIS.

If you want to actually set up the virtual directories using PowerShell, you can read the post I wrote about it here:
Exchange 2010/13 Setup all virtual directories

First of all, you find your virtual directories by browsing to https://<servername>/ecp/

Navigate to Servers -> Virtual directories. Here you will find the following virtual directories:

Virtual directory (Sites \ Default Web Site) | Default IIS authentication methods (as shown in IIS Manager) | IIS SSL settings | Default authentication methods in the EAC | EMS InternalAuthenticationMethods | EMS ExternalAuthenticationMethods
---|---|---|---|---|---
Autodiscover | Anonymous, Basic, Windows | SSL required | Integrated Windows, Basic | Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth | Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth
ECP (Exchange Control Panel) | Anonymous, Basic | SSL required | Use forms-based authentication | Basic, Fba | Fba
EWS (Exchange Web Services) | Anonymous, Basic | SSL required | Integrated Windows | Ntlm, WindowsIntegrated, WSSecurity, OAuth | Ntlm, WindowsIntegrated, WSSecurity, OAuth
Mapi | Windows | SSL required | Not available in EAC | Ntlm, OAuth, Negotiate | Not configured
Microsoft-Server-ActiveSync | Basic | SSL required | Basic; Ignore client certificate | Not set * (all methods can be used) | Not set * (all methods can be used)
OAB (Offline Address Book) | Windows | not listed | None available | WindowsIntegrated, OAuth | WindowsIntegrated, OAuth
OWA (Outlook Web App) | Basic | SSL required | Use forms-based authentication; Domain\user name | Basic, Fba | Basic, Fba
OWA\Calendar | Anonymous | Ignore client certificates | None available | n/a | n/a
OWA\Integrated | Windows | SSL required; Ignore client certificates | None available | n/a | n/a
OWA\oma (Outlook Mobile Access) | Basic | Ignore client certificates | None available | n/a | n/a
PowerShell | Windows | Not required | None set | {} | {}

* The InternalAuthenticationMethods parameter specifies the authentication methods supported by the server that contains the virtual directory when access is requested from inside the network firewall; ExternalAuthenticationMethods does the same for requests from outside it. If the parameter isn’t set, all authentication methods can be used.
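As an added example (not code from the original post), the following Exchange Management Shell script reads, for one server, the same InternalURL, ExternalURL and authentication-method values that the table above lists, and flags every virtual directory whose InternalAuthenticationMethods or ExternalAuthenticationMethods no longer match the table’s defaults. The server name EX01 is an assumption; the Mapi row is compared with an empty External list because the table shows that column as "Not configured".

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# against an Exchange 2013 Client Access server.
$Server = 'EX01'   # assumed server name; replace with your own

# Defaults from the table above (EMS Internal / External columns). An empty list stands
# for "Not set" or "{}", which Exchange treats as "all methods can be used".
$Expected = @{
    'Autodiscover' = @{ Cmdlet = 'Get-AutodiscoverVirtualDirectory'
                        Internal = 'Basic','Ntlm','WindowsIntegrated','WSSecurity','OAuth'
                        External = 'Basic','Ntlm','WindowsIntegrated','WSSecurity','OAuth' }
    'ECP'          = @{ Cmdlet = 'Get-EcpVirtualDirectory';         Internal = 'Basic','Fba'; External = 'Fba' }
    'EWS'          = @{ Cmdlet = 'Get-WebServicesVirtualDirectory'
                        Internal = 'Ntlm','WindowsIntegrated','WSSecurity','OAuth'
                        External = 'Ntlm','WindowsIntegrated','WSSecurity','OAuth' }
    'Mapi'         = @{ Cmdlet = 'Get-MapiVirtualDirectory';        Internal = 'Ntlm','OAuth','Negotiate'; External = @() }  # table: "Not configured"
    'ActiveSync'   = @{ Cmdlet = 'Get-ActiveSyncVirtualDirectory';  Internal = @(); External = @() }
    'OAB'          = @{ Cmdlet = 'Get-OabVirtualDirectory';         Internal = 'WindowsIntegrated','OAuth'; External = 'WindowsIntegrated','OAuth' }
    'OWA'          = @{ Cmdlet = 'Get-OwaVirtualDirectory';         Internal = 'Basic','Fba'; External = 'Basic','Fba' }
    'PowerShell'   = @{ Cmdlet = 'Get-PowerShellVirtualDirectory';  Internal = @(); External = @() }
}

function ConvertTo-MethodList($methods) {
    # Exchange returns a MultiValuedProperty; compare as a sorted, comma-joined string
    # so that element order alone never produces a false drift report.
    @($methods | ForEach-Object { [string]$_ } | Sort-Object) -join ','
}

function Get-VdirAuthDrift {
    param([string]$ServerName, [hashtable]$Defaults)
    foreach ($name in ($Defaults.Keys | Sort-Object)) {
        $spec = $Defaults[$name]
        # Invoke the Get-*VirtualDirectory cmdlet named in the spec. Without
        # -ShowMailboxVirtualDirectories only the front-end (Default Web Site) directory is returned.
        $vdir = & $spec.Cmdlet -Server $ServerName | Select-Object -First 1
        if (-not $vdir) { continue }
        $internal = ConvertTo-MethodList $vdir.InternalAuthenticationMethods
        $external = ConvertTo-MethodList $vdir.ExternalAuthenticationMethods
        [pscustomobject]@{
            Directory         = $name
            InternalUrl       = [string]$vdir.InternalUrl
            ExternalUrl       = [string]$vdir.ExternalUrl
            InternalMethods   = $internal
            ExternalMethods   = $external
            InternalIsDefault = ($internal -eq (ConvertTo-MethodList $spec.Internal))
            ExternalIsDefault = ($external -eq (ConvertTo-MethodList $spec.External))
        }
    }
}

$report = Get-VdirAuthDrift -ServerName $Server -Defaults $Expected
$report | Format-Table -AutoSize

# Directories that no longer match the defaults: either a deliberate change that should be
# documented, or something to investigate.
$report | Where-Object { -not ($_.InternalIsDefault -and $_.ExternalIsDefault) } |
    Format-Table Directory, InternalMethods, ExternalMethods -AutoSize
```

The comparison is done on sorted strings because the multivalued properties come back in whatever order Exchange stores them; a deliberate hardening change (for example removing Basic from OWA) will show up here, which is the point: keep a record of what was changed on purpose so the rest can be treated as drift.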

Aside from the virtual directories listed above, which you can find in the EAC, you also have the following directories to manage through IIS or the EMS:

Virtual directory | Authentication method | SSL settings | Management method
---|---|---|---
Default Website | Anonymous | SSL required | IIS Management Console* (this virtual directory can’t be configured by the user*)
aspnet_client | Anonymous | SSL required | IIS Management Console
Rpc | Basic, Windows | SSL required | Exchange Management Shell (EMS)

* Indicates a difference between a multirole server and a Mailbox-role-only server. You can’t configure this if the server only has the Mailbox role.

An important thing to note is that everything above is listed under the Default Web Site in Internet Information Services (IIS) Manager, where we also find the Exchange Back End site, which is managed separately with its own independent settings.

At the Exchange Back End we find:

Virtual directory | IIS default authentication methods | IIS SSL settings
---|---|---
Autodiscover | Anonymous, Windows | SSL required; Ignore client certificates
ecp | Anonymous, Windows | SSL required; Ignore client certificates
EWS | Anonymous, Windows | SSL required; Ignore client certificates
Exchange* | none listed | SSL required; Ignore client certificates
Exchweb* | none listed | SSL required; Ignore client certificates
mapi* | Anonymous | SSL required; Ignore client certificates
Microsoft-Server-ActiveSync | Basic | SSL required; Ignore client certificates
OAB | Windows | SSL required; Ignore client certificates
owa | Anonymous, Windows | SSL required; Ignore client certificates
owa\Calendar | Anonymous | Ignore client certificates
PowerShell | Windows | SSL required; Accept client certificates
Public* | none listed | SSL required; Ignore client certificates
PushNotifications | Anonymous, Windows | SSL required; Ignore client certificates
Rpc | Windows | Ignore client certificates
RpcWithCert | Windows | Ignore client certificates
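The two IIS tables above (Default Web Site and Exchange Back End) describe settings that the Exchange cmdlets do not show. As an added example that is not part of the original post, the script below reads those IIS-side values directly with the WebAdministration module that ships with IIS, for the directories the tables list, and then applies the check the "Basic authentication" section further down calls for: any directory that accepts Basic authentication must also require SSL. The site and directory names come from the tables; the sslFlags parsing and the report layout are this example’s own.

```powershell
# Added example, not from the original post. Run locally on the Exchange 2013 server
# in an elevated PowerShell window; the WebAdministration module ships with IIS.
Import-Module WebAdministration

# Directories to inspect per IIS site, taken from the two IIS tables above.
$Targets = @{
    'Default Web Site'  = @('Autodiscover','ecp','EWS','mapi','Microsoft-Server-ActiveSync','OAB','owa','PowerShell','Rpc')
    'Exchange Back End' = @('Autodiscover','ecp','EWS','mapi','Microsoft-Server-ActiveSync','OAB','owa','PowerShell','PushNotifications','Rpc','RpcWithCert')
}

# IIS authentication modules and their configuration sections under system.webServer.
$AuthSections = @{
    Anonymous = 'anonymousAuthentication'
    Basic     = 'basicAuthentication'
    Digest    = 'digestAuthentication'
    Windows   = 'windowsAuthentication'
}

function Get-IisValue($attribute) {
    # Get-WebConfigurationProperty usually returns a ConfigurationAttribute (read .Value);
    # accept a bare value as well so the callers below need no special cases.
    if ($null -eq $attribute) { return $null }
    if ($attribute.PSObject.Properties['Value']) { return $attribute.Value }
    return $attribute
}

function Get-VdirIisSettings {
    param([string]$Site, [string]$Vdir)
    $path = "IIS:\Sites\$Site\$Vdir"

    # Which authentication modules are enabled on this directory
    $enabled = foreach ($name in ($AuthSections.Keys | Sort-Object)) {
        $filter = "system.webServer/security/authentication/$($AuthSections[$name])"
        $value  = Get-IisValue (Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name enabled -ErrorAction SilentlyContinue)
        if ($value -eq $true) { $name }
    }

    # sslFlags is a comma-separated list such as "Ssl,SslNegotiateCert"; map it to the IIS Manager
    # wording used in the tables (SSL required / Ignore, Accept or Require client certificates).
    $raw   = [string](Get-IisValue (Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' -Name sslFlags -ErrorAction SilentlyContinue))
    $flags = $raw -split ',' | ForEach-Object { $_.Trim() }
    $certs = if ($flags -contains 'SslRequireCert') { 'Require' } elseif ($flags -contains 'SslNegotiateCert') { 'Accept' } else { 'Ignore' }

    [pscustomobject]@{
        Site               = $Site
        Directory          = $Vdir
        Authentication     = ($enabled -join ', ')
        RequireSsl         = ($flags -contains 'Ssl')
        ClientCertificates = $certs
    }
}

$results = foreach ($site in ($Targets.Keys | Sort-Object)) {
    foreach ($vdir in $Targets[$site]) {
        # Skip directories that do not exist on this role combination
        if (Test-Path "IIS:\Sites\$site\$vdir") { Get-VdirIisSettings -Site $site -Vdir $vdir }
    }
}
$results | Sort-Object Site, Directory | Format-Table -AutoSize

# Basic authentication only encodes the credentials, so a directory that accepts it
# without requiring SSL sends them across the network readable to anyone in the path.
$results | Where-Object { $_.Authentication -match 'Basic' -and -not $_.RequireSsl }
```

Compare the report with the tables: a directory that lists more authentication modules than the default, or that has lost its SSL requirement, has been changed from the out-of-the-box state, and the last line gives you the one combination that should never appear.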

Common configuration tasks and descriptions

The most common tasks when configuring these virtual directories are setting the authentication methods and the InternalURL and ExternalURL.

InternalURL
The InternalURL is the URL that internal clients use to access the virtual directory. It is usually in the format https://servername/Microsoft-Server-ActiveSync.

ExternalURL
The ExternalURL is the URL that external clients use to access the virtual directory. This URL must be reachable from outside your internal network. For example, your ExternalURL could be https://www.contoso.com/.

Authentication settings
You can usually choose one or more methods to authenticate users when they access a virtual directory: Basic, NTLM, Integrated Windows, OAuth.
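The three settings just described are all changed with the Set-*VirtualDirectory cmdlets. As an added example (not taken from the original post or from the linked setup post), the script below sets the InternalURL and ExternalURL on the OWA and ECP directories of one server, switches both to forms-based sign-in only, and reads the result back. The server name, the two host names and the default domain are assumptions; replace them with your own.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Server name, host names and default domain are assumed values; use your own.
$Server       = 'EX01'
$InternalHost = 'mail.contoso.local'   # name internal clients resolve to this server (or load balancer)
$ExternalHost = 'mail.contoso.com'     # published name; it must be present on the server certificate
$Domain       = 'contoso.local'

# Without -ShowMailboxVirtualDirectories, Get-* returns the front-end (Default Web Site) directory
$owa = Get-OwaVirtualDirectory -Server $Server | Select-Object -First 1
$ecp = Get-EcpVirtualDirectory -Server $Server | Select-Object -First 1

# InternalURL / ExternalURL: each client population gets a name that resolves for it
Set-OwaVirtualDirectory -Identity $owa.Identity -InternalUrl "https://$InternalHost/owa" -ExternalUrl "https://$ExternalHost/owa"
Set-EcpVirtualDirectory -Identity $ecp.Identity -InternalUrl "https://$InternalHost/ecp" -ExternalUrl "https://$ExternalHost/ecp"

# Authentication: forms-based sign-in only, with Basic and Windows switched off so the sign-in
# page is the only path for browser users. OWA and ECP must carry the same settings, otherwise
# users are prompted again when they open Options (ECP) from OWA.
Set-OwaVirtualDirectory -Identity $owa.Identity -FormsAuthentication $true -BasicAuthentication $false -WindowsAuthentication $false -LogonFormat UserName -DefaultDomain $Domain
Set-EcpVirtualDirectory -Identity $ecp.Identity -FormsAuthentication $true -BasicAuthentication $false -WindowsAuthentication $false

# Read back what Exchange now reports; the method lists should contain Fba and no longer Basic
Get-OwaVirtualDirectory -Identity $owa.Identity |
    Format-List InternalUrl, ExternalUrl, InternalAuthenticationMethods, ExternalAuthenticationMethods, LogonFormat, DefaultDomain
Get-EcpVirtualDirectory -Identity $ecp.Identity |
    Format-List InternalUrl, ExternalUrl, InternalAuthenticationMethods, ExternalAuthenticationMethods

# Authentication changes are picked up once the application pools restart, e.g. with: iisreset /noforce
```

-LogonFormat UserName together with -DefaultDomain lets users sign in with just their user name instead of domain\user name; the ExternalURL host name has to match the certificate the server presents, or external clients will get certificate warnings before they ever reach the sign-in page.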

Password type description

Integrated Windows authentication \ Windows authentication
This method requires that users have a valid Windows Server 2008 or Windows Server 2012 user account name and password to access information. Users aren’t prompted for their account names and passwords. Instead, the server negotiates with the Windows security packages installed on the client computer. Integrated Windows authentication enables the server to authenticate users without prompting them for information and without transmitting information that isn’t encrypted over the network.

For this method to work, the client computer must be a member of the same domain as the servers running Exchange, or of a domain that’s trusted by the domain that the Exchange server is in.

Digest authentication for Windows domain servers (password is hashed – you should use SSL)
This method transmits passwords over the network as a hash value for additional security. Digest authentication can be used only in Windows Server 2008 and Windows Server 2012 domains for users who have an account that’s stored in Active Directory.

SSL and Transport Layer Security (TLS) are often used to protect Digest Authentication from an offline attack against the Digest Authentication challenge/response.

Digest Authentication offers single sign-on only to a single Web URL protection space. If users navigate to a different Web site, or even to a different server in the same site, they will usually be prompted to enter credentials again.

For more information: What is Digest Authentication

Basic authentication (password is sent in clear text – you should use SSL)
This method is a simple authentication mechanism defined by the HTTP specification that encodes (but does not encrypt) a user’s sign-in name and password before the credentials are sent to the server. Exchange/Outlook will prompt for a username and password while attempting a connection with Exchange.

To make sure that the password is as secure as possible, you should use Secure Sockets Layer (SSL) encryption between client computers and the server that has the Client Access server role installed.

Forms-based authentication (Fba)
Forms-based authentication provides enhanced security for the Outlook Web App virtual directories (most commonly OWA and ECP).

Forms-based authentication creates a sign-in page for Outlook Web App. You can configure the type of sign-in prompt used by forms-based authentication. For example, you can configure it to require users to provide their domain and user name in the domain\user name format, or to accept the user’s UPN in the format name@domain, on the Outlook Web App sign-in page.

Note: a user’s UPN is not automatically the same as the user’s email address.

Negotiate authentication: Enabled by default in Exchange 2013. This is a combination of Windows integrated authentication and Kerberos authentication. If Negotiate authentication is used, Exchange will authenticate the client using the NTLM authentication type and, if it is unable to verify authenticity, will challenge the client to authenticate using a username and password.

NTLM authentication credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user’s password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user’s password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials.

Read more: Microsoft NTLM

Virtual Directories listed in Exchange Admin Center (EAC)

Navigate to https://<servername>/ecp to open the Exchange Admin Center (EAC). Click Servers and then Virtual directories. Here you can see your virtual directories: the name, server, type, version and last modified date, plus a short overview on the right-hand side. To configure the settings for a virtual directory, select it and click the small pencil icon, or double-click the virtual directory.

01-overview

  • Autodiscover overview
    02-overview
  • Autodiscover general:
    02-autodiscover
  • Autodiscover authentication
    03-audiscover
  • ECP Overview (Exchange Control Panel)
    03-overview
  • ECP general
    04-ecp
  • ECP authentication
    05-ecp
  • EWS overview (Exchange Web Services)
    04-overview
  • EWS general
    06-ews
  • EWS authentication
    07-ews
  • Microsoft-Server-ActiveSync overview
    05-overview
  • Microsoft-Server-ActiveSync general
    08-activesync
  • Microsoft-Server-ActiveSync authentication
    09-activesync
  • OAB overview (Offline Address Book)
    06-overview
  • OAB configuration
    10-oab
  • OWA overview (Outlook Web Apps)
    07-overview
  • OWA general
    11-owa
  • OWA authentication
    12-owa
  • PowerShell overview
    08-overview
  • PowerShell general
    13-powershell
  • PowerShell authentication
    14-powershell
Posted in Exchange 2013, Installing, Powershell, Setup, Troubleshooting
