List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

Subject: [ActiveDir] Form Based Authentication for MS Exchange 2003. Benefits
rezuma

Posts:83

09/24/2008 2:26 PM  
I have always been using FBA with OWA for "security" reasons, I was
always suggested to do that by the Exchange gurus.

Can someone be more specific about how is FBA more secure than the
default authentication, other than not letting the user remember the
password?



Or point me to a URL with the info?

Thanks in advance.

Ramon


michael1

Posts:181

09/24/2008 2:26 PM  
1] Can't save username/password (without a browser plugin)

2] Can customize the look and feel of the login page

3] Choice between public/private timeouts (cookie-based)

4] Choice between premium and basic client

5] Log-off doesn't require browser restart

Off the top of my head.

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP

My blog: http://TheEssentialExchange.com/blogs/michael

Link with me at: http://www.linkedin.com/in/theessentialexchange



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ramon Linan
Sent: Wednesday, September 17, 2008 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Form Based Authentication for MS Exchange 2003.
Benefits



I have always been using FBA with OWA for "security" reasons, I was always
suggested to do that by the Exchange gurus.

Can someone be more specific about how is FBA more secure than the default
authentication, other than not letting the user remember the password?



Or point me to a url with the info?



Thanks in advance.



Ramon


joe

Posts:77

09/24/2008 2:26 PM  
That's not really accurate. In HTTP auth (Basic/Digest/Integrated), only
Basic provides credentials in plaintext.

I would argue that OWA is always more secure with SSL because all the data
is encrypted, but the authentication itself is not at tremendous risk with
HTTP auth unless you use Basic. There are certain attacks on NTLM that
suggest that it might be too weak to use without SSL as well, but it still
isn't providing credentials in plaintext.

OWA with FBA MUST be used with SSL to be secure because it does provide
plaintext credentials during login and the cookie is subject to
snooping/replay attacks.

I'm not sure what, if anything, FBA itself provides as a security advantage
if you factor out the SSL component.

All FBA auth mechanisms are subject to phishing attacks. An attacker can
replicate the look and feel of your auth page and try to lure your users to
their site, where they then collect their credentials. I look forward to
CardSpace login to replace all this stuff and help address this weakness.

Joe K.

----- Original Message -----
From: "Roelf Zomerman" <roelf.zomerman@avanade.com>
To: <ActiveDir@mail.activedir.org>
Sent: Wednesday, September 17, 2008 8:24 AM
Subject: RE: [ActiveDir] Form Based Authentication for MS Exchange 2003.
Benefits


|The point is that the FBA is already within an SSL connection.. so
user/pass that is sent is already encrypted with the SSL certificate.. if
you do not use FBA you give your username/password over an unencrypted
connection before OWA starts the SSL session.. although if you do not use
basic authentication, the encryption method for user/pass over the
connection is pretty easy to hack.. basically.. FBA is safer because you
encrypt ALL data sent over the line before a user has even authenticated..

Roelf


List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
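
The distinction drawn in Joe K.'s reply (Basic and form logins carry the password itself, Digest/NTLM carry only a challenge response, and a forms session cookie can be replayed), shown as an added example that is not part of the original thread. The host, paths, form field names and cookie name in the sample requests are constructed assumptions, not values taken from OWA.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample requests; host, paths, field and cookie names are assumptions.
BASIC = (
    "GET /exchange/ HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Authorization: Basic " + base64.b64encode(b"EXAMPLE\\ramon:Passw0rd!").decode() + "\r\n\r\n"
)
DIGEST = (
    "GET /exchange/ HTTP/1.1\r\nHost: mail.example.test\r\n"
    'Authorization: Digest username="ramon", realm="example", nonce="abc123", '
    'uri="/exchange/", response="6629fae49393a05397450978507c4ef1"\r\n\r\n'
)
FORM = (
    "POST /login HTTP/1.1\r\nHost: mail.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=ramon&password=Passw0rd%21"
)
COOKIE = "GET /exchange/ HTTP/1.1\r\nHost: mail.example.test\r\nCookie: sessionid=0f3c9a\r\n\r\n"

def parse(raw):
    """Split a raw HTTP request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split()[0], headers, body

def exposure(raw, tls):
    """Return labels for what a passive observer of this request obtains."""
    if tls:
        return set()  # request line, headers and body all travel inside TLS
    method, headers, body = parse(raw)
    found = set()
    scheme, _, param = headers.get("authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "basic" and ":" in base64.b64decode(param).decode("utf-8", "replace"):
        found.add("plaintext-password")        # base64 is an encoding, not encryption
    elif scheme in ("digest", "ntlm", "negotiate"):
        found.add("challenge-response-only")   # no password on the wire
    form = "x-www-form-urlencoded" in headers.get("content-type", "")
    if method == "POST" and form and "password" in parse_qs(body):
        found.add("plaintext-password")        # form login posts the password as-is
    if "cookie" in headers:
        found.add("replayable-session-cookie")
    return found
```
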