EX19-MB-000008 - Exchange must have forms-based authentication enabled.

Information

Identification and Authentication provide the foundation for access control. Access to email services applications in the DOD requires authentication using DOD Public Key Infrastructure (PKI) certificates. Authentication for Outlook Web App (OWA) is used to enable web access to user email mailboxes and should assume that certificate-based authentication has been configured. This setting controls whether forms-based logon should be used by the OWA website.

Because the DOD requires Common Access Card (CAC)-based authentication to applications, OWA access must be brokered through an application proxy or other preauthenticator, which performs CAC authentication prior to arrival at the CA server. The authenticated request is then forwarded directly to OWA, where authentication is repeated without requiring the user to repeat authentication steps. For this scenario to work, the Application Proxy server must have forms-based authentication enabled, and Exchange must have forms-based Authentication disabled.

If forms-based Authentication is enabled on the Exchange CA server, it is evidence that the application proxy server is either not correctly configured, or it may be missing.

Solution

Open the Exchange Management Shell and enter the following command:

Set-OwaVirtualDirectory -Identity <'IdentityName'> -FormsAuthentication $false

Note: <IdentityName> must be in quotes.

Example for the Identity Name: <ServerName>\owa (Default website)

Restart the IIS service.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2019_Y24M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, CCI|CCI-000068, Rule-ID|SV-259647r960759_rule, STIG-ID|EX19-MB-000008, Vuln-ID|V-259647

Plugin: Windows

Control ID: 55856eb1c1ef03fe1ab254fc7f4148dcc6992acfe3ddebb5ee6534ad1db176f2