Internal, External URLs, InternalAuthenticationMethod and ExternalAuthenticationMethod Explained

Microsoft Exchange

Within the Microsoft Exchange configuration you'll see that there is an InternalURL and an ExternalURL attribute for each of the key Exchange web services (OWA, ECP, ActiveSync, etc.). Personally, I've rarely had them set to different values, but they allow the URL used to reach a service from the internal network to differ from the one used from outside, which some deployments need.

  • Internal URL: The URL that's used to access Outlook on the web from the internal network. This value is configured automatically during Exchange Server setup, and the default value is https://<Server FQDN>/owa (for example, https://mailbox01.contoso.com/owa).
  • External URL: The URL that's used to access Outlook on the web from the Internet. The default value is blank.

For Internet-facing Exchange servers, the external URL is the value that clients use to access Outlook on the web. To configure this setting, see the "Use the EAC to configure the external URL for Outlook on the web" section of the Microsoft article linked below.

Typically I've only ever had a single way into Exchange (i.e. a single unified namespace such as email.domain.com, irrespective of whether you are internal or external). However, if you had, for example, email.domain.com when off-site and email.internal.domain.com when on-site, Exchange can determine "where" the client is coming from and present different authentication methods accordingly.

For example, let's say your external presentation uses email.domain.com and sits behind a load balancer, and that load balancer provides its own form-based authentication page and then passes the authenticated request on to the back-end Exchange server.

The internal presentation, meanwhile, uses emailserver01.internal.domain.com and doesn't go through a load balancer.

Using OWA as an example, if we didn't have two URLs (an internal and an external zone), we couldn't represent the two names, and consequently we couldn't specify an InternalAuthenticationMethod and an ExternalAuthenticationMethod that differ from each other.

So, internally, users might authenticate with Forms Based Authentication (FBA) directly against the Exchange server using the URL emailserver01.internal.domain.com, for which we'd configure an InternalAuthenticationMethod of "FBA". Users accessing OWA externally via email.domain.com go through the load balancer, which performs the authentication on behalf of the Exchange server and presents its own logon page; the Exchange server therefore needs to determine where a request is coming from, and it uses the External/Internal URL for that. The ExternalAuthenticationMethods setting is what applies when the request arrives through the external URL, so there it would expect, say, "Plain Authentication" or "NTLM", because the load balancer is doing the authentication itself. You wouldn't want internal clients to get these authentication methods, though, because they look ugly compared to FBA.

https://learn.microsoft.com/en-us/exchange/clients/outlook-on-the-web/virtual-directories?view=exchserver-2016

https://msexchangeguru.com/2017/08/08/exchange-2016-outlook-on-the-web/

Configuration Examples

You can also make the change via PowerShell, which may be easier. First, identify what the current settings are with:

Get-OwaVirtualDirectory | Format-List Id,InternalUrl,ExternalUrl,InternalAuthenticationMethods,ExternalAuthenticationMethods
 
Get-EcpVirtualDirectory | Format-List Id,InternalUrl,ExternalUrl,InternalAuthenticationMethods,ExternalAuthenticationMethods

This will output the specific settings for all the Exchange Servers present, for example:

...(additional output removed)...
 
Id                            : SERVER1\owa (Default Web Site)
InternalUrl                   : https://email.domain.com/owa
ExternalUrl                   : https://email.domain.com/owa
InternalAuthenticationMethods : {Fba}
ExternalAuthenticationMethods : {Fba}
 
...(additional output removed)...

So in this case we want to change InternalAuthenticationMethods to Ntlm,WindowsIntegrated instead; this needs to be done for both OWA and ECP, and the ECP virtual directory has its own identity (ecp rather than owa):

Set-OwaVirtualDirectory -Identity "SERVER1\owa (Default Web Site)" -InternalAuthenticationMethods Ntlm,WindowsIntegrated
Set-EcpVirtualDirectory -Identity "SERVER1\ecp (Default Web Site)" -InternalAuthenticationMethods Ntlm,WindowsIntegrated

Update (12/11/2023): The "InternalAuthenticationMethods" argument appears to have been deprecated; I can no longer find any information about its usage. https://learn.microsoft.com/en-us/powershell/module/exchange/set-owavirtualdirectory?view=exchange-ps now only shows ExternalAuthenticationMethods as being available.

Once done check with:

Get-OwaVirtualDirectory -Server SERVER1 | Format-List Id,InternalUrl,ExternalUrl,InternalAuthenticationMethods,ExternalAuthenticationMethods

And you should see an output like:

Id                            : SERVER1\owa (Default Web Site)
InternalUrl                   : https://email.domain.com/owa
ExternalUrl                   : https://email.domain.com/owa
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Fba}

Now stop and restart the web services on the Exchange server for the change to take effect.

Note that you'll need to manually restart the WAS service and the listeners yourself on the Exchange server before these settings apply:

net stop was /y
net start w3svc

Ensure all the relevant services that are set to “Automatic” are “Started”.

You are also advised to manually start the Net listener services.
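The procedure above (query, change both directories, restart IIS, verify) as one script. This is an added example, not code from the original post: it reports the OWA and ECP settings for one server, warns when the internal and external URLs differ (a split namespace) or when OWA and ECP are out of step, and only changes anything when run with -Apply. Because -InternalAuthenticationMethods is no longer documented, the change uses the per-directory -FormsAuthentication and -WindowsAuthentication switches instead; 'SERVER1' is a placeholder server name and 'owa'/'ecp' are the default directory names.

```powershell
# Added example, not code from the original post: audit the OWA and ECP virtual
# directories on one server and, only with -Apply, switch them from forms-based to
# Integrated Windows authentication, then re-read the result. Run from the Exchange
# Management Shell. 'SERVER1' is a placeholder; 'owa'/'ecp' are the default names.
param(
    [string]$Server = 'SERVER1',
    [switch]$Apply,        # without -Apply the script only reports
    [switch]$RestartIis    # also restart WAS/W3SVC after applying
)

function Get-OwaEcpSettings {
    # Both cmdlets accept -Server (as in the post); @() keeps a single result an array
    @(Get-OwaVirtualDirectory -Server $Server) + @(Get-EcpVirtualDirectory -Server $Server) |
        Select-Object Identity, InternalUrl, ExternalUrl, FormsAuthentication,
            WindowsAuthentication, BasicAuthentication, ExternalAuthenticationMethods
}

function Show-OwaEcpSettings {
    $vdirs = Get-OwaEcpSettings
    $vdirs | Format-List
    foreach ($v in $vdirs) {
        # A split namespace is what lets Exchange tell internal from external clients
        if ($v.InternalUrl -ne $v.ExternalUrl) {
            Write-Warning "$($v.Identity): split namespace ($($v.InternalUrl) / $($v.ExternalUrl))"
        }
    }
    # OWA and ECP must be changed together, so flag any mismatch between them
    $owa = $vdirs | Where-Object { "$($_.Identity)" -like '*\owa (*' } | Select-Object -First 1
    $ecp = $vdirs | Where-Object { "$($_.Identity)" -like '*\ecp (*' } | Select-Object -First 1
    if ($owa -and $ecp -and ($owa.FormsAuthentication -ne $ecp.FormsAuthentication -or
            $owa.WindowsAuthentication -ne $ecp.WindowsAuthentication)) {
        Write-Warning 'OWA and ECP authentication settings differ'
    }
}

if ($Apply) {
    # -InternalAuthenticationMethods is no longer documented, so use the per-directory
    # switches: FBA off, Integrated Windows authentication on, for both directories
    Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" -FormsAuthentication $false -WindowsAuthentication $true
    Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" -FormsAuthentication $false -WindowsAuthentication $true
    if ($RestartIis) {
        # Same restart the post performs; nothing takes effect until WAS/W3SVC restart
        net stop was /y
        net start w3svc
    }
}
Show-OwaEcpSettings
```

Run it with no switches first to record the current state, then with -Apply -RestartIis on each server you intend to change.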

At this point you'll find that any connection to this server for OWA or ECP will require Kerberos, Kerberos Constrained Delegation (KCD), or the user manually entering their password into the plain browser credentials prompt.

If you need to revert, it's basically a matter of reinstating the original settings on each server:

Set-OwaVirtualDirectory -Identity "SERVER1\owa (Default Web Site)" -InternalAuthenticationMethods Fba
Set-EcpVirtualDirectory -Identity "SERVER1\ecp (Default Web Site)" -InternalAuthenticationMethods Fba

Update (12/11/2023): The "InternalAuthenticationMethods" argument appears to have been deprecated; I can no longer find any information about its usage. https://learn.microsoft.com/en-us/powershell/module/exchange/set-owavirtualdirectory?view=exchange-ps now only shows ExternalAuthenticationMethods as being available.

Then issue a stop and start of the web services, as shown above, for the change to take effect.

2 thoughts on "Internal, External URLs, InternalAuthenticationMethod and ExternalAuthenticationMethod Explained"

  1. Hi, how could you set up InternalAuthenticationMethods? They are not choosable; there is no parameter named InternalAuthenticationMethods.
    I put a pic where we can hit ctrl+space and see what params we have in the session
    https://paste.pics/PUSB6
    So these commands won't work:
    Set-OwaVirtualDirectory -Identity "SERVER1\owa (Default Web Site)" -InternalAuthenticationMethods Fba
    Set-EcpVirtualDirectory -Identity "SERVER1\owa (Default Web Site)" -InternalAuthenticationMethods Fba

    1. You are indeed correct. From what I can see, the "InternalAuthenticationMethods" argument appears to have been deprecated; I can no longer find any information about its usage. The page at https://learn.microsoft.com/en-us/powershell/module/exchange/set-owavirtualdirectory?view=exchange-ps now only shows ExternalAuthenticationMethods as being available.

      You can set the ExternalAuthenticationMethods from PowerShell, and the EAC web interface is now also showing the same where there is only the “Authentication” tab and doesn’t specify which you are configuring, so I assume it is only the External methods; it is possible they have been unified, but I don’t currently have a test environment in which I can confirm this.
