When publishing Exchange 2007 Outlook Web Access or Exchange 2010 Outlook Web App with Forefront UAG before SP1, it was possible to define the single sign-on method as HTML Forms. This allowed the Exchange CAS servers to be configured with Outlook Web Access/App forms-based authentication (FBA), and then utilise the HTML Form delegation capabilities of UAG to automatically populate the required username/password form fields based upon the credentials entered into the portal login page. This also made it easy for UAG publishing of Exchange Outlook Web Access/App to coexist with existing Exchange deployments that were already configured to use FBA.
However, although this appears to function correctly, it is not supported by the UAG product group for various integration reasons. To make things worse, this single sign-on scenario is, unhelpfully, not covered in the UAG Support Boundaries document, so very few people outside of the product group ever realised this was actually an unsupported UAG configuration.
With the advent of UAG SP1, it is no longer possible to configure Exchange Outlook Web Access/App to utilise HTML Forms for single sign-on, and basic (401) is now a mandatory option. Consequently, Exchange must be configured to utilise basic authentication and not Outlook Web Access/App FBA when used with UAG publishing.
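One way to check and switch the CAS side, as an added example that is not part of the original post: the script below, run from the Exchange Management Shell, reports the authentication settings of the OWA virtual directories on a CAS server and, with -Apply, turns FBA off and basic on. The server name CAS01, the script parameters and the filter on virtual directory names starting with "owa" are assumptions for illustration.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# 'CAS01' is a placeholder CAS server name; replace it with your own.
param(
    [string]$Server = 'CAS01',   # assumed server name
    [switch]$Apply               # without -Apply the script only reports
)

# Only look at the OWA virtual directory itself, not the legacy
# directories that Exchange 2007 also returns (assumed naming: 'owa (...)').
$vdirs = Get-OwaVirtualDirectory -Server $Server |
    Where-Object { $_.Name -like 'owa*' }

# Show the current authentication settings.
$vdirs | Format-Table Identity, FormsAuthentication, BasicAuthentication,
    WindowsAuthentication -AutoSize

# A directory needs changing if FBA is still on or basic is off.
$toFix = @($vdirs | Where-Object {
    $_.FormsAuthentication -or -not $_.BasicAuthentication
})

if ($toFix.Count -eq 0) {
    Write-Host "All OWA virtual directories on $Server already use basic authentication."
    return
}

foreach ($vdir in $toFix) {
    if ($Apply) {
        # Disable FBA and enable basic (401), as UAG SP1 requires.
        Set-OwaVirtualDirectory -Identity $vdir.Identity `
            -FormsAuthentication $false -BasicAuthentication $true
        Write-Host "Switched '$($vdir.Identity)' to basic authentication."
    }
    else {
        Write-Host "'$($vdir.Identity)' still uses FBA; re-run with -Apply to change it."
    }
}

# Authentication changes on the virtual directory take effect after IIS restarts.
if ($Apply) { iisreset /noforce }
```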
In the Exchange publishing wizard you will now see no option to choose between 401 and HTML Forms:
Once the wizard is completed, an example of the new Authentication tab can be seen below with the HTML Forms option removed and basic defined as mandatory (unless using KCD):
In the event that you already have an existing Exchange application defined, you will receive the following error in the UAG management console when editing the application:
Hopefully this information is useful for those of you publishing, or looking to publish, Exchange Outlook Web Access/App with Forefront UAG SP1…