A Reason To Use Preauthentication with Exchange

Those that are really paranoid about security (and I don't mean that in a bad way) have always like the idea of pre-authentication in a reverse proxy for Exchange server. When you implement pre-authentication at the reverse proxy, only requests from authenticated users ever get to the Exchange server.

This sounds great, but I think from a practical perspective, it doesn't buy you much. It also adds significant complexity. Even with vendor support, getting pre-authentication going always seems to be a hassle.

Now, if you want to implement two factor authentication for Outlook on the web/OWA, then pre-authentication is a good point to do that. Most vendors have support for adding two factor authentication. For my customers, this is seldom a concern.

Recently though I ran into an issue with account lockouts caused by repeated password attacks on OWA. In this case, the user account is locked and the user can't work. There is no simple solution for this without pre-authentication. Disabling OWA for the user doesn't prevent the failed authentication and the account lockouts. In complex environments with directory synchronization, changing a user logon name could break all sorts of things.

Most pre-authentication solutions allow you to lock out accounts at the reverse proxy before you hit the limits for account lockout in Active Directory. The net effect is that OWA is locked but the user can continue to work internally.

Now you need to think about whether that password attack is likely to happen.

UPDATE:
As an alternative to pre-authentication, you can also look at preventing automated sign in attempts. One way to do this is with a captcha on the OWA login page. Here are a few links on how to do this with free captcha software available from Google. This authentication is spoofable of the attacker builds their own login page to send the authentication requests, but they'd need to be pretty motivated.

• Exchange 2010 captcha - http://blog.leederbyshire.com/2012/10/11/adding-recaptcha-validation-to-your-outlook-web-app-2010-forms-based-authentication-logon-page/
• Exchange 2010 checkbox only - http://blog.leederbyshire.com/2015/03/09/adding-no-captcha-recaptcha-validation-to-your-outlook-web-app-forms-based-authentication-logon-page/
• Exchange 2013 checkbox only - http://blog.leederbyshire.com/2013/01/17/adding-recaptcha-validation-to-your-microsoft-exchange-2013-outlook-web-app-forms-based-authentication-logon-page/

Another alternative that implements a captcha and also does much more is OWA Guard from Messageware. I haven't had a chance to install the trial yet, but it looks like a good product with the ability to do geo-blocking and OWA specific lockouts that will prevent denial of service for AD accounts when a password attack is being performed on OWA.

• http://www.messageware.com/products/owaguard/