Disable Basic Auth on Exchange 2016?


Jonathan Raper

Aug 9, 2022, 9:34:12 AM
to ntexc...@googlegroups.com
So, this is a 2016 hybrid configuration with all mailboxes in 365. Still have mailbox, hub transport, and CAS, but all of those are running Ex 2010 (they are soon to go).

Security people are saying Basic Auth needs to be disabled. We’re not worrying with Ex2010, since it is going away. However…. Basic Auth is enabled on some of the virtual directories on the 2016 servers, which are not going away, as they are needed for management and SMTP relay.

From what I can tell, it seems that MSFT has addressed this for Ex2019, but I’m not finding much on how to properly deal with this for Ex2016.

Autodiscover: Windows Authentication and Basic Auth are both checked

ECP & OWA: the FBA radio button is selected, however under the “standard authentication” radio button, Integrated Windows Authentication and Basic Authentication are both checked

I’m new to the environment, so I do not yet know where their Autodiscover DNS records point (or any other records for that matter)

Any guidance would be appreciated….

Thanks,

Jonboy


Michael B. Smith

Aug 10, 2022, 10:29:48 AM
to ntexc...@googlegroups.com

You can turn off basic auth just by turning off basic auth, and if you are fully migrated to O365, it probably won’t break anything.

But if you have resources on-prem, it’ll probably break things.

I think you may be confusing hybrid modern auth vs. legacy auth vs. basic auth.


Jonathan Raper

Aug 10, 2022, 3:36:30 PM
to ntexc...@googlegroups.com
Thanks for the reply.

Honestly, all I have is a note from the security team to “disable / ensure that Basic Auth is disabled on Exchange”. I’ve already looked at this for Exchange Online and have a plan to deal with it. When I asked if this was just a concern for Exchange Online or both Exchange Online and On-Prem, I got the expected response of “both”. Me and my big mouth 😂 I do realize this is in part being driven by the need to check a box, as Exchange on-prem is (hopefully) no longer exposed to the internet, but, I digress.

As for Exchange on-prem, we will soon just be down to two 2016 hybrid servers for the purpose of management and SMTP relay.

When I look at Autodiscover, that is straightforward enough, but when I look at both ECP and OWA, they show this:

Authentication: Basic, FBA

But when I go into the settings for them in EAC, I see that the FBA radio button is selected, but there is still a check mark next to Basic Auth under “standard authentication methods”. (Images attached). None of the other options are selected.

Do I select the other radio button long enough to deselect Basic Auth and then re-select FBA? Is that even possible?

Thanks,

Jonboy




Michael B. Smith

Aug 10, 2022, 4:07:14 PM
to ntexc...@googlegroups.com

You probably need to switch to IWA.

FBA uses basic auth encapsulated in a TLS tunnel.
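The two questions in this thread (how to find where Basic is still on, and how to clear the Basic checkbox on OWA/ECP without giving up FBA) both come down to the virtual-directory cmdlets in the Exchange Management Shell. The script below is an added example and is not from the thread or from Microsoft; it assumes an Exchange 2016 box with the management shell loaded, and the server names and the list of directories to touch are placeholders you would replace with your own. It inventories the authentication settings first, then applies the changes with -WhatIf so nothing is written until you remove that switch.

```powershell
# Added example (not from the thread). Assumes the Exchange Management Shell
# on an Exchange 2016 hybrid/management server. Server names are placeholders.
$servers = @('EX16-01', 'EX16-02')

# --- 1. Audit: which front-end virtual directories still accept Basic? ---
# ActiveSync uses BasicAuthEnabled/WindowsAuthEnabled; the others use
# BasicAuthentication/WindowsAuthentication/FormsAuthentication.
$audit = foreach ($s in $servers) {
    Get-AutodiscoverVirtualDirectory -Server $s |
        Select-Object Server, Name, BasicAuthentication, WindowsAuthentication
    Get-OwaVirtualDirectory -Server $s |
        Select-Object Server, Name, BasicAuthentication, WindowsAuthentication, FormsAuthentication
    Get-EcpVirtualDirectory -Server $s |
        Select-Object Server, Name, BasicAuthentication, WindowsAuthentication, FormsAuthentication
    Get-WebServicesVirtualDirectory -Server $s |
        Select-Object Server, Name, BasicAuthentication, WindowsAuthentication
    Get-OabVirtualDirectory -Server $s |
        Select-Object Server, Name, BasicAuthentication, WindowsAuthentication
    Get-PowerShellVirtualDirectory -Server $s |
        Select-Object Server, Name, BasicAuthentication, WindowsAuthentication
    Get-ActiveSyncVirtualDirectory -Server $s |
        Select-Object Server, Name, BasicAuthEnabled, WindowsAuthEnabled
}
$audit | Format-Table -AutoSize

# --- 2. Remediate: drop Basic, keep IWA (and FBA where it is in use) ---
# Remove -WhatIf once the audit output and the planned changes look right.
foreach ($s in $servers) {
    # Autodiscover: Integrated Windows auth stays on for domain-joined Outlook.
    Get-AutodiscoverVirtualDirectory -Server $s |
        Set-AutodiscoverVirtualDirectory -BasicAuthentication $false `
            -WindowsAuthentication $true -WhatIf

    # OWA and ECP: FormsAuthentication and BasicAuthentication are separate
    # switches in the shell, so Basic can be cleared while FBA stays selected.
    # Keep OWA and ECP settings identical; ECP logon depends on OWA's settings.
    Get-OwaVirtualDirectory -Server $s |
        Set-OwaVirtualDirectory -FormsAuthentication $true `
            -BasicAuthentication $false -WhatIf
    Get-EcpVirtualDirectory -Server $s |
        Set-EcpVirtualDirectory -FormsAuthentication $true `
            -BasicAuthentication $false -WhatIf

    # EWS, OAB, remote PowerShell: IWA only.
    Get-WebServicesVirtualDirectory -Server $s |
        Set-WebServicesVirtualDirectory -BasicAuthentication $false `
            -WindowsAuthentication $true -WhatIf
    Get-OabVirtualDirectory -Server $s |
        Set-OabVirtualDirectory -BasicAuthentication $false `
            -WindowsAuthentication $true -WhatIf
    Get-PowerShellVirtualDirectory -Server $s |
        Set-PowerShellVirtualDirectory -BasicAuthentication $false `
            -WindowsAuthentication $true -WhatIf

    # ActiveSync: no mailboxes remain on-prem, so nothing should be syncing here.
    Get-ActiveSyncVirtualDirectory -Server $s |
        Set-ActiveSyncVirtualDirectory -BasicAuthEnabled $false `
            -WindowsAuthEnabled $true -WhatIf
}

# --- 3. Re-run the audit to confirm, then recycle IIS on each server ---
# Invoke-Command -ComputerName $servers -ScriptBlock { iisreset /noforce }
```

Run step 1 on its own first and keep the output; it is the evidence the security team is asking for, and it is the baseline you compare against after the change. Before removing -WhatIf on the EWS line, check what still calls on-prem EWS in this hybrid (mailbox moves through the MRS proxy endpoint, for instance) and confirm it authenticates with Integrated Windows auth or OAuth rather than Basic; that is the "resources on-prem" case where blanket removal breaks things.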
