This article is intended for a Server Administrator.

It includes the technical steps required to deploy OWA module when running a 2010/2013/2016 Exchange Server.

Latest update: February 3, 2016.

Current signOWA version: 10.0.0.1


On This Page:

  • Overview OWA module
  • Deploying to OWA/Exchange Server
  • Configuring Exchange Server 2010/2013 in OWA module
    • Installing OWA files
    • Setting up security for Exchange Server
      • Basic Authentication
      • Integrated Windows Authorization
      • Forms Based Authorization
      • Using encryption for OWAuid and OWApwd values

      • Setting account rights for the account running signOWA.exe

  • Creating and setting up rights for a user for Exchange 2010/2013/2016

  • Checking site authentication in Exchange 2010/2013/2016

  • Troubleshooting Exchange 2010/2013/2016


OWA module overview


You are already familiar with the basic setup and the backend database. The backend database contains the final signatures to be deployed to OWA. These signatures are updated each time sign.exe is run, as they are stored in the settings database.
In order to pull out the signatures from the backend database and deploy them to OWA environment, a signOWA.exe file is used. Unlike sign.exe, the signOWA.exe does not run each time the users log on. SignOWA.exe runs from a server in your network as a scheduled task. It can be any server within your network running a Windows Server 2000, 2003 or 2008, 2012 with the latest Service Pack applied. SignOWA.exe is then set up to run as a scheduled task that deploys signatures to OWA at a set time, e.g. once a day at 1 am.


Deploying email signatures to OWA/Exchange Server


To set up OWA module, proceed as follows:

  1. Configure OWA in: Admin console --> Modules--> Outlook Web.
  2. Install OWA module on a server (other than the Exchange server) and create registry entries, on the server where signOWA.exe will be running.
  3. Set up security permissions to access the Exchange server and fill in required information into the registry.
    The process is different depending on the authentication method used by your server.
  4. If using a single user to run signOWA.exe, set up account rights for this user.
  5. Test signatures on a few OWA users.
  6. Set up signOWA.exe as a scheduled task and then deploy.
Each of the steps is described in the following sections.

Configuring OWA module for Exchange Server 2010/2013/2016

In order to administer the OWA settings, first you must enable the OWA module.
If you have entered a valid license for the OWA module, the module will be enabled.
If the OWA module is not enabled, please obtain a valid license key.

To configure the OWA module, proceed as follows:


  1. Admin console --> Modules--> Configuration

    The Basic Configuration window appears. The first time you open the Configuration window it will show dummy sample settings.
    These must be changed in order for OWA deployment to work.


  2. Select the Exchange Server version that you are running:
    • Exchange 2010 or 2013 or 2016
  3. In the Authentication Method section, select the method used on your server:
    • Integrated Windows Authentication for OWA
    • Forms Based Authentication for OWA
    Please consult your Exchange administrator to learn what method is used by your server.
    Note: Using Windows Authentication for the "exchange site" is the recommended practice for signOWA.

  4. Check the Secure Socket Layer (https) option, if you are using HTTPS to connect to OWA.
  5. Enter the URL of your Exchange OWA server in the OWA URL field.
    • Leave out HTTP and HTTPS before the URL.
    • If you are using Exchange 2010, do not append anything as in the following example:
      "myserver.mydomain.local". (E.g. do NOT add /owa or /exchange)
    Security Warning: We recommend you use the internal address of the OWA server to avoid any possible security issues.

  6. Click Save to keep these settings, and then click Close to exit the Basic Configuration window.

    You are now ready to continue with installing OWA files.

Installing OWA files


Now that you have set up your OWA information, you must install OWA files on a server (other than the Exchange server), where you want to run the job as a scheduled task.

Create a folder on the server and extract these files into that folder.
Double-click the signOWA.reg file and accept to add the registry entries to the registry.


Note: You must have write access to the HKEY_LOCAL_MACHINE hive of the registry.


SignOWA.reg will add to the registry entries that will contain the username and password which signOWA.exe will use to authenticate.
This information can be encrypted. 


Note: SignOWA.exe will not be able to function without these registry entries.


Entries for proxy values are also added to the registry. Normally these are left blank and should not be modified.

They are only needed in very rare cases.


Setting up security for Exchange Server


SignOWA supports different authentication schemes depending on the setup of the Exchange server:

  • Basic Authentication.
  • Integrated Windows Authentication.
  • Forms Based Authentication.

The following registry values are used to control how signOWA authenticates with the Exchange server:

Registry key

Description

OWAuid

The user name that is to be used when connecting to the Exchange server. If left blank the credentials of the logged in user will be used. Do not include the domain in the user name.

OWApwd The password for the user specified in OWAuid. If OWAuid is left blank, the OWApwd value is ignored.
OWAdomain The domain of the user specified in OWAuid. If OWAuid is left blank, the OWAdomain value is ignored.

 
Once SignOWA.reg successfully adds entries to the registry, start regedit.exe to change these registry settings.
The following sections will describe the different registry settings to use for each authentication scheme.


Basic Authentication


When using basic authentication and running signOWA, as a scheduled task, the recommended approach is to use the "run as" feature.

SignOWA will run in the context of the provided user when connecting to the Exchange server. In this case, OWAuid must be left blank.


When using basic authentication the password is sent in clear text to the server.


Security Warning: Never use basic authentication without SSL.


The following registry values must be set:


Registry key

Description

OWAuid

The user name to be used when connecting to the Exchange server (when not using "run as").

OWApwd

The password for the user specified in OWAuid (when not using "run as").

OWAdomain

The domain of the user specified in OWAuid (when not using "run as").


Integrated Windows Authentication


When using integrated Windows authentication and running signOWA as a scheduled task the recommended approach is to use the "run as" feature. SignOWA will run in the context of the provided user when connecting to the Exchange server. In this case, OWAuid must be left blank.


The following registry values must be set:


Registry key Value
OWAuid The user name to be used when connecting to the Exchange server (when not using "run as").
OWApwd The password for the user specified in OWAuid (when not using "run as").
OWAdomain The domain of the user specified in OWAuid (when not using "run as").


Forms Based Authentication


The following registry values must be set:


Registry key Value
OWAuid The user name to be used when connecting to the Exchange server.
OWApwd The password for the user specified in OWAuid.
OWAdomain The domain of the user specified in OWAuid.


Security Warning: Never use forms based authentication without SSL.


Note: Exchange 2010 uses different authentication schemes for OWA and for EWS that is used by signOWA. This means that you can use Windows or Basic Authentication for signOWA even though you are using Forms Based Authentication for OWA users.


Using encryption for OWAuid and OWApwd values


When using the registry values OWAdomain, OWAuid, and OWApwd the user name and password of a user are visible to anyone who has access to registry on the machine running signOWA. Therefore, signOWA provides encryption of OWAuid and OWApwd. The encryption is done using the built-in Windows DPAPI

.
Security Warning: Encrypting the user name and password gives an extra level of security. However, if a malicious person manages to execute code on the machine running signOWA, the encrypted credentials may still be decrypted.


To use encryption, run signOWA.exe from command prompt once with the following options:


 

signOWA.exe -encrypt -uid:theusername -pwd:thepassword

 
SignOWA encrypts "theusername" and "thepassword" and writes the encrypted values to OWAuid and OWApwd to the registry. Also, the registry value OWAuseencryption is added to the registry and set to "1".


Note: The encryption is machine dependent. The encrypted registry values cannot be copied to another machine.


Note: Do not manually change the value of OWAuseencryption.


Setting account rights for the account running signOWA.exe


As described above, either signOWA runs in the security context of the user running signOWA, or it uses the credentials of a single user provided in the registry when connecting to Exchange server.


To run signOWA.exe through just one user, create a new account in the Active Directory (including a mail box). This will be the account used for OWAuid as previously described, i.e. the account in which context you wish to run signOWA.exe.


It is recommended to create a domain user with very limited rights for the single purpose of running signOWA.exe.

Specifically, the user should not be part of the Administrators group.


The user must have the following rights:

  • The user must have some extended rights on the Exchange mail store in order to be able to set the signature for all other domain users. These settings vary between Exchange 2003 , 2007 and 2010.
  • The user must have read access to the HKLM hive of the registry on the machine running signOWA.exe.
  • The user must have read/write/update access to the table ldgaUsers in the settings database.


Note: When you run signOWA, all users who are registered in the settings database (i.e. the users you see in Diagnostics) will have their signatures updated in OWA.


Creating and setting up rights for a user for Exchange 2010/2013


The new account must have the "Receive as" extended rights on the mailbox store.

To set these rights, proceed as follows:

  1. Start Exchange Management Shell.
  2. Run the following command in the Management Shell:

     

    Add-adpermission -Identity "Mailbox Database" -User "MyUserName" -ExtendedRights "Receive-As"

     

    Substitute "Mailbox Database" with the name of your mailbox store. This information can be found in the Exchange Management Console.

  3. Additionally, in the Management Shell, run the cmdlet command for the newly created account in domain "DOMAIN" accountname "signOWA". For example:

     

    New-ManagementRoleAssignment -Name "impersonationAssignmentName" -Role "ApplicationImpersonation" -User "DOMAIN\signOWA"

     

  4. It may be necessary to restart the Microsoft Exchange Information Store service to propagate the changes.


Checking site authentication in Exchange 2010/2013/2016


When OWA is installed, Exchange 2010/2013 installs a number of web sites. Two of these web sites are important in this context. The "exchange" web site is among other things used for programmatically accessing mailboxes using technologies such as EWS. The "OWA" web site is used for letting users access their own mailbox with the well-known OWA user interface. In Exchange 2003, the two web sites were grouped together in one web site. The split into two as of Exchange 2007 allows us to define different authentication settings for the two sites.


SignOWA uses the "exchange" web site. Thus, it works independently of the settings for the "OWA" site. This means we can set up Forms Based Authentication (FBA) for the users accessing the OWA interface while using Windows Authentication for signOWA.


To configure authentication for the "exchange" site, proceed as follows:


  1. Open the Exchange Management Console as shown in the following screen shot.


  2. Double-click the "Exchange (Default Web Site)" item to view the properties for the web site.
    Choose the Authentication tab in the Properties window.


  3. Change the authentication settings for the "exchange" web site as necessary. Click OK to save.

    Note: Using Windows Authentication for the "exchange" site is the recommended practice for when using OWA module.

  4. In order for the changes to take effect, the Internet Information Server (IIS) must be reset.
    To do this run the command "iisreset" from a command prompt or by choosing "Run" from the Windows Start menu and typing "iisreset".

    Note: Even though it is possible to configure authentication for the web site using the IIS management console, it is recommended to always use the Exchange Management Console as described above.

Troubleshooting Exchange 2010/2013/2016


  • Error: "The response received from the service didn't contain valid XML."
    Resolution: You have probably noted a wrong server name if you are using a Exchange cluster.

  • Error: "The mailbox that was requested doesn't support the specified RequestServerVersion."
    Resolution: Please make sure that you have given the appropriate permissions to each of the Exchange mailboxes containing the users you want to deploy the signatures for.