About this Article:


This article is intended for the administrator tasked with configuring email signatures for an Outlook Web Access (OWA) environment running on Exchange Server 2007.


Compliant email signatures on Outlook Web clients


Compliance and consistency of email signatures affect your brand.

The goal is to ensure that the signature portion of corporate email meets your branding standards, no matter where an email is sent from.
With the Outlook Web module, the same signature that appears in Outlook can also appear on emails sent remotely through Outlook Web Access. Recipients can no longer tell whether an email was sent from home or from the office, and the signature no longer depends on where the email is sent from. The result is email signatures with a professional look and feel that enhance your brand and deliver targeted marketing messages with each and every email.


OWA module in overview


You are already familiar with the basic setup and the backend database. The backend (settings) database contains the final signatures to be deployed to OWA. These signatures are stored in the settings database and are updated each time sign.exe runs.


To read the signatures from the backend database and deploy them to the OWA environment, a separate program, signOWA.exe, is used.

Unlike sign.exe, signOWA.exe does not run each time a user logs on. It runs from a server in your network as a scheduled task.

It can be any server within your network running Windows Server 2000, 2003 or 2008 with the latest Service Pack applied.


SignOWA.exe is set up as a scheduled task that deploys signatures to OWA at a set time, e.g. once a day at 1 am.


Deploying email signature to OWA/Exchange Server


To set up the OWA module, proceed as follows:

  1. Configure OWA in the admin console --> Modules --> Outlook Web.
  2. Install OWA module files on a server (other than the Exchange server) and create registry entries on the server where signOWA.exe will be running.
  3. Set up security permissions to access the Exchange server and fill in required information into the registry.
    The process is different depending on the authentication method used by your server.
  4. If using a single user to run signOWA.exe, set up account rights for this user.
  5. Test signatures on a few OWA users.
  6. Set up signOWA.exe as a scheduled task and then deploy.


Each of the steps is described in the following sections.


Configuring OWA module for Exchange Server 2007


In order to administer the OWA settings, first you must enable the OWA module. If you have entered a valid license for the OWA module, the module will be enabled.

If the OWA module is not enabled, please obtain a valid license key.


To configure the OWA module, proceed as follows:

  1. Double-click the admin console icon on the desktop, and open the Modules tab. Then click the Configuration button for Outlook Web Access.


    The Basic Configuration window appears. The first time you open the Configuration window it shows dummy sample settings. These must be changed for OWA deployment to work.


  2. Select the Exchange Server version that you are running:
    • Exchange 2007

  3. In the Authentication Method section select the method used on your server:

    • Integrated Windows Authentication for OWA

    • Forms Based Authentication for OWA

      Please consult your Exchange administrator to learn which method is used by your server.

      Note: Using Windows Authentication for the "exchange" site is the recommended practice for signOWA.


  4. Check the Secure Socket Layer (https) option if you are using HTTPS to connect to OWA.

  5. Enter the host name of your Exchange OWA server in the OWA URL field. Leave out http:// and https:// before the name.

    If you are using Exchange 2007, do not append anything to the host name, e.g. "myserver.mydomain.local" (do NOT add /owa or /exchange).

    Security Warning: Use the internal address of the OWA server, so that signOWA's connection, and the credentials it sends, stay on your internal network instead of going out through the public OWA address.

  6. Click Save to keep these settings, and then click Close to exit the Basic Configuration window.

    You are now ready to continue with installing the OWA files.


Installing OWA files


Now that you have set up the OWA module, you must install the OWA module files on a server (other than the Exchange server) where you want to run the job as a scheduled task.

  • Create a folder on the server and extract the module files into that folder.

  • Double-click the signOWA.reg file and accept adding the entries to the registry.


Note: You must have write access to the HKEY_LOCAL_MACHINE hive of the registry.


SignOWA.reg adds registry entries that will hold the user name and password signOWA.exe uses to authenticate. This information can be encrypted (see "Using encryption for OWAuid and OWApwd values" below).


Note: SignOWA.exe cannot function without these registry entries.


Entries for proxy values are also added to the registry. Normally these are left blank and should not be modified; they are only needed in very rare cases.


Setting up security for Exchange Server


SignOWA supports different authentication schemes depending on the setup of the Exchange server:

• Basic Authentication.
• Integrated Windows Authentication.
• Forms Based Authentication.

The following registry values control how signOWA authenticates with the Exchange server:


Registry value   Description
OWAuid           The user name to use when connecting to the Exchange server. If left blank, the credentials of the account under which signOWA.exe is running (the logged-on user, or the scheduled task's "run as" account) are used. Do not include the domain in the user name.
OWApwd           The password for the user specified in OWAuid. If OWAuid is left blank, the OWApwd value is ignored.
OWAdomain        The domain of the user specified in OWAuid. If OWAuid is left blank, the OWAdomain value is ignored.


Once SignOWA.reg has added the entries to the registry, start regedit.exe to set these values.


The following sections describe the registry settings to use for each authentication scheme.


Basic Authentication


When using basic authentication and running signOWA as a scheduled task, the recommended approach is the scheduled task's "run as" feature: signOWA then connects to the Exchange server in the security context of the account the task runs as. In this case, OWAuid must be left blank.


With basic authentication the user name and password are sent to the server Base64-encoded, which is equivalent to clear text.


Security Warning: Never use basic authentication without SSL (HTTPS).


The following registry values must be set:


Registry value   Description
OWAuid           The user name to use when connecting to the Exchange server (when not using "run as").
OWApwd           The password for the user specified in OWAuid (when not using "run as").
OWAdomain        The domain of the user specified in OWAuid (when not using "run as").


Integrated Windows Authentication


When using integrated Windows authentication and running signOWA as a scheduled task, the recommended approach is the scheduled task's "run as" feature: signOWA then connects to the Exchange server in the security context of the account the task runs as, and no password has to be stored in the registry at all. In this case, OWAuid must be left blank.


The following registry values must be set:


Registry value   Description
OWAuid           The user name to use when connecting to the Exchange server (when not using "run as").
OWApwd           The password for the user specified in OWAuid (when not using "run as").
OWAdomain        The domain of the user specified in OWAuid (when not using "run as").
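As an added example (not part of the product documentation), the following PowerShell commands register signOWA.exe as a scheduled task with schtasks.exe using the "run as" approach described above, so that OWAuid, OWApwd and OWAdomain can stay blank. The folder C:\signOWA and the account MYDOMAIN\svc_signowa are assumptions.

```powershell
# Added example, not from the signOWA documentation. Registers signOWA.exe as a daily
# scheduled task running under a dedicated domain account, so that signOWA uses the
# task's "run as" identity for Windows authentication and OWAuid/OWApwd/OWAdomain
# stay blank in the registry. schtasks.exe ships with Windows Server 2003 and 2008.
#
# Assumptions (hypothetical values): the module files were extracted to C:\signOWA and
# the dedicated account created for signOWA is MYDOMAIN\svc_signowa.

$taskName = 'signOWA'
$exePath  = 'C:\signOWA\signOWA.exe'
$runAs    = 'MYDOMAIN\svc_signowa'
$startAt  = '01:00'   # once a day at 1 am, as suggested in the overview

# /RP * makes schtasks prompt for the account's password instead of taking it from the
# command line, where it would be visible in the console and to anyone listing processes.
# Task Scheduler keeps the password itself; nothing has to be written to OWApwd.
schtasks.exe /Create /TN $taskName /TR "`"$exePath`"" /SC DAILY /ST $startAt /RU $runAs /RP *

# Confirm the task, its schedule and the account it runs as.
schtasks.exe /Query /TN $taskName /V /FO LIST

# The account needs the "Log on as a batch job" user right on this server, which Task
# Scheduler normally grants when the task is created; check it if the task fails to log on.
# Run the task once by hand before relying on the schedule:
schtasks.exe /Run /TN $taskName
```

Because the task's password is held by Task Scheduler and the registry values stay blank, an attacker who can read the registry on this server learns nothing about the service account from signOWA's configuration.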


Forms Based Authentication


The following registry values must be set:


Registry value   Description
OWAuid           The user name to use when connecting to the Exchange server.
OWApwd           The password for the user specified in OWAuid.
OWAdomain        The domain of the user specified in OWAuid.


Security Warning: Never use forms based authentication without SSL (HTTPS). The logon form posts the user name and password in clear text.


Note: Exchange 2007 lets you configure authentication separately for the "owa" site used by OWA users and for the "exchange" site that signOWA accesses over WebDAV. This means you can use Windows or Basic Authentication for signOWA even though your OWA users use Forms Based Authentication (see "Checking site authentication in Exchange 2007" below).


Using encryption for OWAuid and OWApwd values


When the registry values OWAdomain, OWAuid, and OWApwd are used, the user name and password are visible to anyone who can read the registry on the machine running signOWA. Therefore, signOWA can encrypt OWAuid and OWApwd. The encryption uses the built-in Windows Data Protection API (DPAPI).


Security Warning: Encrypting the user name and password adds a layer of protection against simply reading the registry. However, DPAPI ties the encryption key to the machine rather than to a secret only signOWA knows, so if a malicious person manages to execute code on the machine running signOWA, the encrypted credentials may still be decrypted.


To use encryption, run signOWA.exe from a command prompt once with the following options:


signOWA.exe -encrypt -uid:theusername -pwd:thepassword


SignOWA encrypts "theusername" and "thepassword" and writes the encrypted values to OWAuid and OWApwd in the registry. It also adds the registry value OWAuseencryption, set to "1".


Note: The password is visible on the command line (in the console window and to anyone who can list running processes) while this command runs. Run it from an interactive session on the signOWA server itself.


Note: The encryption is machine dependent. The encrypted registry values cannot be copied to another machine.


Note: Do not manually change the value of OWAuseencryption.
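The following PowerShell script is an added example of what the DPAPI protection described above does and does not protect against. It is not signOWA's own routine, and the registry key and value names it uses are hypothetical; the exact storage format signOWA uses is not documented in this article. It protects a sample password with machine scope, stores it in the registry and reads it back, and contrasts that with user scope.

```powershell
# Added example, not signOWA's own code: shows what DPAPI protection of a registry
# value gives you. The key path and value names are hypothetical; signOWA's own
# storage format is not documented in this article.

Add-Type -AssemblyName System.Security   # provides System.Security.Cryptography.ProtectedData

$demoKey = 'HKLM:\SOFTWARE\DemoSignOWA'  # hypothetical key, created and removed below

function Protect-RegistrySecret {
    param([string]$KeyPath, [string]$ValueName, [string]$Plain, [string]$Scope)
    $scopeValue = [System.Security.Cryptography.DataProtectionScope]$Scope
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        [System.Text.Encoding]::UTF8.GetBytes($Plain), $null, $scopeValue)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # Stored as REG_BINARY; the bytes are the DPAPI blob, not the password.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $blob -Type Binary
}

function Unprotect-RegistrySecret {
    param([string]$KeyPath, [string]$ValueName, [string]$Scope)
    $scopeValue = [System.Security.Cryptography.DataProtectionScope]$Scope
    $blob  = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scopeValue)
    [System.Text.Encoding]::UTF8.GetString($plain)
}

# Machine scope: the blob is tied to this computer's DPAPI master key. Any process on
# this machine, under any account (the scheduled task's account, or an attacker's
# code), can unprotect it. This matches the "machine dependent" note above and the
# warning that local code execution defeats the encryption.
Protect-RegistrySecret -KeyPath $demoKey -ValueName 'DemoPwd' -Plain 'thepassword' -Scope LocalMachine
Unprotect-RegistrySecret -KeyPath $demoKey -ValueName 'DemoPwd' -Scope LocalMachine

# User scope, for contrast: only the user account that called Protect can unprotect
# the blob. That would be unusable for signOWA, because the administrator who runs
# "signOWA.exe -encrypt" is normally not the account the scheduled task runs as.
Protect-RegistrySecret -KeyPath $demoKey -ValueName 'DemoPwdUser' -Plain 'thepassword' -Scope CurrentUser

# Remove the demonstration key again.
Remove-Item -Path $demoKey -Recurse
```

The practical consequence is that DPAPI-encrypted registry values raise the bar from "read the registry" to "run code on this server", which is why the dedicated account should have no more rights than signOWA needs, and why the "run as" approach, which stores no password in the registry at all, is preferred where the authentication method allows it.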


Setting account rights for the account running signOWA.exe


As described above, signOWA either runs in the security context of the account running signOWA.exe, or it uses the credentials of a single user provided in the registry when connecting to the Exchange server.


To run signOWA.exe under just one user, create a new account in Active Directory (including a mailbox). This is the account used for OWAuid as previously described, i.e. the account in whose context you want signOWA.exe to run.


It is recommended to create a domain user with very limited rights for the single purpose of running signOWA.exe. Specifically, the user must not be a member of the Administrators group. The user must have the following rights:


• Extended rights on the Exchange mailbox store, in order to set the signature for all other domain users. These settings vary between Exchange 2003, 2007 and 2010; the Exchange 2007 procedure follows below.
• Read access to the HKLM hive of the registry on the machine running signOWA.exe (the key that SignOWA.reg created).
• Read/write/update access to the table ldgaUsers in the settings database.

Note: When you run signOWA, all users who are registered in the settings database (i.e. the users you see in Diagnostics) have their signatures updated in OWA.


Creating and setting up rights for a user for Exchange 2007


The new account must have the "Receive-As" extended right on the mailbox database. To set this right, proceed as follows:

1. Start the Exchange Management Shell.
2. Run the following command in the Management Shell:


  Add-ADPermission -Identity "Mailbox Database" -User "MyUserName" -ExtendedRights "Receive-As"


  Substitute "Mailbox Database" with the name of your mailbox database; you can find it in the Exchange Management Console. Because Receive-As on a database lets the account open every mailbox in that database, keep the account dedicated to signOWA and grant the right only on the databases that hold the users whose signatures are deployed. It may be necessary to restart the Microsoft Exchange Information Store service to propagate the changes.
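After granting the right, a quick way to confirm from the signOWA server that the account can actually open another user's mailbox is a WebDAV PROPFIND against the "exchange" virtual directory, which is the access path signOWA uses on Exchange 2007. The following PowerShell function is an added example, not part of signOWA; the host name, account and mailbox alias are assumptions, and the function does not reproduce what signOWA sends, only the authentication and mailbox-rights path it depends on.

```powershell
# Added example, not part of signOWA: checks that an account can open another user's
# mailbox through the "exchange" virtual directory over WebDAV, which is what the
# Receive-As right on the mailbox database and the site's authentication settings must
# together allow. Assumed (hypothetical): host name, service account and mailbox alias.

function Test-MailboxWebDavAccess {
    param(
        [string]$OwaHost = 'myserver.mydomain.local',   # the OWA URL field value, no scheme
        [string]$MailboxAlias = 'jdoe',                 # a mailbox other than the account's own
        [System.Management.Automation.PSCredential]$Credential,  # omit to use the caller's identity
        [switch]$UseHttp                                 # lab use only; see the SSL warnings above
    )
    $scheme = if ($UseHttp) { 'http' } else { 'https' }
    $url = "{0}://{1}/exchange/{2}/" -f $scheme, $OwaHost, $MailboxAlias

    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method = 'PROPFIND'           # WebDAV "list properties"; read-only
    $req.Headers.Add('Depth', '0')     # the mailbox root only, no child folders
    $req.AllowAutoRedirect = $false    # show a logon-form redirect as 302 instead of following it
    $req.Credentials = if ($Credential) { $Credential.GetNetworkCredential() }
                       else { [System.Net.CredentialCache]::DefaultCredentials }

    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -eq $null) { throw }   # DNS, TCP or certificate failure
        $status = [int]$_.Exception.Response.StatusCode
    }

    switch ($status) {
        207 { "207 Multi-Status: $url opened; authentication and mailbox rights are in place." }
        401 { "401 Unauthorized: credentials rejected, the account lacks rights on this mailbox, or the 'exchange' site offers no authentication method this request can use." }
        default { "HTTP $status from $url (a 302 redirect typically means the site is on Forms Based Authentication)." }
    }
}

# Typical use on the signOWA server, testing the dedicated account against someone else's mailbox:
# Test-MailboxWebDavAccess -Credential (Get-Credential 'MYDOMAIN\svc_signowa')
# Run without -Credential from a session logged on as the "run as" account to test that setup.
```

A certificate error on the HTTPS connection surfaces as a WebException without a response and is rethrown; fix the certificate on the OWA host rather than disabling validation, since the same certificate protects the credentials signOWA sends.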

Checking site authentication in Exchange 2007


When OWA is installed, Exchange 2007 creates a number of web sites (virtual directories). Two of them matter here. The "exchange" site is, among other things, used for programmatic mailbox access with technologies such as WebDAV. The "owa" site lets users access their own mailbox with the well-known OWA user interface. In Exchange 2003, the two were grouped together in one site. The split into two as of Exchange 2007 allows different authentication settings for the two sites.


SignOWA uses the "exchange" site and therefore works independently of the settings for the "owa" site. This means you can set up Forms Based Authentication (FBA) for users accessing the OWA interface while using Windows Authentication for signOWA.


To configure authentication for the "exchange" site, proceed as follows:

1. Open the Exchange Management Console, go to Server Configuration --> Client Access, select the Client Access server and open the Outlook Web Access tab.


2. Double-click the "Exchange (Default Web Site)" item to view the properties of the web site, and choose the Authentication tab in the Properties window.


3. Change the authentication settings for the "exchange" web site as necessary, and click OK to save.

  Note: Using Windows Authentication for the "exchange" site is the recommended practice when using the OWA module.

4. For the changes to take effect, Internet Information Services (IIS) must be reset. Run the command "iisreset" from a command prompt, or choose "Run" from the Windows Start menu and type "iisreset". This briefly interrupts OWA for all users of that server.


Note: Even though it is possible to configure authentication for the web site in the IIS management console, always use the Exchange Management Console as described above, so that the settings Exchange stores and those in IIS stay consistent.
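The same check and change can be made from the Exchange Management Shell, which is the shell equivalent of the console steps above. The following commands are an added example and not part of the article; the Client Access server name is an assumption, while "Exchange (Default Web Site)" is the virtual directory name shown in the console.

```powershell
# Added example, not from the article: inspect and change the authentication methods of
# the "exchange" virtual directory from the Exchange Management Shell on Exchange 2007.
# The Client Access server name is hypothetical.

$cas = 'MYCAS01'

# Show which authentication methods each OWA-related virtual directory currently offers.
Get-OwaVirtualDirectory -Server $cas |
    Select-Object Name, BasicAuthentication, WindowsAuthentication, FormsAuthentication |
    Format-Table -AutoSize

# Put the "exchange" site (used by signOWA over WebDAV) on Integrated Windows
# Authentication and take it off Forms Based Authentication. The "owa" site is not
# touched, so interactive users can keep the FBA logon form.
Set-OwaVirtualDirectory -Identity "$cas\Exchange (Default Web Site)" `
    -WindowsAuthentication $true -FormsAuthentication $false

# Verify the result, then reset IIS so the change takes effect (briefly interrupts OWA).
Get-OwaVirtualDirectory -Identity "$cas\Exchange (Default Web Site)" |
    Format-List Name, BasicAuthentication, WindowsAuthentication, FormsAuthentication
iisreset
```

Leaving BasicAuthentication as it is keeps the "exchange" site usable for a Basic-authenticated signOWA setup as well; if Basic is enabled, the site must only be reachable over HTTPS, as the warnings above state.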