Gunnar Peipman's ASP.NET blog

ASP.NET, C#, SharePoint, SQL Server and general software development topics.






Authenticating programmatically to Exchange Server 2003 FBA

In one of my projects I had to read data from Exchange Server 2003 programmatically. I had access to Outlook Web Access that used Form Based Authentication (FBA). After some hacking and testing I got authentication part of my utility work. The point was easy - before making WebDAV requests to Exchange Server we need authentication cookies, so there is active session we can use.


NB! This blog is moved to

Click here to go to article


Dave said:

Hi Gunnar,

Thanks for the post, I've tried your code (and some similar code I've written) but just get a 400 bad request back from the server when I try to make use of the cookieCollection:

Request.CookieContainer.Add(DoExchangeFBA("https://" + mailboxServer, "nwtraders\\dave hope", "Password"));

The raw http request looks like the following:

PROPFIND /exchange/owatest@nwtraders.msft/non_ipm_subtree/ HTTP/1.1

Host: exchange.nwtraders.msft

Cookie: sessionid=7a7c69df-0455-4g58-a96e-4e72388f4efa:000; cadata="1lsLZBvnfDk/Np9dfgFFtfgT91xl9UMjTsf7YxJ7IUufEVYQCm443d7qqxqvafmPKELKxT9yQFeG/2SFN0fTOAv6Q=="

Content-Length: 141

Expect: 100-continue

<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:d=""><a:prop><d:oof-state/></a:prop></a:propfind>

Any ideas as to where I'm going wrong?



# December 17, 2008 10:17 AM

DigiMortal said:

I have seen this error in rather weird situation. I wrote command line application that imports calendars data from Exchange to SharePoint. Everything worked fine. I decided to create SharePoint server timer job based on this code. Without any markable modifications this code is not able to work under SharePoint timer process. After authentication it always gets error 400 bad request.

Can you tell me more about your technical environment? Maybe it is possible to find out what is going on.

# December 18, 2008 8:14 PM

Dave said:

Thanks for the response!

We have multiple exchange servers. The code works fine against those which use Negotiate authentication but not those using FBA.

The code fails when making the request from the exchange servers itself. It's Exchange 2003 with all updates applied running on Windows 2k3 SP2 (again, with all updates applied).

Is there any specific information I can provide?



# December 22, 2008 3:17 AM

Dave said:

Problem solved! - I was doing two things wrong:

Not specifying the content-type in my request:

Request.ContentType = "text/xml";

The FBA login was redirecting, which I shouldn't have followed. Doing the following fixed it:

request.AllowAutoRedirect = false;



# December 23, 2008 7:14 AM

thor axelsson said:

Very good stuff! Do you have the same for exchange 2007

Best regards


# January 8, 2009 8:20 PM

DigiMortal said:

Hello Thor!

Basically you can use this code also with Exchange 2007 but you have to make some little changes.

1. Exchange 2007 has different URL for authentication DLL.

2. There is only one authentication cookie for Exchange 2007

# January 9, 2009 6:31 PM

Prasanna said:


This solution works fine.However we need to give "password" in this case. In a case when we are using default credentials, can it be done without password?

# February 17, 2009 5:21 AM

Erik said:

Hi Gunnar,

Thank you for posting this code. Are you able to offer me an example of how I might use your code to prevent the OWA login screen from appearing when a user clicks on a link to an inbox item? I am initially authenticating (successfully), passing a webDAV query, and returning & displaying the results on an .aspx (2.0) page. Within the results I have created anchor tags hyperlinked (using the exchange protocol format) to inbox items. However, when a user clicks on the item, the OWA login screen comes up. Specifically, how can I implement your code to bypass this screen?

Thank you,

Erik Snyder

# March 17, 2009 12:37 PM

DigiMortal said:

If you want it to be done easily then use Windows authentication. Browser takes care of everything. Otherwise... try to put these session cookies to user's browser. See what happens.

# March 18, 2009 5:07 AM

KVL said:


Thanks for posting the code. But when tring to get the cookies we are getting 401 Unauthorized error. Could please let me know what could be the reason in getting 401 Unauthorized error?

Thank You,


# June 20, 2009 6:44 AM

cjorellana said:

error in Exchange 2007:

details error:

The remote certificate is invalid according to the validation procedure.

# August 18, 2009 12:19 PM

.netBeginner said:

I know this is a very old post. But I going to try my luck anyway for an answer. I wrote a authenticate function based on your code.

I am trying to connect to exchage 2007 , I keep getting bad request 400. I am not sure what i am doing wrong ,please help.

My url's work fine. and the username & password is right.

public void authenticate()


string authURI = server + "/owa/auth/owaauth.dll";

           // Create the web request body:

           string body = string.Format("destination={0}&username={1}&password={2}", server + path, username, password);

           byte[] bytes = Encoding.UTF8.GetBytes(body);

           // Create the web request:

           HttpWebRequest request = (HttpWebRequest)System.Net.WebRequest.Create(authURI);

           request.Method = "POST";

           request.ContentType = "application/x-www-form-urlencoded";

           request.CookieContainer = new CookieContainer();

           request.ContentLength = bytes.Length;

           request.UseDefaultCredentials = true;

           // Create the web request content stream:

          // request.KeepAlive = true;

           //request.AllowAutoRedirect = true;

           using (Stream stream = request.GetRequestStream())


               stream.Write(bytes, 0, bytes.Length);



           // Get the response & store the authentication cookies:

           HttpWebResponse response = (HttpWebResponse)request.GetResponse();

           if (response.Cookies.Count < 2)


               Response.Write("Login Failed");

               //throw new AuthenticationException("Login failed. Is the login / password correct?");




               CookieContainer cookies = new CookieContainer();

               foreach (Cookie myCookie in response.Cookies)







# January 27, 2010 3:55 PM

.netBeginner said:

Just a quick note to the above post i made ,

the destination path is of the form

I tested this url in ie and it works.

# January 27, 2010 4:17 PM

DigiMortal said:

Just take fiddler2 and set it as proxy in your test machine. Now make all tasks you need to do in your code through OWA and save those requests and responses.

Now make your application work exactly same way. Use fiddler2 to monitor requests that your application makes. You should get all work done pretty quickly this way.

# January 28, 2010 4:02 AM

MadhuGowda said:

Can somebody put similar code for exchange 2010.

What is the url for authentication dll, is this url ("/owa/auth.owa") correct

# October 21, 2010 5:47 AM

DigiMortal said:

Thanks for question, MadhuGowda! If you are lucky one with Exchange Server 2007 or 2010 you don't have to use WebDAV protocol to communicate with Exchange Server. You can use web services and this is preferred way over WebDAV.

# October 21, 2010 6:31 AM said:

Authenticating programmatically to exchange server 2003 fba.. Very nice :)

# June 26, 2011 2:10 PM

Robert said:

Posting to the dll for owa no longer works in 2010, I have it working for 2007, does anyone know what they changed?  I have been working on this for days with no resolve.

# June 9, 2012 7:39 PM