Authenticating programmatically to Exchange Server 2003 FBA

Wednesday, December 3, 2008

In one of my projects I had to read data from Exchange Server 2003 programmatically. I had access to Outlook Web Access that used Form Based Authentication (FBA). After some hacking and testing I got authentication part of my utility work. The point was easy - before making WebDAV requests to Exchange Server we need authentication cookies, so there is active session we can use.

NB! This blog is moved to gunnarpeipman.com

Click here to go to article

17 Comments

Hi Gunnar,

Thanks for the post, I've tried your code (and some similar code I've written) but just get a 400 bad request back from the server when I try to make use of the cookieCollection:

Request.CookieContainer.Add(DoExchangeFBA("https://" + mailboxServer, "nwtraders\\dave hope", "Password"));

The raw http request looks like the following:

PROPFIND /exchange/owatest@nwtraders.msft/non_ipm_subtree/ HTTP/1.1
Host: exchange.nwtraders.msft
Cookie: sessionid=7a7c69df-0455-4g58-a96e-4e72388f4efa:000; cadata="1lsLZBvnfDk/Np9dfgFFtfgT91xl9UMjTsf7YxJ7IUufEVYQCm443d7qqxqvafmPKELKxT9yQFeG/2SFN0fTOAv6Q=="
Content-Length: 141
Expect: 100-continue

Any ideas as to where I'm going wrong?

Thanks,

Dave

Dave - Wednesday, December 17, 2008 3:17:16 PM

I have seen this error in rather weird situation. I wrote command line application that imports calendars data from Exchange to SharePoint. Everything worked fine. I decided to create SharePoint server timer job based on this code. Without any markable modifications this code is not able to work under SharePoint timer process. After authentication it always gets error 400 bad request.

Can you tell me more about your technical environment? Maybe it is possible to find out what is going on.

DigiMortal - Friday, December 19, 2008 1:14:45 AM

Thanks for the response!

We have multiple exchange servers. The code works fine against those which use Negotiate authentication but not those using FBA.

The code fails when making the request from the exchange servers itself. It's Exchange 2003 with all updates applied running on Windows 2k3 SP2 (again, with all updates applied).

Is there any specific information I can provide?

Thanks!

Dave

Dave - Monday, December 22, 2008 8:17:35 AM

Problem solved! - I was doing two things wrong:

Not specifying the content-type in my request:

Request.ContentType = "text/xml";

The FBA login was redirecting, which I shouldn't have followed. Doing the following fixed it:

request.AllowAutoRedirect = false;

Thanks

Dave

Dave - Tuesday, December 23, 2008 12:14:15 PM

Very good stuff! Do you have the same for exchange 2007

Best regards
Thor

thor axelsson - Friday, January 9, 2009 1:20:23 AM

Hello Thor!

Basically you can use this code also with Exchange 2007 but you have to make some little changes.

1. Exchange 2007 has different URL for authentication DLL.
2. There is only one authentication cookie for Exchange 2007

DigiMortal - Friday, January 9, 2009 11:31:55 PM

Hi,

This solution works fine.However we need to give "password" in this case. In a case when we are using default credentials, can it be done without password?

Prasanna - Tuesday, February 17, 2009 10:21:32 AM

Hi Gunnar,

Thank you for posting this code. Are you able to offer me an example of how I might use your code to prevent the OWA login screen from appearing when a user clicks on a link to an inbox item? I am initially authenticating (successfully), passing a webDAV query, and returning & displaying the results on an .aspx (2.0) page. Within the results I have created anchor tags hyperlinked (using the exchange protocol format) to inbox items. However, when a user clicks on the item, the OWA login screen comes up. Specifically, how can I implement your code to bypass this screen?

Thank you,
Erik Snyder

Erik - Tuesday, March 17, 2009 4:37:01 PM

If you want it to be done easily then use Windows authentication. Browser takes care of everything. Otherwise... try to put these session cookies to user's browser. See what happens.

DigiMortal - Wednesday, March 18, 2009 9:07:40 AM

error in Exchange 2007:

details error:
The remote certificate is invalid according to the validation procedure.

cjorellana - Tuesday, August 18, 2009 4:19:36 PM

I know this is a very old post. But I going to try my luck anyway for an answer. I wrote a authenticate function based on your code.

I am trying to connect to exchage 2007 , I keep getting bad request 400. I am not sure what i am doing wrong ,please help.

My url's work fine. and the username & password is right.

public void authenticate()
{
string authURI = server + "/owa/auth/owaauth.dll";

// Create the web request body:

string body = string.Format("destination={0}&username={1}&password={2}", server + path, username, password);
byte[] bytes = Encoding.UTF8.GetBytes(body);

// Create the web request:

HttpWebRequest request = (HttpWebRequest)System.Net.WebRequest.Create(authURI);
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.CookieContainer = new CookieContainer();
request.ContentLength = bytes.Length;
request.UseDefaultCredentials = true;
// Create the web request content stream:
// request.KeepAlive = true;
//request.AllowAutoRedirect = true;
using (Stream stream = request.GetRequestStream())
{
stream.Write(bytes, 0, bytes.Length);
stream.Close();
}

// Get the response & store the authentication cookies:

HttpWebResponse response = (HttpWebResponse)request.GetResponse();

if (response.Cookies.Count < 2)
{
Response.Write("Login Failed");
//throw new AuthenticationException("Login failed. Is the login / password correct?");
}
else
{
CookieContainer cookies = new CookieContainer();
foreach (Cookie myCookie in response.Cookies)
{
cookies.Add(myCookie);
}
}

response.Close();
}

.netBeginner - Wednesday, January 27, 2010 8:55:38 PM

Just a quick note to the above post i made ,

the destination path is of the form
https://exchange.myserver.com/owa/myemail@address.com/?cmd=contents&module=inbox

I tested this url in ie and it works.

.netBeginner - Wednesday, January 27, 2010 9:17:23 PM

Just take fiddler2 and set it as proxy in your test machine. Now make all tasks you need to do in your code through OWA and save those requests and responses.

Now make your application work exactly same way. Use fiddler2 to monitor requests that your application makes. You should get all work done pretty quickly this way.

DigiMortal - Thursday, January 28, 2010 9:02:08 AM

Can somebody put similar code for exchange 2010.
What is the url for authentication dll, is this url ("/owa/auth.owa") correct

MadhuGowda - Thursday, October 21, 2010 9:47:22 AM

Thanks for question, MadhuGowda! If you are lucky one with Exchange Server 2007 or 2010 you don't have to use WebDAV protocol to communicate with Exchange Server. You can use web services and this is preferred way over WebDAV.

DigiMortal - Thursday, October 21, 2010 10:31:49 AM

Authenticating programmatically to exchange server 2003 fba.. Very nice :)

weblogs.asp.net - Sunday, June 26, 2011 6:10:53 PM

Posting to the dll for owa no longer works in 2010, I have it working for 2007, does anyone know what they changed? I have been working on this for days with no resolve.

Robert - Saturday, June 9, 2012 11:39:23 PM

Comments have been disabled for this content.