Monday, February 27, 2012

Exchange 2010: Creating a secondary OWA Site with Integrated Authentication

In some cases it may be necessary to have the default OWA site require manual authentication (forms-based or basic), specifically if your users use it to access multiple Exchange accounts. At the same time, I have found myself trying to become less dependent on fat clients and to rely on thin clients where available and functional. Having Integrated Authentication turned on for OWA makes using that interface much more convenient for daily use. In that case, it is necessary to create a secondary OWA site in Exchange that can be easily pinned as a web app and does not require manual authentication.

The first step is to create a new site in IIS to host the second OWA instance, as it is not possible in Exchange 2010 to have multiple OWA instances within the same site. Therefore, the second site will need to answer either to a new URL or at minimum to a different port. I chose to set it up on a different port.

  • Open the IIS Manager and drill down to Sites, right click on the site folder and choose "Add Web Site". Enter a Site Name, physical path and binding information as shown below:

The following commands will then be run from the Exchange Management Shell to configure the OWA Instance in that site.
  1. To create the new OWA instance:
    • New-OwaVirtualDirectory -WebSiteName "owa-integrated" 
  2. The ECP virtual directory needs to be created separately; it is necessary to give users access to the OWA control panel for customization, signatures, etc.
    • New-EcpVirtualDirectory -Server "SERVER" -WebSiteName "owa-integrated"
Once the sites are created, you will need to configure the authentication through the Exchange Management Console (EMC). To do this, navigate the tree to the "Server Configuration" section and select the "Client Access" option. Beneath the Outlook Web App tab, you will now see two OWA instances. Right click on the newly created owa-integrated instance, choose properties and then the Authentication tab. Configure the Integrated Authentication option as below:

Once complete, you must restart IIS using the following command from a command prompt with elevated rights: iisreset /noforce
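
The authentication step above can also be applied and checked from the Exchange Management Shell instead of the EMC. The following is an added example, not part of the original post; it assumes the placeholder server name SERVER and the site name owa-integrated used above, and that the ECP virtual directory identity follows the same "SERVER\ecp (owa-integrated)" pattern as the OWA one.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access server.
# Assumptions: "SERVER" is the placeholder server name and "owa-integrated"
# the site name used in the steps above.
$server = "SERVER"
$site   = "owa-integrated"
$owaId  = "$server\owa ($site)"
$ecpId  = "$server\ecp ($site)"

# Shell equivalent of the EMC Authentication tab: Integrated Windows only.
# OWA and ECP on the same site get identical settings so that opening
# Options from OWA does not trigger a second, different logon.
$auth = @{
    WindowsAuthentication = $true
    FormsAuthentication   = $false
    BasicAuthentication   = $false
    DigestAuthentication  = $false
}
Set-OwaVirtualDirectory -Identity $owaId @auth
Set-EcpVirtualDirectory -Identity $ecpId @auth

# Read the settings back and flag anything that differs from the intent.
$problems = @()
$checked  = @(Get-OwaVirtualDirectory -Identity $owaId) +
            @(Get-EcpVirtualDirectory -Identity $ecpId)
foreach ($vd in $checked) {
    if (-not $vd.WindowsAuthentication) {
        $problems += "$($vd.Identity): Windows authentication is off"
    }
    foreach ($method in "FormsAuthentication", "BasicAuthentication", "DigestAuthentication") {
        if ($vd.$method) {
            $problems += "$($vd.Identity): $method is still enabled"
        }
    }
}

# Show every OWA/ECP directory on the server, so the default site can be
# confirmed to still use its original manual (forms or basic) logon.
@(Get-OwaVirtualDirectory -Server $server) + @(Get-EcpVirtualDirectory -Server $server) |
    Sort-Object Name |
    Format-Table Name, WindowsAuthentication, FormsAuthentication, BasicAuthentication -AutoSize

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "owa-integrated: OWA and ECP are set to Integrated Windows authentication only."
}
# Restart IIS afterwards, as described above, for the change to take effect.
```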

You should now be able to access the newly created OWA site by specifying the assigned port in IIS (8443, in this case):

In addition to the above, I also have an Office Communications Server (OCS) and use the integrated chat client in OWA. Therefore, I needed to also perform the following commands from the Exchange Management Shell to configure the client communication:
  1. Assign the Instant Messaging Certificate Thumbprint to the new OWA instance:
    • Set-OwaVirtualDirectory -Identity "SERVER\owa (owa-integrated)" -InstantMessagingCertificateThumbprint 0C0C8590BF04B5676B6AB4A803EDF07AB73CDEC6
  2. Assign the Instant Messaging Server Name:
    • Set-OwaVirtualDirectory -Identity "SERVER\owa (owa-integrated)" -InstantMessagingServerName
  3. Set the Instant Messaging Type to Ocs:
    • Set-OwaVirtualDirectory -Identity "SERVER\owa (owa-integrated)" -InstantMessagingType Ocs


  1. I am very happy to locate your website. I just wanted to thank you for the time you spent on this great article. I definitely enjoyed reading it and I have you bookmarked to check out new stuff you post.


  2. Very helpful article. Thank you.