none
Exchange Web Services server-to-server authentication without plaintext password? RRS feed

  • Question

  • I'm building a server application that runs automated processes that needs to be compatible with Exchange servers back to version 2007. I currently use OAuth through Azure AD for Office 365 connection, but I'm still trying to find a solution for on-premises Exchange pre-2013.

    I've been reading about Exchange authentication (basic, NTLM, etc) and I can't seem to find any references to a long-term token system that will allow me to setup authentication with a one-time use password. I'd very strongly rather not store user passwords in a central DB, encrypted or not, as its a huge security responsibility and could be reverse engineered.

    Is there something I'm missing?

    Is there a way to authenticate to Exchange without a password each time?

    After doing some more reading, it seems that I might be able to store the NTLM calculated hash (instead of the password) and re-use that hash for all other calls. Can anyone confirm my assumption there? Am I totally off base? Are there any restrictions or consequences I might be missing if taking that route?

    • Edited by Trevor Suarez Tuesday, July 28, 2015 6:35 PM formatting and clarification
    Tuesday, July 28, 2015 6:28 PM

All replies

  • Refer https://msdn.microsoft.com/en-us/library/office/dn626019(v=exchg.150).aspx - which will help you to choose right authentication standard for your EWS application that targets Exchange.

    DeVa, M.S., {MSFT} Please remember to mark the replies as answers if they help

    Tuesday, July 28, 2015 11:27 PM
  • I've already read that document. That doesn't provide much information.
    Wednesday, July 29, 2015 3:00 AM