I needed a way to authenticate users from our library from a server outside our network, and therefore also not connected to Active Directory. At first I was thinking LDAP would be the best way...then I did my research and learned enough about LDAP to realize just how much information it gives out - WAY too much for it to be very secure. Even if I used SSL, created an account specifically for this access, set that account to read only...all it would take would be one person to hack our server and grab that information and all our organization's data is out there. Although it's about as much of a chance as getting hit by lightning in the middle of the desert in a sand storm, I wouldn't want to be responsible.

The only server with any sort of external web presence that is also touching the internet is our Exchange server's web access portal. I thought, "Ah HA! I can use cURL, or streams, or fsockopen or something to fake a login to this page to verify authentication!" After searching a bit (I'm terrible every time I attempt to write something using cURL to authenticate), I came across a few things.

  1. Exchange Server 2007 uses SOAP to provide a web service...AWESOME! We currently use 2003 though, but we will be upgrading later this year, so this may be helpful later on. [Link]
    1. HowToForge article on how to use PHP with 2007's SOAP Web Service
  2. I found this PHP script that I tested, which successfully contacted our OWA server and authenticated.
  3. I also found a PHP class on Google Code from Tyler Hall - it's not any particular project repository, just miscellaneous code he's hosting. It looks like it's slightly more feature rich, allowing info from address books and a user's inbox, for example.


I only needed to authenticate our building, so thankfully we had our own subdomain (not sure of the proper terminology) in the AD... If your domain was example.com (DC=example,DC=com), just getting OUR office (assume "Office1") was as easy as defining office1.example.com (DC=office1,DC=example,DC=com) after the @ symbol in the user's username (typically unnecessary information with OWA, but adding it explicitly was important here). It (seemingly) worked perfectly.

If you plan on doing something similar, just make sure that you cache (and encrypt) username/password information locally; hitting the OWA page continuously would probably make your System (or Email) Administrators a little unhappy with you.
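One way to do the local caching described above, as an added example that is not from the original post or the linked scripts. It stores a salted one-way hash (`password_hash`) instead of reversibly encrypted passwords, since the cache only ever needs to compare; `$owaLogin`, the `auth_cache` table, the TTL and all function names are assumptions.

```php
<?php
// Added example; every name here is hypothetical, not from the linked scripts.
const CACHE_TTL = 900;                        // assumed: seconds a cached check stays valid
const OFFICE_DOMAIN = 'office1.example.com';  // the post's example subdomain

// Append the office domain unless the user already typed one.
function qualifyUsername(string $user): string
{
    $user = strtolower(trim($user));
    return strpos($user, '@') === false ? $user . '@' . OFFICE_DOMAIN : $user;
}

// $owaLogin(string $user, string $pass): bool stands in for the real OWA login script.
function authenticate(PDO $db, callable $owaLogin, string $user, string $pass): bool
{
    $user = qualifyUsername($user);
    $stmt = $db->prepare('SELECT pw_hash, verified_at FROM auth_cache WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Fresh cache entry and matching password: answer locally, no request to OWA.
    if ($row && time() - (int) $row['verified_at'] < CACHE_TTL
        && password_verify($pass, $row['pw_hash'])) {
        return true;
    }
    // Miss, expired entry, or mismatch (the AD password may have changed): ask OWA.
    if (!$owaLogin($user, $pass)) {
        return false;
    }
    // Store only a salted one-way hash; the plaintext password is never written.
    $db->prepare('REPLACE INTO auth_cache (username, pw_hash, verified_at) VALUES (?, ?, ?)')
       ->execute([$user, password_hash($pass, PASSWORD_DEFAULT), time()]);
    return true;
}

// Constructed demo: in-memory SQLite cache and a fake OWA check that counts its calls.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth_cache (username TEXT PRIMARY KEY, pw_hash TEXT, verified_at INTEGER)');
$owaCalls = 0;
$fakeOwa = function (string $u, string $p) use (&$owaCalls): bool {
    $owaCalls++;
    return $u === 'jdoe@office1.example.com' && $p === 'constructed-passphrase';
};
authenticate($db, $fakeOwa, 'jdoe', 'constructed-passphrase');  // first login goes to OWA
authenticate($db, $fakeOwa, 'JDoe', 'constructed-passphrase');  // repeat is served from cache
authenticate($db, $fakeOwa, 'jdoe', 'wrong-guess');             // mismatch goes to OWA, fails
printf("OWA requests made: %d of 3 logins\n", $owaCalls);
```

A password changed in AD is still accepted from the cache until its entry expires, so keep the TTL short.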


Comments


    #1 johan on 05/13/09 at 01:26 PM
    I have used the link to log on.
    But is there a way with cURL to do a search and get XML info back?
    For the calendar, for example?
    #2 Brendon Kozlowski on 05/14/09 at 09:00 AM
    johan, unfortunately I'm not much of a whiz at cURL at all, which was why I had to find someone else's code to help me out with it. I believe the code from Tyler Hall (list item #3) has some comments in it to help with getting information from the calendar. I haven't tried any of it though. I unfortunately wouldn't know how to get it to work. As for getting XML data back, it's doubtful. There is no API, this is basically web-scraping the HTML to decipher what is available. Exchange 2007 supposedly has an API but I don't yet know if it's finalized, nor will I even have a chance to mess around with it until late 4th quarter this year when ours is scheduled to be installed. Since I'd imagine you're using Exchange 2003, I don't think you'll have access to any API or XML data return; at least not without a third party tool installed on the exchange server itself (of which I cannot recommend any particular product, I'm simply making an assumption that one might exist somewhere).
    #3 johan on 05/14/09 at 10:33 AM
    You can get XML from the server.
    I have a Perl script that does the job, but I can't get it to work under PHP.
    You run a DAV search, but I am unable to make it work.

    Any point will be great
    #4 Brendon Kozlowski on 05/14/09 at 08:29 PM
    johan:

    Unfortunately I'm not very familiar with Exchange. I do not have access to our server except via the Outlook Web Access page(s). I did not know about WebDAV. With our organization's security policies, I'd imagine our WebDAV is locked down, but I can't verify that at the moment. I did find, thanks to Google, some further code - but I don't think it can be run via PHP (unless PHP is installed on a Windows server, but at that point, I'd have to ask why even use PHP?).

    http://www.msexchange.org/articles/Access-Exchange-2000-2003-Mailbox-WebDAV.html

    Hopefully that will help you. I'm sorry I can't really help any further.
    #5 Subha on 07/28/10 at 05:53 AM
    Dear All,
    I am going to make an iPhone application for email and calendar display, and after a little bit of study I found that it will be done by the OWA, but I didn't get any API. Then I found the above topic, which is done by PHP. I am very much familiar with PHP and cURL. Now my questions are:
    1) Is there any configuration required on the OWA server to get access by this kind of script?

    2) To develop the iPhone application I am using Objective-C, and this process will be a little bit lengthy (see: iPhone -> our server where the cURL script is written -> OWA server). Is there any other alternative way to do this?

    3) Where do I get all the links for getting Inbox, Sent Items, Draft, Calendar, etc.?

    4) How do I get all the information in XML format?


    Please help me....... or you can email me to

    subha[*a]excoflare.com

    *a = @

    Thanks in advance
    Subha
    #5.1 Brendon Kozlowski on 07/30/10 at 12:32 PM
    Hello Subha,

    Unfortunately you would be better off using an Objective-C based approach if your entire application is being built in Objective-C to begin with. Contacting two separate servers to interact with one external exchange server increases chances for failure. With that in mind, hopefully the following link will be of some use to you:

    http://mac.softpedia.com/get/Developer-Tools/OWAParser.shtml

    Also, if you do plan on going the route of scraping HTML using cURL, do keep in mind that each version of Outlook Web Access works differently. You would have to update your code for each version of Exchange.

    You may also want to research ActiveSync technology by Microsoft. If you're able to get licensing support for it, it should theoretically make your life easier.
    #5.1.1 Subha on 09/13/10 at 12:33 AM
    Thank you Brendon,

    It's really a good link that you have provided me. But I am not able to run this or use this. Could you please give me some idea where I will get the documentation for this?

    Thanks
    Subha
    #5.1.1.1 Brendon Kozlowski on 09/15/10 at 06:53 PM
    Hello Subha,

    Unfortunately I'm not overly familiar with Microsoft documentation or protocols. Honestly, I got lucky in finding the script linked to in bullet point #2. Otherwise I wouldn't have been able to accomplish my own task.

    I cannot offer much help on this matter any further. Sorry! I wish you luck!
    #5.1.1.1.1 djcodesa on 04/26/11 at 02:02 PM
    Hi!

    "I found this PHP script that I tested, which successfully contacted our OWA server and authenticated."

    This link is not working.

    Could you post a link to the code, please? I am trying to do something similar.

    Thanks.
    #5.1.1.1.1.1 Brendon Kozlowski on 06/08/11 at 12:02 PM
    Hi there. I've updated the link. The website/domain itself no longer seems to exist. Fortunately I found a copy of it on archive.org.

    Please be aware that these scripts no longer work on OWA versions newer than 2003.
