So I have done a bit of research on the matter. According to this link:
http://technet.microsoft.com/en-us/library/bb232199(EXCHG.80).aspx
In the "Permission for using Outlook...." section it says:
To use Outlook Web Access Web Parts, you must, at a minimum, be delegated "Reviewer" access to the content that you are opening. If you have embedded an Outlook Web Access Web Part that requires authentication into an application, you must pass authentication information through together with the request for the Web Part. One way to do this is by configuring the Outlook Web Access virtual directory to use Integrated Windows authentication. Integrated Windows authentication lets users who have already logged on by using their Active Directory account use Outlook Web Access without having to enter their credentials again.
The sysadmin here does not want to do that since the fallback (if there are not on the right domain and auth fails) for having OWA use integrated security i guess sends a form with the password in plain-text. According to him, have not researched yet.
I have an asp.net MVC4 intranet application in development, and it is using windows authentication. So two questions:
Is there are way to pass credentials to the iframe without messing the the exchange server setting?
If so, how can I do it?
I lied, three questions:
/3. If I had the exchange setting to allow integrated windows auth, and I try to hit the site from a different domain that is not authorized, how does it fall back to a login form, and is it really a security risk?
Here is the iframe code:
<h2>Inbox</h2>
<iframe
src="http://server/exchange/user/?cmd=contents&fpath=inbox"
width="100%"
height="300"
sandbox="allow-scripts allow-same-origin"
seamless
frameborder="0"></iframe>
