Microsoft Exchange 2007 Configuration over Exchange Web Services
Before You Begin
Note that the steps required to configure Exchange Server 2007 differ depending on whether you use Windows Server 2003 or Windows Server 2008.
You must complete the following tasks when configuring access to mailboxes on the Exchange Server 2007. For detailed instructions, see the Exchange Server 2007 documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558(EXCHG.80).aspx.
- Grant Users Permission to Sign in to the Service Account Locally
- Granting Send As Permissions to the Service Account and User Mailboxes
- Granting Impersonation Permissions to the Service Account and User Mailboxes
- Verifying Permissions on the Microsoft Exchange 2007 Account
Tip: The IM and Presence Service only requires impersonation permissions on the account to enable it to log in to that account when it connects to the Exchange Server. This account does not typically receive mail, so you do not need to be concerned about allocating space for it.
Windows Security Policy Settings
IM and Presence Service integration with Microsoft Exchange supports various authentication methods including Windows Integrated authentication (NTLM).
IM and Presence Service supports both NTLMv1 and NTLMv2 Windows Integrated authentication, with NTLMv2 used as the default.
Setting the LAN Manager authentication level to "Send NTLMv2 response only. Refuse LM & NTLM" on the Windows domain controller enforces NTLMv2 authentication across the domain.
Note: IM and Presence Service does not support NTLMv2 session security. Message confidentiality and integrity are provided by secure HTTP (HTTPS).
Verifying Windows Security Settings
Procedure
Step 1: On the Windows domain controller and server(s) running Exchange, choose .
Step 2: Navigate to .
Step 3: Choose Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers.
Step 4: Verify that the Require NTLMv2 session security check box is unchecked.
Step 5: If the Require NTLMv2 session security check box is checked, complete the following steps:
Step 6: To apply the new security settings, reboot the Windows domain controller and server(s) running Exchange.
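The two policies the procedure above inspects in the GUI are stored in the registry, so the check can be scripted and run on the domain controller and on every Exchange server. The following is an added example, not part of the Cisco procedure; the registry paths and value names are Windows' own, and the expectations it encodes (LmCompatibilityLevel 5, "Require NTLMv2 session security" clear) are the ones this page states.

```powershell
# Added example: report the effective NTLM settings this page cares about.
# Run in an elevated PowerShell on the DC and on each Exchange server.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# "Network security: LAN Manager authentication level"
# 0..5; 5 = "Send NTLMv2 response only. Refuse LM & NTLM"
$lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

# "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
# Bit 0x00080000 = Require NTLMv2 session security, bit 0x20000000 = Require 128-bit encryption
$minServer = (Get-ItemProperty -Path "$lsa\MSV1_0" -Name NtlmMinServerSec -ErrorAction SilentlyContinue).NtlmMinServerSec
if ($null -eq $minServer) { $minServer = 0 }   # value absent = no minimum enforced

$requireNtlmV2Session = (($minServer -band 0x00080000) -ne 0)
$require128Bit        = (($minServer -band 0x20000000) -ne 0)

'LmCompatibilityLevel          : {0}' -f $(if ($null -eq $lmLevel) { 'not set (OS default)' } else { $lmLevel })
'NtlmMinServerSec              : 0x{0:X8}' -f $minServer
'  Require NTLMv2 session sec  : {0}' -f $requireNtlmV2Session
'  Require 128-bit encryption  : {0}' -f $require128Bit

if ($lmLevel -ne 5) {
    Write-Warning 'LmCompatibilityLevel is not 5: LM and NTLMv1 responses may still be accepted on this host.'
}
if ($requireNtlmV2Session) {
    Write-Warning '"Require NTLMv2 session security" is set; IM and Presence Service does not support it. Clear it in Group Policy and reboot.'
}
```

Correct the policy through Group Policy (secpol.msc or gpmc.msc, as in Step 1), not by writing the registry directly, or the next policy refresh silently reverts the change. Clearing "Require NTLMv2 session security" removes NTLM's own signing and sealing requirement, so the page's statement that HTTPS supplies confidentiality and integrity is only true if the EWS virtual directory actually requires TLS; scope the relaxed setting to the DC and Exchange servers that need it rather than the whole domain.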
Grant Users Permission to Sign in to the Service Account Locally
Complete one of the following procedures to configure users to log in to the service account locally.
Before you begin
- For Exchange impersonation to work, all Microsoft Exchange servers must be members of the Windows Authorization Access Group.
- The service account should not be a member of any of the Exchange Administrative Groups. Exchange explicitly denies impersonation for all accounts in those groups.
Configuring Microsoft Exchange 2007 on Windows Server 2003
Procedure
Step 1: Log in to the Exchange Server 2007 user interface using a service account that has been delegated the Exchange View Only Administrator role.
Step 2: In the left pane, under Security Settings, navigate to .
Step 3: In the right pane of the console, double-click Allow Log On Locally.
Step 4: Choose Add User or Group, then navigate to the service account that you created and choose it.
Step 5: Choose Check Names, and verify that the specified user is correct.
Step 6: Click OK.
What to do next
Configuring Microsoft Exchange 2007 on Windows Server 2008
Procedure
Step 1: Log in to Exchange Server 2007 using a service account that has been delegated the Exchange View Only Administrator role.
Step 2: Choose Start.
Step 3: Type gpmc.msc.
Step 4: Press Enter.
Step 5: Open the Domain Controller Security Settings window on the Exchange Server.
Step 6: In the left pane, under Security Settings, navigate to .
Step 7: In the right pane of the console, double-click Allow Log On Locally.
Step 8: Ensure that the Define these policy settings check box is checked.
Step 9: Choose Add User or Group and navigate to the service account that you previously created and choose it. Then click OK.
Step 10: Choose Check Names, and verify that the specified user is correct. Then click OK.
Step 11: Click Apply, then click OK in the Allow Log On Locally Properties dialog box.
Step 12: Determine whether your users' SMTP address is alias@FQDN. If it is not, you must impersonate using the user principal name (UPN), which is defined as alias@FQDN.
What to do next
Setting Impersonation Permissions at the Server Level
The command in the following procedure allows you to grant impersonation permissions at the server level. You can also grant permissions at the database, user, and contact levels.
Before you begin
- If you wish to grant the service account rights to access only individual Microsoft Exchange servers, replace Get-OrganizationConfig with the string Get-ExchangeServer -Identity ServerName, where ServerName is the name of the Exchange Server.
Example
Add-ADPermission -Identity (Get-ExchangeServer -Identity exchangeserver1).DistinguishedName -User (Get-User -Identity user | select-object).identity -ExtendedRights Send-As
- Verify that the SMTP address of your users is defined as alias@FQDN. If it is not, you must impersonate the user account using the User Principal Name (UPN).
Procedure
Step 1: Open the Exchange Management Shell (EMS) for command line entry.
Step 2: Run this Add-ADPermission command to add the impersonation permissions on the server.
What to do next: Setting Active Directory Service Extended Permissions for the Service Account
Setting Active Directory Service Extended Permissions for the Service Account
Before you begin
You must set these permissions on the Client Access Server (CAS) for the service account that performs the impersonation.
- If the CAS is located behind a load-balancer, grant the ms-Exch-EPI-Impersonation rights to the Microsoft Exchange 2007 account for all CASs behind the load-balancer.
- If your mailbox servers are located on a different machine to the CASs, grant ms-Exch-EPI-Impersonation rights for the Exchange 2007 account for all mailbox servers.
- You can also set these permissions by using Active Directory Sites and Services or the Active Directory Users and Computers user interfaces.
Procedure
Step 1: Open the Exchange Management Shell (EMS).
Step 2: Run this Add-ADPermission command in the EMS to add the impersonation permissions on the server for the identified service account (for example, Exchange 2007).
Step 3: Run this Add-ADPermission command in the EMS to add the impersonation permissions to the service account on each mailbox that it impersonates:
What to do next: Granting Send As Permissions to the Service Account and User Mailboxes
Granting Send As Permissions to the Service Account and User Mailboxes
Follow this procedure to grant send as permissions to the service account and user mailboxes.
Note: You cannot use the Microsoft Exchange Management Console (EMC) to complete this step.
Procedure
Step 1: Open the Exchange Management Shell (EMS).
Step 2: Run this Add-ADPermission command in the EMS to grant Send As permissions to the service account and all associated mailbox stores:
What to do next: Granting Impersonation Permissions to the Service Account and User Mailboxes
Granting Impersonation Permissions to the Service Account and User Mailboxes
Follow this procedure to grant impersonation permissions to the service account and user mailboxes.
Note: You cannot use the Microsoft Exchange Management Console (EMC) to complete this step.
Procedure
Step 1: Open the Exchange Management Shell (EMS).
Step 2: Run this Add-ADPermission command in the EMS to grant impersonation permissions to the service account on all associated mailbox stores:
Syntax
Example
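The four EMS procedures above (server-level impersonation, extended permissions on the CAS and mailbox servers, Send As, and mailbox-level impersonation) can be applied as one script. The following is an added example and not the page's own command text; the service account name "ex2007svc" is assumed, while the cmdlets and the extended-right names (ms-Exch-EPI-Impersonation, ms-Exch-EPI-May-Impersonate, Send-As) are Exchange 2007's own.

```powershell
# Added example: grant the IM and Presence service account its Exchange 2007 rights.
# Run in the Exchange Management Shell as an Exchange Organization Administrator.
#   ms-Exch-EPI-Impersonation   (server object)   - may use EWS impersonation on that server
#   ms-Exch-EPI-May-Impersonate (database/user)   - whose mailboxes may be impersonated
#   Send-As                     (user object)     - may send mail as that user
$svc = (Get-User -Identity 'ex2007svc').Identity   # assumed service account name

# 1. Server level. Every CAS must be covered, including each node behind a load balancer,
#    and mailbox servers on separate machines get the same right (see "Before you begin").
#    Use Get-ExchangeServer -Identity ServerName instead of the filter to target one server.
Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -or $_.IsMailboxServer } | ForEach-Object {
    Add-ADPermission -Identity $_.DistinguishedName -User $svc -ExtendedRights ms-Exch-EPI-Impersonation
}

# 2. Mailbox level. A grant on a mailbox database covers every mailbox it holds.
#    For a single user instead: -Identity (Get-Mailbox -Identity alice).DistinguishedName
Get-MailboxDatabase | ForEach-Object {
    Add-ADPermission -Identity $_.DistinguishedName -User $svc -ExtendedRights ms-Exch-EPI-May-Impersonate
}

# 3. Send As. This right is evaluated on the recipient's user object, so it is granted per mailbox.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Add-ADPermission -Identity $_.DistinguishedName -User $svc -ExtendedRights Send-As
}
```

Append -WhatIf to each Add-ADPermission on a first run to see the objects it would touch. After this script the account can read and send as every mailbox in the organization, so treat its credential as a tier-0 secret: it needs no mailbox of its own, no interactive logon beyond the local right granted above, and no membership in any Exchange administrative group (which would add an explicit Deny that overrides all of these grants).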
What to do next: Verifying Permissions on the Microsoft Exchange 2007 Account
Verifying Permissions on the Microsoft Exchange 2007 Account
After you have assigned the permissions to the Exchange 2007 account, you must verify that the permissions propagate to the mailbox level and that a specified user can access the mailbox and impersonate the account of another user. On Exchange 2007, it takes some time for the permissions to propagate to mailboxes.
Procedure
Step 1: In the Exchange Management Console (EMC) on Exchange Server 2007, right-click Active Directory Sites and Services in the console tree.
Step 2: Point to View, and then choose Show Services Node.
Step 3: Expand the service node, for example, Services/MS Exchange/First Organization/Admin Group/Exchange Admin Group/Servers.
Step 4: Verify that the Client Access Server (CAS) is listed for the service node that you chose.
Step 5: View the Properties of each CAS, and under the Security tab, verify that:
Step 6: Verify that the service account (for example, Ex2007) has been granted Allow impersonation permission on the storage group and the mailbox store to enable it to exchange personal information and to Send As and Receive As another user account.
Step 7: You may be required to restart the Exchange Server for the changes to take effect. This has been observed during testing.
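The same verification can be done from the Exchange Management Shell, which also catches the one condition the GUI walk-through does not call out: an explicit Deny inherited from an Exchange administrative group, which overrides every Allow. This is an added example, not part of the Cisco procedure; the service account name "ex2007svc" and the sample mailbox "alice" are assumed, while Get-ADPermission, Get-Group and the Exchange 2007 administrative group names are the product's own.

```powershell
# Added example: check the impersonation and Send As grants for the service account.
$svc = 'ex2007svc'   # assumed service account name

function Test-Grant {
    # Print allow / DENY / MISSING for each expected extended right on one AD object.
    param([string]$Label, [string]$Dn, [string[]]$Expected)
    $aces = @(Get-ADPermission -Identity $Dn -User $svc -ErrorAction SilentlyContinue)
    foreach ($right in $Expected) {
        $hits  = @($aces | Where-Object { @($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right })
        $state = if ($hits | Where-Object { $_.Deny })          { 'DENY' }
                 elseif ($hits | Where-Object { -not $_.Deny }) { 'allow' }
                 else                                           { 'MISSING' }
        '{0,-45} {1,-28} {2}' -f $Label, $right, $state
    }
}

# Server level: each CAS (and each node behind a load balancer) needs ms-Exch-EPI-Impersonation.
Get-ExchangeServer | Where-Object { $_.IsClientAccessServer } | ForEach-Object {
    Test-Grant -Label "CAS $($_.Name)" -Dn $_.DistinguishedName -Expected 'ms-Exch-EPI-Impersonation'
}

# Database level: every mailbox database needs ms-Exch-EPI-May-Impersonate.
Get-MailboxDatabase | ForEach-Object {
    Test-Grant -Label "DB $($_.Identity)" -Dn $_.DistinguishedName -Expected 'ms-Exch-EPI-May-Impersonate'
}

# Spot-check one mailbox: Send-As lives on the user object, not on the database.
$mbx = Get-Mailbox -Identity 'alice'   # assumed sample mailbox
Test-Grant -Label "Mailbox $($mbx.Alias)" -Dn $mbx.DistinguishedName -Expected 'Send-As'

# Membership in an Exchange administrative group adds an explicit Deny on impersonation
# that wins over every allow above, even though it never shows up under -User $svc.
$adminGroups = 'Exchange Organization Administrators', 'Exchange Recipient Administrators',
               'Exchange Server Administrators', 'Exchange View-Only Administrators',
               'Exchange Public Folder Administrators'
foreach ($g in $adminGroups) {
    $grp = Get-Group -Identity $g -ErrorAction SilentlyContinue
    if ($grp -and ($grp.Members | Where-Object { $_.Name -eq $svc })) {
        Write-Warning "$svc is a member of '$g'; Exchange denies impersonation to that group. Remove it."
    }
}
```

A MISSING result immediately after granting is expected until Active Directory replication completes, which is the propagation delay the section above mentions; re-run the check rather than re-granting. A DENY result will not clear by adding more Allow entries; remove the account from the administrative group and re-check.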
What to do next: Enable Authentication on the Exchange Virtual Directories
Enabling Authentication on Exchange 2007 Running Windows Server 2003