Programming4us
         
 
 
Applications Server

Exchange Server 2003 : Virtual Servers - Configuring Authentication

5/27/2011 11:37:04 AM

Configuring Virtual Server Authentication Methods

Authentication ensures that the user is who he or she claims to be. More powerful authentication methods such as Kerberos ensure that the e-mail server is authenticated in addition to the user. Encryption ensures that only the recipient for whom a message is intended can read it.

Authentication

Exchange supports three methods of user authentication. These are anonymous authentication, basic authentication, and Integrated Windows Authentication.

Anonymous Authentication

This is the most common method used for Internet communication and provides limited access to specific public folders and directory information. Anonymous authentication is supported by all clients and is used to allow users to access unsecured content in public folders.

Basic Authentication

Exchange performs simple challenge and response authentication by requiring that users enter their user name, domain name, and password to gain access to mailbox data. Most client computers support basic authentication. This method provides the simplest level of security.

Important

Basic authentication sends a user’s name and password as clear text. Therefore, it is insecure. Basic authentication should not be used unless there is no alternative or unless the entire TCP/IP session is encrypted.


Integrated Windows Authentication

This method offers security, efficient communication, and transparency. You can use Integrated Windows Authentication when you have Windows-based clients that do not use encryption. This method uses Kerberos for clients running Windows 2000 Server or later, and new technology local area network (LAN) manager (NTLM) for Windows clients that are not running Active Directory. When you use Integrated Windows Authentication, the password is sent as an encrypted value.

Encryption

Encryption scrambles the contents of an e-mail message into a code that can only be read by the person who has the key to decode it on his or her computer. Authentication does not encrypt message data. Therefore, to make your data truly secure, you should encrypt e-mail messages transferred between the client and the server. Because TLS and SSL encrypt the entire TCP/IP session between the client and the server, the session is secure even if you chose a logon authentication method, such as basic authentication, that does not encrypt the user name and password.

HTTP, POP3, IMAP4, and NNTP virtual servers can use SSL encryption. SMTP virtual servers use TLS, which is a development of SSL. To use encryption, a virtual server must have a certificate issued by a trusted CA.

Tip

Remember that encryption scrambles the message. It is not an authentication method and does not authenticate the user. Remember also that encryption can be specified on a virtual server only if basic authentication is enabled. Finally, remember that encryption can be implemented only if a certificate is obtained. Some dialog boxes let you check the encryption setting before you obtain the certificate, but this has no effect until the certificate is installed.


Other Authentication Methods

Some POP3 and IMAP4 clients use Simple Authentication and Security Layer (SASL) authentication. This authentication method uses Kerberos or NTLM to authenticate hosts. SASL can be specified on POP3 and IMAP4 virtual servers on back-end Exchange Server 2003 servers.

You can specify digest authentication on HTTP virtual servers. This authenticates Windows domain servers rather than users. The settings on the Exchange virtual server (the default HTTP virtual server) also let you specify Microsoft .NET Passport authentication.

Supported Authentication Methods

Available authentication methods can vary, depending both upon the type of virtual server and upon whether the Exchange server is configured as a back-end or a front-end server. Table 1 gives the details.

Table 1. Supported Authentication Methods
Virtual server protocolExchange server configurationSupported authentication methods
POP3 and IMAP4Back-endBasic SASL
HTTPBack-endAnonymous

Basic

Digest

Integrated Windows Authentication

.NET Password (Exchange virtual server only)
NNTP and SMTPBack-end and front-endAnonymous

Basic

Integrated Windows Authentication
POP3 and IMAP4Front-endBasic (cannot be changed)
HTTPFront-endAnonymous

Basic

Digest

.NET Password (Exchange virtual server only) Integrated Windows Authentication (Exchange virtual server only)

Encryption can be configured on virtual servers on both back-end and front-end Exchange servers. Typically, encryption is configured on front-end servers that connect to the Internet. TLS encryption can be used on SMTP virtual servers, and SSL encryption on all other types of virtual servers. Both types of encryption require a certificate.

Configuring Client Access to Virtual Server Protocols

Exchange Server 2003 supports HTTP and WebDAV to provide enhanced functionality for HTTP clients retrieving and manipulating information in Web storage systems. You can also configure an HTTP virtual server to support OWA and allow clients to access e-mail, calendar information, shared applications, and any content in the public folder store, simply and efficiently by using a Web browser.

IMAP4 clients can access mail in an Exchange mailbox without downloading the entire mailbox to a specific computer. Exchange uses NNTP to enable Outlook users to participate in online discussions over the Internet. Exchange also enables users running client applications that support NNTP to access newsgroup public folders on computers running Exchange.

Exchange allows POP3 clients to access user inboxes on Exchange. However, POP3 users cannot access other public or private folders. POP3 is not intended to provide full manipulation of mail on the server. Although messages can be left on the server, mail is usually downloaded to a user’s computer and then deleted.

To configure POP3 and IMAP4 clients, you need to create a mailbox-enabled user, specify account information on the client, and set per-user options.

Practice: Obtaining, Installing, and Associating a Certificate for an IMAP4 Virtual Server on a Front-End Exchange Server

This procedure is used to obtain, associate, and install an encryption certificate on the default IMAP4 virtual server on the front-end Exchange server, Server02. The same procedure can be used to obtain, install, and associate a certificate on the following virtual servers:

  • An IMAP4 virtual server on a back-end Exchange server

  • A POP3 virtual server on either a front-end or a back-end Exchange server

  • An NNTP virtual server on either a front-end or a back-end Exchange server

  • An SMTP virtual server on either a front-end or a back-end Exchange server

To obtain, install, and associate a certificate on an HTTP virtual server on either a front-end or a back-end Exchange server, you need to access the Web Server Certificate Wizard by using the IIS Manager console rather than Exchange System Manager.

To obtain, install, and associate a certificate, perform the following ssteps:

1.
Start Exchange System Manager.

2.
Navigate to Administrative Groups\First Administrative Group\Servers\Server02\Protocols\IMAP4.

3.
Right-click Default IMAP4 Virtual Server, and then click Pause.

4.
Right-click Default IMAP4 Virtual Server, and then click Properties.

5.
On the Access tab, click Certificate.

6.
To request a new certificate, complete the Web Server Certificate Wizard. When prompted, select the Create A New Certificate option. Because there is a CA in your domain, you can obtain the certificate immediately.

7.
Click Apply to save your settings.

8.
To install the certificate, click Certificate again.

9.
Complete the Web Server Certificate Wizard again. This time, select Assign An Existing Certificate when prompted.

10.
To associate the certificate and require a secure channel, click Communication on the Access tab.

11.
Click Require Secure Channel.

12.
If 128-bit encryption is supported on the computer hosting the IMAP4 virtual server, click Require 128-bit Encryption.

13.
Click OK to close the virtual server Properties dialog box.

14.
Restart the virtual server.

Note

You do not need to obtain a certificate every time you want to enable encryption on a virtual server. If you have obtained a certificate for one virtual server on your Exchange server, you can use the Web Server Certificate Wizard to assign it to other virtual servers.


Practice: Configuring Authentication

This procedure is the same for all virtual servers, except for the options that can be set. For the HTTP default virtual server, you use the IIS Manager console to access the Authentication sheet through the Directory Security tab of the Exchange Properties box, but otherwise the procedure is identical.

Exercise 1: Configure Authentication on Virtual Servers on a Back-End Exchange Server

To configure authentication, perform the following steps:

1.
Start Exchange System Manager.

2.
Navigate to Administrative Groups\First Administrative Group\Servers\Server01\Protocols.

3.
Expand HTTP, NTTP, POP3, IMAP4, and SMTP.

4.
Right-click any virtual server except the Exchange virtual server (the HTTP default virtual server), and then click Pause.

5.
Right-click the paused virtual server, and then click Properties.

6.
On the Access tab, click Authentication.

7.
Specify the authentication settings. Figures 2 through 5 show the available options.

Figure 2. Authentication options for an additional HTTP virtual server on a back-end Exchange server


Figure 3. Authentication options for POP3 and IMAP4 virtual servers on a back-end Exchange server


Figure 4. Authentication options for an NNTP virtual server


Figure 5. Authentication options for an SMTP virtual server


8.
Click OK to close the virtual server Properties dialog box.

9.
Restart the virtual server.

Exercise 2: Configure Authentication on the Default HTTP Virtual Server on a Front-End Exchange Server

The purpose of this exercise is to describe the use of the IIS Manager console to configure authentication settings on a default HTTP virtual server. The procedure also illustrates the difference between HTTP virtual servers on a back-end and on a front-end Exchange server.

1.
Start the IIS Manager console on Server02.

2.
Expand Internet Information Services\Server02\Web Sites\Default Web Site \Exchange.

3.
Right-click Default Web Site, and then click Pause.

4.
Right-click Exchange, and then click Properties.

5.
In the Authentication And Access Control section on the Directory Security tab, click Edit.

6.
Configure the settings as required. As shown in Figure 6, Integrated Windows Authentication and .NET Passport authentication are available on an Exchange virtual server on both front-end and back-end Exchange servers.

Figure 6. Authentication options for an Exchange virtual server on a front-end or back-end Exchange server


However, on an additional HTTP server on a front-end Exchange server, these options are not available. Figure 7 shows the authentication settings available in this case.

Figure 7. Authentication options for an additional HTTP virtual server on a front-end Exchange server


7.
Click OK to close the Authentication dialog box.

8.
Click OK to close the Exchange Properties dialog box.

9.
Restart the default Web site.

Exercise 3: Examine Authentication Settings on a POP3 Virtual Server on a Front-End Exchange Server

The purpose of this exercise is to examine the Authentication dialog box on a POP3 virtual server on a front-end Exchange server. The Authentication dialog box on an IMAP4 virtual server on a front-end Exchange server looks exactly the same.

To examine authentication settings, perform the following steps:

1.
Start Exchange System Manager.

2.
Navigate to Administrative Groups\First Administrative Group\Servers\Server02\Protocols\POP3.

3.
Right-click Default POP3 Virtual Server, and then click Properties.

4.
On the Access tab, click Authentication.

5.
The Authentication dialog box is shown in Figure 8. Note that on a front-end server, basic authentication is specified and cannot be changed. The only configuration possible is to enable encryption.

Figure 8. Authentication dialog box for a POP3 virtual server on a front-end Exchange server


6.
Click OK to close the virtual server dialog box.
Other -----------------
- Exchange Server 2003 : Configuring Virtual Server Settings
- Overview of Exchange Server 2003 Virtual Servers
- Microsoft Exchange Server 2003 : Public Folder Security
- Microsoft Exchange Server 2003 : Administering Public Folders
- BizTalk 2010 Recipes : Business Rules Framework - Deploying and Undeploying Policies
- BizTalk 2010 Recipes : Business Rules Framework - Calling the Business Rules Engine from an Orchestration
- BizTalk 2010 Recipes : Business Rules Framework - Calling the Business Rules Engine from dot NET
- BizTalk 2010 Recipes : Business Rules Framework - Creating Custom Fact Retrievers
- BizTalk 2010 Recipes : Business Rules Framework - Setting Rule Priorities
- BizTalk 2010 Recipes: Business Rules Framework - Creating Facts
- BizTalk 2010 Recipes: Business Rules Framework - Creating and Testing Rules
- BizTalk 2010 Recipes: Business Rules Framework - Creating a Business Policy
- Exchange Server 2003 : Creating Public Folders (part 2)
- Exchange Server 2003 : Creating Public Folders (part 1)
- Exchange Server 2003 : Creating and Managing Address Lists and Recipient Policies (part 3) - Working with Offline Address Lists & Creating and Applying Recipient Policies
- Exchange Server 2003 : Creating and Managing Address Lists and Recipient Policies (part 2) - Administering Address Lists
- Exchange Server 2003 : Creating and Managing Address Lists and Recipient Policies (part 1) - Creating and Modifying Address Lists
- Microsoft Exchange Server 2003: Configuring Information Stores (part 2) - Moving Exchange Server 2003 Storage Groups and Databases
- Microsoft Exchange Server 2003: Configuring Information Stores (part 1) - Adding Storage Groups and Databases
- Microsoft Exchange Server 2003: Configuring Recipient Objects (part 9) - Managing Mail-Enabled Groups
 
 
Most View
- Windows Server 2008 : Configuring IIS Security (part 9)
- Performing On-Demand Exchange Server 2003 Monitoring and Maintenance
- Identity and Access Management : IAM Practices in the Cloud (part 2) - Federated Identity
- Windows Server 2008 : Configuring FTP (part 10) - Configuring FTP SSL Settings
- LINQ to Objects : Writing Basic Queries - Query Syntax Style Options
- Active Directory Domain Services 2008: Disable the Directory Service Changes Auditing Subcategory
- Windows Phone 7 : Saving Pictures to Your Phone
- Migrating Databases and Data to SQL Azure (part 1) - Generate and Publish Scripts Wizard
- Windows Phone 7 : Seeing What’s Nearby
- User-Level Security : Authorization and Impersonation (part 4) - Impersonation
Top 10
- Implementing Edge Services for an Exchange Server 2007 Environment : Utilizing the Basic Sender and Recipient Connection Filters (part 3) - Configuring Recipient Filtering
- Implementing Edge Services for an Exchange Server 2007 Environment : Utilizing the Basic Sender and Recipient Connection Filters (part 2)
- Implementing Edge Services for an Exchange Server 2007 Environment : Utilizing the Basic Sender and Recipient Connection Filters (part 1)
- Implementing Edge Services for an Exchange Server 2007 Environment : Installing and Configuring the Edge Transport Server Components
- What's New in SharePoint 2013 (part 7) - BCS
- What's New in SharePoint 2013 (part 6) - SEARCH
- What's New in SharePoint 2013 (part 6) - WEB CONTENT MANAGEMENT
- What's New in SharePoint 2013 (part 5) - ENTERPRISE CONTENT MANAGEMENT
- What's New in SharePoint 2013 (part 4) - WORKFLOWS
- What's New in SharePoint 2013 (part 3) - REMOTE EVENTS