XFOR: Enabling SSL For Exchange Server

ID: Q175439


The information in this article applies to:
  • Microsoft Exchange Server, versions 5.0, 5.5


SUMMARY

To accept logons from Internet clients, the Microsoft Exchange Server computer must be configured to accept the authentication method supported by the client. This article addresses how to enable the Exchange Server to accept Secure Sockets Layer (SSL) authentication.

Check your client's documentation to determine what authentication methods it supports and how to configure the client to use authentication.

See the "More Information" section for an overview of SSL.


MORE INFORMATION

Take the following steps to enable Exchange Server to accept SSL authentication:

  1. Ensure that Microsoft Windows NT version 4.0 is installed and that Service Pack 3 is applied.

  2. Install Microsoft Internet Information Server (IIS) version 3.0 or later PRIOR to installing Exchange Server. This step is critical. If IIS is not installed prior to Exchange Server, the protocols supported by Exchange Server will not be available in the IIS Key Manager.

  3. Install Exchange Server version 5.0 or later. Select the Authentication settings for each protocol for which you want to install certificates.

    1. In the Exchange Server Administrator program, expand the Configuration container, and click the Protocols object.

    2. Select the appropriate protocol (for example, POP3, NNTP, LDAP) by double-clicking its associated icon.

    3. In the protocol's property pages, click the Authentication tab, and set the authentication levels.

    4. Click OK to save the settings.

  4. Using the IIS Key Manager, create a key request.

    1. Start the Key Manager included with Internet Information Server.

    2. Locate the Exchange Server icon, and click the appropriate protocol (for example, POP3, NNTP, LDAP).

    3. On the menu, click Key, and then click Create New Key.

    4. Type the appropriate information in the fields. Click OK to save the information to a request file.

    5. Send the key request to a certificate distribution company (such as Verisign) to obtain a certificate for the server.

  5. Using the IIS Key Manager, install the SSL certificate.

    1. After obtaining the certificate, start the Key Manager included with Internet Information Server.

    2. Locate the Exchange Server icon, and click the appropriate protocol (for example, POP3, NNTP, LDAP).

    3. On the menu, click Key, and then click Install Key Certificate.

    4. Select the certificate file sent by the certificate vendor. If you are running IIS 4.0, you must specify the server IP address or specify to bind the certificate to "Default."

    5. On the menu, click Servers, and click Commit Changes Now.

The SSL authentication method uses public/private key technology to ensure privacy. The SSL protocol resides at the Open Systems Interconnection (OSI) presentation layer and moves data from the application layer to the TCP transport layer. It is responsible for authentication, encryption, and verification of data integrity.

The authentication function assures that the data is being sent to the correct server and that the server is secure. Encryption ensures that data cannot be read by anyone other than the target server. Data integrity ensures that the data has not been corrupted or altered in transit.

Client Obtains Server Certificate

The client and server introduce themselves to each other with HELO/EHLO messages (for SMTP/ESMTP respectively) and exchange information containing the encryption method to use, session information, server certificate (containing the server's public key), and random data.

Client Verifies Server

The client verifies that the server certificate is from a certifying authority and then uses it to send a message to authenticate the server (to verify it is who it claims to be). If the server does not pass the authentication, the client typically informs the user that the server is not who it claims to be.

Client/Server Determine Encryption Key to Use for This Session

If the server replies back successfully, the client and server create a random secret key (referred to as the Master Key in the SSL specification) from the random data exchanged and the encryption method specified (such as RSA).

Data Encrypted with Agreed Upon Key

All data sent over the SSL channel is encrypted with the secret key.

Additional query words: SSL POP3 Authentication NTOP4

Keywords : XFOR exc5 exc55
Version : winnt:5.0,5.5
Platform : winnt
Issue type : kbhowto


Last Reviewed: January 18, 2000
© 2000 Microsoft Corporation. All rights reserved.