HOWTO: Configure an Exchange Mailbox for Anonymous Access

ID: Q195681


The information in this article applies to:
  • Collaboration Data Objects (CDO), versions 1.1, 1.2, 1.21


SUMMARY

This article describes how to configure a Microsoft Internet Information Server (IIS) using anonymous authentication to access a Microsoft Exchange Server mailbox. The primary purpose of this is to allow users who do not have an NT account on your network to send mail using your Microsoft Exchange Server.


MORE INFORMATION

The problem you face is that Exchange requires an NT account against which to authenticate a user before it will allow access to any server resources. In the case of an Internet application in which you grant anonymous access to your Web site, you need to configure IIS and Microsoft Exchange Server to be able to send mail from an "anonymous" Exchange mailbox.

Configuring an NT Account

The following steps assume that you have the required permissions for adding new users to the selected domain.
  1. Open the User Manager for Domains.


  2. Note the domain in the title bar of the application. If this is not the domain to which you want to add a new user, select "Select Domain" from the User Manager. The domain named in the title bar of the application is the one that "YourDOMAIN" stands for throughout this example.


  3. Select New User from the User menu. Set the following properties:
    
          Username:          AnonUser
          Full Name:         Anonymous User
          Description:       For anonymous Web access
          Password:          Fill in an appropriate password
          Confirm Password:  Repeat password
    
          User Must Change
          Password at Next
          Logon:             OFF
    
          User Cannot
          Change Password:   ON*
    
          Password Never
          Expires:           ON*
    
          Account Disabled:  OFF
    
          Groups -
            Member of:       Domain Users and Domain Guests
            Profiles:        User Profiles or Home Directory settings
                             are not required.
            Hours:           No settings are required
            Logon to:        Set as appropriate
    
          Account
            Account Expires:  Never
            Account Type:     Global Account for regular user accounts
                              in the domain
          Dial-in
            Grant dialin
            permissions
            to user           OFF
    
          Call Back           No Call Back

    * NOTE: You may set these values to OFF. If you set these values to OFF, you need to make sure to keep the password stored in IIS synchronized with the password of the NT account.


  4. Choose Add. If you have configured your server to automatically create an Exchange account, the Exchange User Properties dialog box appears. If the dialog box does not appear, you need to open the "Microsoft Exchange Administrator" and create a new mailbox. Follow the steps in the next section for setting up this mailbox.


  5. Before or after creating the new mailbox, select User Rights from the Policies menu in the User Manager. Select "Log on Locally" from the drop-down menu on the right. Choose Add, and add the "AnonUser" account. The user you created now has rights to log on locally to the IIS server.


Configuring a Mailbox

Open your Microsoft Exchange Administrator and configure a new mailbox as follows. These steps assume that you have the required permissions on Microsoft Exchange Server to create new mailboxes.
  1. Select "New Mailbox" from the File menu. If you already have the Exchange User Properties dialog box, you may skip to Step 2.


  2. Fill in the following properties on the General Tab:
    
          First Name:          Anonymous
          Last Name:           User
          Display:             Anonymous User
          Alias:               AnonUser
          Primary NT Account:  YourDOMAIN\AnonUser 
    where the primary NT Account indicates the domain and user account configured in the previous section.


Configuring the Virtual Directory

  1. Start the Internet Service Manager (Microsoft Management Console).


  2. Right-click on the Web from which you want to allow anonymous mail to be sent.


  3. Select the "Directory Security" tab.


  4. Choose "Edit" for "Anonymous Access and Authentication Control."


  5. Turn on the "Allow Anonymous" option and choose "Edit."


  6. Turn off "Enable Automatic Password Synchronization."


  7. Enter the DOMAIN\UserID in the appropriate text box (such as YourDOMAIN\AnonUser in this example). This should be the domain account that you created earlier in this article.


  8. Enter the user's password in the Password text box and repeat.


  9. Click "OK" until you have closed all dialog boxes.


Summary of How It Works

Your system should now be configured to allow an anonymous user to send mail from your Exchange server. When a user accesses the Web, the following events occur:
  1. IIS determines that "Anonymous" authentication is in use. IIS assigns the new session to the account you specified when configuring the virtual directory ("YourDOMAIN\AnonUser" in this example).


  2. The application requests the use of an Exchange Server resource.


  3. The Exchange server challenges the application to authenticate itself. It does this by passing it a random value.


  4. IIS uses the account from step 1 ("YourDOMAIN\AnonUser") and the user's password (stored in IIS) to generate a hash from the random value.


  5. IIS passes the account and the hash back to Exchange.


  6. Exchange Server sends the account ("YourDOMAIN\AnonUser"), the hash, and the original random value to a Primary or Backup Domain Controller.


  7. The Domain Controller generates its own hash from the account and random value that Exchange passed to it.


  8. The Domain Controller compares the hash it generated to the hash that Exchange passed to it. If the values are the same, the Domain Controller tells Exchange to allow the user access to the resource.

As you can see, the critical step is providing IIS with an account under which to load the application, along with the correct credentials for that account. If the system is not configured properly, the application will not be granted access to the Exchange resource.
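
The challenge/response sequence in steps 3 through 8, as an added example that is not part of the original article or any Microsoft code. HMAC-SHA256 stands in for the actual NTLM hash computation, and the class names, function names and passwords are constructed for illustration; the second run shows the failure case behind the NOTE above, where the password stored in IIS no longer matches the NT account.

```python
import hashlib
import hmac
import secrets

def response(password: str, challenge: bytes) -> bytes:
    # Steps 4 and 7: hash the random value with a password-derived key.
    # Assumption: SHA-256/HMAC is a stand-in, not the real NTLM derivation.
    key = hashlib.sha256(password.encode("utf-16-le")).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self, accounts):
        self.accounts = accounts  # account name -> current NT account password

    def verify(self, account, challenge, client_hash):
        # Steps 7-8: recompute the hash and compare it to the forwarded one.
        password = self.accounts.get(account)
        if password is None:
            return False
        return hmac.compare_digest(response(password, challenge), client_hash)

class IIS:
    def __init__(self, anon_account, stored_password):
        # Account and password entered when configuring the virtual directory.
        self.anon_account = anon_account
        self.stored_password = stored_password

    def answer(self, challenge):
        # Steps 4-5: return the configured account and the computed hash.
        return self.anon_account, response(self.stored_password, challenge)

class Exchange:
    def __init__(self, dc):
        self.dc = dc

    def grant_access(self, iis):
        challenge = secrets.token_bytes(8)            # step 3: random value
        account, client_hash = iis.answer(challenge)  # steps 4-5
        return self.dc.verify(account, challenge, client_hash)  # steps 6-8

def demo():
    account = r"YourDOMAIN\AnonUser"
    dc = DomainController({account: "Constructed-Pass-1"})  # constructed data
    exchange = Exchange(dc)
    in_sync = exchange.grant_access(IIS(account, "Constructed-Pass-1"))
    # The NT account password changes while the copy in IIS is left stale.
    dc.accounts[account] = "Constructed-Pass-2"
    stale = exchange.grant_access(IIS(account, "Constructed-Pass-1"))
    return in_sync, stale

if __name__ == "__main__":
    print(demo())
```

The password itself never crosses the wire in this flow; only the account name, the random value and the hash do, which is why a stale password in IIS shows up as a denied request rather than as a logon error on the Web server.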



REFERENCES

Please see the following articles in the Microsoft Developer Network (MSDN) Library:

  • Getting Started with ASP Messaging


  • Implementing a Secure Site with ASP


  • Authentication and Security for Internet Developers


Keywords : kbCDO110 kbCDO120 kbCDO121 kbXchge kbMsg kbfaq kbGrpMsg
Version : WINDOWS:1.1,1.2,1.21
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: December 2, 1999
© 2000 Microsoft Corporation. All rights reserved.