Microsoft Exchange for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
Configure Microsoft Exchange Server 2003 and 2007 to Integrate with the IM and Presence Service over WebDAV


Note


This module describes the integration of the IM and Presence Service with Exchange Server 2003 and 2007 over WebDAV. If you are integrating with Exchange Server 2007 or 2010 over Exchange Web Services (EWS), see Configure Exchange Server 2007 and Later to Integrate with the IM and Presence Service over Exchange Web Services. For an overview of each type of Exchange integration, we recommend that you review Planning for IM and Presence Service Integration with Microsoft Exchange.


Microsoft Exchange 2003 Configuration over WebDAV

You must complete the following tasks when configuring access to mailboxes on the Exchange Server 2003.

For detailed instructions, see the Microsoft Exchange Server 2003 documentation at the following URL: http://technet.microsoft.com/en-us/library/bb123872(EXCHG.65).aspx


Tip


  • If the characters ~, #, %, +, &, |, *, or / are part of a user's email address, then Exchange calendar integration using WebDAV does not work for that user.
  • If you receive an error message in the Exchange Server Status area of the Presence Gateway Configuration window that indicates the Exchange Server is unreachable but that the certificate is configured properly, then the Receive-As account is configured improperly. You must recreate the account following the procedures in this section.

Windows Security Policy Settings

IM and Presence Service integration with Exchange supports various authentication methods including Windows Integrated authentication (NTLM).


Note


The IM and Presence Service supports NTLMv1 Windows Integrated authentication only and does not currently support NTLMv2.


Some Windows network security policies allow NTLMv2 authentication only, which prevents the integration between the IM and Presence Service and Exchange from functioning (both WebDAV and EWS). You must verify that NTLMv2 authentication is not enabled on each Windows server running Exchange. If NTLMv2 authentication is enabled, disable the setting and reboot the server to properly apply the new security setting.

Complete the following procedure to verify the current value of NTLM authentication and, if necessary, to disable NTLMv2 authentication.

Verifying Windows Security Settings

Procedure
    Step 1   On the Windows Server running Exchange, choose Start > Administrative Tools > Local Security Policy.
    Step 2   Navigate to Security Settings > Local Policies > Security Options.
    Step 3   Choose Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers.
    Step 4   Verify that the Require NTLMv2 session security check box is unchecked.
    Step 5   If the Require NTLMv2 session security check box is checked, complete the following steps:
    1. Uncheck the check box Require NTLMv2 session security.
    2. Click OK.
    Step 6   Reboot the Windows Server running Exchange to apply the new security settings.

Adding a New Service Account as a Member of the Exchange View Only Administrator Security Group

An administrator account may already be configured on the Microsoft Exchange Server. It is recommended that you create a separate administrator account for Exchange integration, as the default administrator configuration may not allow you to log in to other user accounts on the Exchange Server.

Procedure
    Step 1   On the Exchange Server, in Active Directory Users and Computers (ADUC), complete the following tasks:
    1. Create a new service account.
    2. Create a new security group and name it Exchange View Only Administrator.
    3. Right-click the Exchange View Only Administrator group that you created, and choose Properties.
    4. Under the Members tab, add the service account that you created to the group.
    Step 2   On the Exchange Server, open System Manager and under Administrative Groups, navigate to the Exchange View Only Administrator group.
    Step 3   Right-click the group and choose Delegate Control to start the Exchange Administration Delegation Wizard.
    Step 4   Click Add, then navigate to the group that you created and choose it.
    Step 5   Assign the Exchange View Only Administrator role to the group.
What to Do Next

Delegating Exchange View Only Administrator Control to the User Account

Delegating Exchange View Only Administrator Control to the User Account

In a Microsoft Exchange 2003 environment, you must delegate “Exchange View Only Administrator” permissions to the user account to allow only administrators (with Exchange View Only permissions) to log in to the user accounts on the Exchange Server and view the Exchange configuration.

A user account is a standard Windows account used by a regular Exchange user.

Procedure
    Step 1   Log in to the Exchange Server user interface and create a new user account.
    Step 2   Open System Manager and under Administrative Groups, navigate to the administrative group to which you want to add the account that you created.
    Step 3   Right-click the group and choose Delegate Control to start the Exchange Administration Delegation wizard.
    Step 4   Click Add, navigate to the user account that you created, and choose it.
    Step 5   Assign the Exchange View Only Administrator role to the account.

What to Do Next

Granting Receive-As Permissions on User Mailboxes

Granting Receive-As Permissions on User Mailboxes

The IM and Presence Service requires additional Receive-As account permissions to inspect the calendars of users on the Microsoft Exchange Server. We recommend that you assign this permission at a higher level (such as the mail storage group) to enable read-only access to all the mailboxes in the mail storage group.

Procedure
    Step 1   On the Exchange Server, open the System Manager.
    Step 2   Under Administrative Groups, navigate to First Administrative Group > Servers > First Server > Mailbox Store.
    Step 3   Right-click the mailbox store, and choose Properties. Under the Security tab, enter the name of the account that needs access to calendaring information.
    Note    The IM and Presence Service only requires Receive-As permissions on the account to enable it to log in to that account when it connects to the Exchange Server. This account does not typically receive mail, so you do not need to be concerned about allocating space for it.

What to Do Next

Verifying Permissions on the Microsoft Exchange 2003 Account

Verifying Permissions on the Microsoft Exchange 2003 Account

Follow this procedure to verify the permissions on the Exchange 2003 account.

Before You Begin

This procedure applies to Exchange Server 2003 SP1 and later releases.

Procedure
    Step 1   Use Internet Explorer to connect to the following URL:

    https://server/exchange/user@domain

    where server = the server name, user = a user name (a user other than the Receive-As account), and domain = the Exchange domain.

    Step 2   Log in using the Receive-As credentials. If these credentials allow you to access the OWA account, this verifies that the permissions have propagated successfully to the Exchange Server.

What to Do Next

Configuring the Presence Gateway for Microsoft Exchange Integration

Microsoft Exchange 2007 Configuration over WebDAV

You must complete the following tasks when configuring access to mailboxes on the Exchange 2007 Server.

For detailed instructions, see the Exchange Server 2007 documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558(EXCHG.80).aspx


Tip


  • If the characters ~, #, %, +, &, |, *, or / are part of a user's email address, then Exchange calendar integration using WebDAV does not work for that user.
  • If you receive an error message in the Exchange Server Status area of the Presence Gateway Configuration window that indicates the Exchange Server is unreachable but that the certificate is configured properly, then the Receive-As account is configured improperly. You must recreate the account following the procedures in this section.

Windows Security Policy Settings

IM and Presence Service integration with Microsoft Exchange supports various authentication methods including Windows Integrated authentication (NTLM).


Note


The IM and Presence Service supports NTLMv1 Windows Integrated authentication only and does not currently support NTLMv2.


Some Windows network security policies allow NTLMv2 authentication only, which prevents the integration between the IM and Presence Service and Exchange from functioning (both WebDAV and EWS). You must verify that NTLMv2 authentication is not enabled on each Windows server running Exchange. If NTLMv2 authentication is enabled, disable the setting and reboot the server to properly apply the new security setting.

Complete the following procedure to verify the current value of NTLM authentication and, if necessary, to disable NTLMv2 authentication.

Verifying Windows Security Settings

Procedure
    Step 1   On the Windows Server running Exchange, choose Start > Administrative Tools > Local Security Policy.
    Step 2   Navigate to Security Settings > Local Policies > Security Options.
    Step 3   Choose Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers.
    Step 4   Verify that the Require NTLMv2 session security check box is unchecked.
    Step 5   If the Require NTLMv2 session security check box is checked, complete the following steps:
    1. Uncheck the Require NTLMv2 session security check box.
    2. Click OK.
    Step 6   Reboot the Windows Server running Exchange to apply the new security settings.
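The Local Security Policy procedure above appears twice in this chapter (once for Exchange 2003, once for Exchange 2007) and has to be repeated on every Exchange server. The following PowerShell script is an added example, not part of the Cisco document, that reads the LSA registry values those policy settings write so the same check can be scripted and its result recorded. The registry paths and bit values are documented Windows settings; the function names, the output fields and the "compatible" verdict are this example's own. Run it in an elevated PowerShell prompt on the Exchange server.

```powershell
# Added example, not part of the Cisco document. Reads the LSA registry values
# that the Local Security Policy settings above write, so the NTLM check can be
# scripted on every Exchange server instead of clicked through. Registry paths
# and bit values are documented Windows settings; the function names are this
# example's own. Run in an elevated PowerShell prompt on the Exchange server.

$Msv1Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Bit flags of "Network security: Minimum session security for NTLM SSP based
# (including secure RPC) servers" (registry value NtlmMinServerSec).
$RequireNtlmv2SessionFlag = 0x00080000   # "Require NTLMv2 session security" check box
$Require128BitFlag        = 0x20000000   # "Require 128-bit encryption" check box

function Get-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Default)
    # Return the stored DWORD, or the supplied default when the value is absent
    # (the policy has never been set on this server).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $Default }
    return [int]$item.$Name
}

function Test-NtlmServerPolicy {
    # Default 0 = no minimum session security, the Windows Server 2003 default.
    $minServerSec = Get-RegistryDword -Path $Msv1Path -Name 'NtlmMinServerSec' -Default 0
    # "Network security: LAN Manager authentication level". Level 5 refuses LM and
    # NTLM(v1) entirely, which would also break the integration. Default 2 is the
    # Windows Server 2003 default.
    $lmLevel = Get-RegistryDword -Path $LsaPath -Name 'LmCompatibilityLevel' -Default 2

    $requiresV2Session = ($minServerSec -band $RequireNtlmv2SessionFlag) -ne 0
    $refusesNtlmv1     = $lmLevel -ge 5

    $result = New-Object PSObject
    $result | Add-Member NoteProperty ComputerName $env:COMPUTERNAME
    $result | Add-Member NoteProperty NtlmMinServerSec ('0x{0:X8}' -f $minServerSec)
    $result | Add-Member NoteProperty RequireNtlmv2SessionSecurity $requiresV2Session
    $result | Add-Member NoteProperty Require128BitEncryption (($minServerSec -band $Require128BitFlag) -ne 0)
    $result | Add-Member NoteProperty LmCompatibilityLevel $lmLevel
    $result | Add-Member NoteProperty RefusesNtlmv1 $refusesNtlmv1
    # The IM and Presence Service authenticates with NTLMv1 only, so both must be false.
    $result | Add-Member NoteProperty CompatibleWithImp ((-not $requiresV2Session) -and (-not $refusesNtlmv1))
    return $result
}

Test-NtlmServerPolicy | Format-List
```

Because the integration depends on the server accepting NTLMv1, the script also reports the LAN Manager authentication level: a server set to level 5 (NTLMv2 only) blocks the integration just as the "Require NTLMv2 session security" check box does, and keeping both values in the output makes it clear in a change record exactly which setting was relaxed for the Exchange server.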

What to Do Next

Adding a Mailbox to the Exchange View Only Administrator Account

Adding a Mailbox to the Exchange View Only Administrator Account

Follow this procedure to add a mailbox to the Exchange View Only Administrator account.


Note


Accounts without a mailbox in the specified storage do not work, and the account stops functioning if you remove the mailbox at any stage.

Procedure
    Step 1   Log in to the Microsoft Exchange Server 2007 user interface using an account that has been delegated the Exchange View Only Administrator role.
    Step 2   Open the Exchange Management Console (EMC) on the Exchange 2007 Server.
    Step 3   Choose Recipient Configuration in the console tree.
    Step 4   Click New Mailbox, and complete the New Mailbox wizard. For User Logon Name (User Principal Name), enter the Microsoft domain name in which the user account resides, followed by the name that the user requires to log in to the mailbox.

    Example

    msoft-domain-name\username


What to Do Next

Exchange View Only Administrator Control Delegation to the User Account

Exchange View Only Administrator Control Delegation to the User Account

In an Exchange 2007 environment, you must delegate “Exchange View Only Administrator” permissions to the user account to allow only administrators (with Exchange View Only permissions) to log in to the user accounts on the Exchange Server and view the Exchange configuration.

A user account is a standard Windows account used by a regular Exchange user.

You can delegate “Exchange View Only Administrator” permissions to the user account through the Exchange Management Console (EMC) or the Exchange Management Shell (EMS).

Delegating Through the Microsoft Exchange Management Console

Procedure
    Step 1   On Exchange Server 2007, open the Exchange Management Console (EMC).
    Step 2   In the console tree, right-click Organization Configuration.
    Step 3   Choose Add Exchange Administrator, navigate to the account that you created, and choose it.
    Step 4   Assign the Exchange View Only Administrator role to the account.

What to Do Next

Granting Receive-As Permissions on User Mailboxes

Delegating Through the Microsoft Exchange Management Shell

Procedure
    Step 1   For command line entry, open the Exchange Management Shell (EMS).
    Step 2   Run the Add-ExchangeAdministrator cmdlet with the associated arguments from the Run line or from the Command Prompt in the EMS.

    The following provides the syntax and an example of the command:

    Syntax

    Add-ExchangeAdministrator -Role role -Identity identity

    Example

    Add-ExchangeAdministrator -Role ViewOnlyAdmin -Identity imps_admin


What to Do Next

Granting Receive-As Permissions on User Mailboxes

Granting Receive-As Permissions on User Mailboxes

Use the following procedure to grant “Receive-As” permissions on the user mailboxes.


Note


This task cannot be completed using the Exchange Management Console (EMC).

Procedure
    Step 1   Open the Exchange Management Shell (EMS) for command line entry.
    Step 2   Run the Add-ADPermission command in the EMS as follows:

    Syntax

    Add-ADPermission -Identity Mailbox_Store -User Trusted_User -ExtendedRights Receive-As

    Example

    Add-ADPermission -Identity First_Storage_Group -User imps_admin -ExtendedRights Receive-As


What to Do Next

Verifying Permissions on the Microsoft Exchange 2007 Account

Verifying Permissions on the Microsoft Exchange 2007 Account

After you have assigned the permissions to the Exchange 2007 account, you must verify that the permissions propagate to mailbox level and that you can access the mailbox of the end user. On Exchange 2007, it takes some time for the permissions to propagate to mailboxes.

Before You Begin
Procedure
    Step 1   Open the Exchange Management Shell (EMS) for command line entry.
    Step 2   Verify that the Exchange account is a member of the "Exchange View-Only Administrator" group as follows:
    1. Run this command in the EMS:

      ([ADSI]"LDAP://CN=imps_admin,CN=Users,DC=r7,DC=com").memberof

      Note

      CN=imps_admin,CN=Users,DC=r7,DC=com is the DN (Distinguished Name) of the Exchange account. To determine the DN, use adsiedit.msc. Also verify the DN with your Active Directory administrator if required.

    2. Ensure that the command output indicates that the Exchange account is a member of the "Exchange View-Only Administrator" group, as follows:

      Example Command Output

      CN=Exchange View-Only Administrators,OU=Microsoft Exchange Security Groups,DC=r7,DC=com

    Step 3   Verify that the Exchange account has "Receive-As" permissions on the mail storage group as follows:
    1. Run this command in the EMS:

      Get-ADPermission First_Storage_Group -User imps_admin | Format-Table -AutoSize

      Note

      First_Storage_Group is the name of the mail storage group and imps_admin is the Exchange account.

    2. Ensure that the command output indicates that the Exchange account has "Receive-As" permission on the mail storage group, as follows:

      Example Command Output

      Identity                       User          Deny  Inherited Rights
      --------                       ----          ----  --------- ------
      HTLUO-MAIL\First_Storage_Group R7\imps_admin False False     ReceiveAs

    Step 4   Verify that the Exchange account has permissions on an end-user mailbox as follows:
    1. Run this command in the EMS:

      Get-MailboxPermission jdoe -User imps_admin | Format-Table -AutoSize

      Note

      jdoe is the mailbox of the end user and imps_admin is the Exchange account.

    2. Ensure that the command output indicates that the Exchange account has FullAccess permission on jdoe's mailbox, as follows:

      Example Command Output

      Identity           User          AccessRights IsInherited
      --------           ----          ------------ -----------
      r7.com/Dallas/jdoe R7\imps_admin {FullAccess} True

    Note

    Full Access permission on a user mailbox is inherited from the higher-level permission, in this instance from the First_Storage_Group. If the command that you run in Step 4 fails to return output, the permission has not yet propagated to the mailbox. Do not proceed until you see that the Exchange account has FullAccess on the mailbox of the end user.
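Because propagation to the mailbox takes time and the document says not to proceed until FullAccess is visible, the three checks in Steps 2 to 4 are usually re-run by hand several times. The following Exchange Management Shell script is an added example, not part of the Cisco document, that runs the same three checks (the [ADSI] memberOf lookup, Get-ADPermission on the storage group, Get-MailboxPermission on an end-user mailbox) and polls the mailbox once a minute until the inherited FullAccess entry appears or a timeout is reached. The account, DN, storage group and mailbox are the document's own example values; the function names, timeout and the use of the ExtendedRights and Deny properties on the returned permission objects are this example's assumptions.

```powershell
# Added example, not part of the Cisco document. Scripts the Exchange 2007
# verification steps above (group membership, Receive-As on the storage group,
# FullAccess on an end-user mailbox) and waits for propagation instead of
# re-running the commands by hand. Run inside the Exchange Management Shell.
# The values below are the document's example values; replace them with yours.
$Account        = 'imps_admin'
$AccountDn      = 'CN=imps_admin,CN=Users,DC=r7,DC=com'
$StorageGroup   = 'First_Storage_Group'
$TestMailbox    = 'jdoe'
$TimeoutMinutes = 30

function Test-ViewOnlyMembership {
    param([string]$Dn)
    # Step 2: read memberOf through ADSI and look for the View-Only Administrators group.
    $groups = ([ADSI]"LDAP://$Dn").memberOf
    foreach ($g in $groups) {
        if ("$g" -like 'CN=Exchange View-Only Administrators,*') { return $true }
    }
    return $false
}

function Test-ReceiveAsOnStorageGroup {
    param([string]$Group, [string]$User)
    # Step 3: an allow ACE carrying the Receive-As extended right for the account.
    # Assumes the Get-ADPermission output exposes Deny and ExtendedRights properties.
    $aces = Get-ADPermission -Identity $Group -User $User -ErrorAction SilentlyContinue
    foreach ($ace in $aces) {
        if ((-not $ace.Deny) -and ("$($ace.ExtendedRights)" -match 'Receive-As')) { return $true }
    }
    return $false
}

function Wait-MailboxFullAccess {
    param([string]$Mailbox, [string]$User, [int]$Minutes)
    # Step 4: poll once a minute until the inherited FullAccess entry appears.
    $deadline = (Get-Date).AddMinutes($Minutes)
    do {
        $perms = Get-MailboxPermission -Identity $Mailbox -User $User -ErrorAction SilentlyContinue
        foreach ($p in $perms) {
            if ((-not $p.Deny) -and ($p.AccessRights -contains 'FullAccess')) { return $true }
        }
        Write-Host ('{0:T} FullAccess on {1} not visible yet; waiting for propagation...' -f (Get-Date), $Mailbox)
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

$ok = $true
if (Test-ViewOnlyMembership -Dn $AccountDn) {
    Write-Host "OK: $Account is a member of Exchange View-Only Administrators"
} else {
    Write-Warning "$Account is NOT a member of Exchange View-Only Administrators"; $ok = $false
}
if (Test-ReceiveAsOnStorageGroup -Group $StorageGroup -User $Account) {
    Write-Host "OK: $Account has Receive-As on $StorageGroup"
} else {
    Write-Warning "$Account has NO Receive-As right on $StorageGroup"; $ok = $false
}
if ($ok -and (Wait-MailboxFullAccess -Mailbox $TestMailbox -User $Account -Minutes $TimeoutMinutes)) {
    Write-Host "OK: FullAccess on $TestMailbox has propagated; continue with the Presence Gateway configuration"
} else {
    Write-Warning "FullAccess on $TestMailbox is not visible; do not proceed until it appears"
}
```

The mailbox check only starts once the first two checks pass, because a missing group membership or storage-group right would otherwise make the script wait out the full timeout for a permission that can never propagate. Deny entries are skipped in both permission checks so that an explicit deny on the account is reported as missing access rather than as success.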


What to Do Next

Enable Authentication on the Exchange 2007 and Later Editions Virtual Directories

Enable Authentication on the Microsoft Exchange 2003 and 2007 Virtual Directories

You must enable basic authentication on the Exchange virtual directories (/exchange and /exchweb) for Microsoft Office Outlook Web Access (OWA) to work properly. The /exchange directory handles mailbox access requests for OWA and WebDAV. The /exchweb directory contains resource files used by OWA and WebDAV. You can also optionally enable Windows Integrated Authentication on the Exchange virtual directories. Forms Based Authentication (FBA) can also optionally be enabled.

The procedure that follows is for WebDAV integrations on Exchange Server 2003 and 2007 running Windows Server 2003.

Procedure
    Step 1   From Administrative Tools, open Internet Information Services and choose the server.
    Step 2   Choose Web Sites.
    Step 3   Choose Default Web Site.
    Step 4   Right-click either the /exchange or /exchweb directory folder and choose Properties.
    Step 5   Choose the Directory Security tab.
    Step 6   Under Authentication and access control, click Edit.
    Step 7   Under Authentication, ensure that the Basic Authentication and Integrated Windows check boxes are checked.
    Step 8   [Optional] If you want to enable FBA for the WebDAV integration between the IM and Presence Service and Exchange, complete the following steps. Basic authentication is enabled by default for OWA when FBA is chosen.
    1. Open the Exchange Management Console (EMC).
    2. From the left pane, choose Server Configuration > Mailbox.
    3. Choose the appropriate server in the Mailbox pane and choose the WebDAV tab.
    4. Right-click Exchange and choose Properties.
    5. Choose the Authentication tab.
    6. Choose Use forms-based authentication and under Logon Format choose Domain\user name.
    7. Click OK.
    8. Right-click ExchWeb and choose Properties.
    9. Choose the Authentication tab.
    10. Choose Use forms-based authentication and under Logon Format choose Domain\user name.
    11. Click OK.
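The IIS procedure above is performed per virtual directory in the IIS console, which leaves nothing behind to audit. The following PowerShell script is an added example, not part of the Cisco document, that reads the same Directory Security settings for /exchange and /exchweb through the IIS 6.0 WMI provider (root\MicrosoftIISv2, class IIsWebVirtualDirSetting) on Windows Server 2003. It assumes the Default Web Site is site W3SVC/1, which is true for a default installation; the function name and the output fields are this example's own. It also reports whether the directory requires SSL, since Basic Authentication sends credentials encoded rather than encrypted, which is why the verification URL earlier in this chapter uses https.

```powershell
# Added example, not part of the Cisco document. Reports the authentication
# methods enabled on the /exchange and /exchweb virtual directories through the
# IIS 6.0 WMI provider, so the result of the procedure above can be checked (or
# audited later) without opening the IIS console. 'W3SVC/1' is the Default Web
# Site on a default installation; change it if your site ID differs.
$VirtualDirectories = @('W3SVC/1/ROOT/Exchange', 'W3SVC/1/ROOT/ExchWeb')

function Get-VirtualDirectoryAuth {
    param([string]$MetabasePath)
    # IIsWebVirtualDirSetting exposes the Directory Security settings as booleans.
    $setting = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting `
        -Filter "Name='$MetabasePath'"
    if ($setting -eq $null) { return $null }

    $r = New-Object PSObject
    $r | Add-Member NoteProperty Path $MetabasePath
    $r | Add-Member NoteProperty BasicAuthentication ([bool]$setting.AuthBasic)
    $r | Add-Member NoteProperty IntegratedWindows   ([bool]$setting.AuthNTLM)
    $r | Add-Member NoteProperty Anonymous           ([bool]$setting.AuthAnonymous)
    # AccessSSLFlags bit 8 (AccessSSL) means the directory only accepts HTTPS, which
    # is what keeps the Basic Authentication credentials off the wire in clear text.
    $r | Add-Member NoteProperty RequiresSsl (($setting.AccessSSLFlags -band 8) -ne 0)
    # Step 7 asks for both Basic and Integrated Windows to be enabled.
    $r | Add-Member NoteProperty MeetsStep7 (([bool]$setting.AuthBasic) -and ([bool]$setting.AuthNTLM))
    return $r
}

foreach ($path in $VirtualDirectories) {
    $auth = Get-VirtualDirectoryAuth -MetabasePath $path
    if ($auth -eq $null) {
        Write-Warning "$path was not found in the IIS metabase"
    } else {
        $auth | Format-List
    }
}
```

Run it on the Exchange server after completing Step 7; a directory that reports MeetsStep7 as False still needs the console change, and one that reports RequiresSsl as False accepts the Basic Authentication credentials over plain HTTP as well as HTTPS.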