Table 1 Configuration tasks for Microsoft Exchange 2003 Components

Task: Create a Service Account and add it as a member of the "Exchange View Only Administrator" security group.
Procedure:
1. Create a new service account in Active Directory Users and Computers (ADUC) on the Exchange server.
2. Create a new security group in Active Directory Users and Computers (ADUC) on the Exchange server. Name it Exchange View Only Administrator.
3. Right-click the Exchange View Only Administrator group that you created, and select Properties. Under the Members tab, add the service account that you created to the group.
4. Open System Manager on the Exchange server and under Administrative Groups, navigate to the Exchange View Only Administrator group.
5. Right-click the group and select Delegate Control to start the Exchange Administration Delegation Wizard.
6. Select Add and navigate to the group that you created, and select it.
7. Assign the Exchange View Only Administrator role to the group.
Important Notes: You may already have configured an administrator account on the Exchange server. We recommend, however, that you create a separate administrator account for Exchange integration because the default administrator configuration may not let you sign into other user accounts on the Exchange server.

Task: Create User Accounts and Delegate Exchange View Only Administrator Control to the User Account
Procedure:
1. Create a new user account on the Exchange server.
2. Open System Manager on the Exchange server and under Administrative Groups, navigate to the administrative group to which you want to add the account that you created.
3. Right-click the group and select Delegate Control to start the Exchange Administration Delegation Wizard.
4. Select Add and navigate to the user account that you created, and select it.
5. Assign the Exchange View Only Administrator role to the account.
Important Notes: In an Exchange 2003 environment, you must delegate "Exchange View Only Administrator" permissions to the user account to allow only administrators (with Exchange View Only permissions) to sign into the user accounts on the Exchange server and view the Exchange configuration.
A user account is a standard Windows account used by a regular Exchange user.

Task: Grant Receive As Permissions on User Mailboxes
Procedure:
1. Open the System Manager on the Exchange server and under Administrative Groups, navigate to First Administrative Group > Servers > First Server > Mailbox Store.
2. Right-click the mailbox store, and select Properties. Under the Security tab, enter the name of the account for which you need to access calendaring information.
3. Assign Receive As permissions to the account and all associated mailbox stores.
Important Notes: IM and Presence requires additional Receive As account permissions to inspect the calendars of users on the Exchange server. We recommend that you assign this permission at a higher level (such as mail storage group) to enable read-only access to all the mailboxes in the mail storage group.

Troubleshooting Tips
IM and Presence only requires Receive As permissions on the account to enable it to sign in to that account when it connects to the Exchange server. Note that this account does not typically receive mail so you do not need to be concerned about allocating space for it.
If you receive an error message indicating that the Exchange server is down and the certificate is configured properly, then the Receive As account is not configured properly. Recreate the account using the steps in this procedure.
This procedure applies to Microsoft Exchange Server 2003 SP1 and later releases.
Procedure
Step 1
Use Internet Explorer to connect to the following URL:
https://server/exchange/user@domain
Where server = server name, user = user name (some user other than the receive-as account), domain = Exchange domain
Step 2
Sign in using the receive-as credentials. If these credentials allow you to access the OWA account, it verifies that the permissions have propagated successfully to the Exchange server.
Microsoft Exchange 2007 configuration checklist (WebDAV)
The following table provides a summary checklist to follow when configuring access to mailboxes on the Microsoft Exchange 2007 server. For detailed instructions, see the Microsoft Server 2007 documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558(EXCHG.80).aspx
Table 2 Configuration tasks for Microsoft Exchange 2007 Components

Task: Add a Mailbox to the Exchange View Only Administrator account.
Procedure:
1. Sign into the Exchange 2007 server using an account that has been delegated the Exchange View Only Administrator role.
2. Open the Exchange Management Console (EMC) on the Exchange 2007 server.
3. Select Recipient Configuration in the console tree.
4. Select New Mailbox, and complete the New Mailbox wizard.
5. For User Logon Name (User Principal Name), enter the Microsoft domain name in which the user account resides followed by the name that the user requires to sign in to the mailbox.
Example: msoft-domain-name\username
Important Notes: Accounts without a mailbox in the specified storage will not work, and the account will stop functioning if you remove the mailbox at any stage.

Task: Delegate Exchange View Only Administrator Control to the Account
Procedure:
Via the Exchange Management Console (EMC)
1. Open the EMC on the Exchange 2007 server.
2. Right-click Organization Configuration in the console tree.
3. Select Add Exchange Administrator and navigate to the account that you created, and select it.
4. Assign the Exchange View Only Administrator role to the account.
Via the Exchange Management Shell (EMS)
1. Open the EMS for command line entry.
2. Run the Add-Exchange command with associated arguments from the Run line or from the Command Prompt in the EMS.
The following provides the syntax and example of the command:
Important Notes: In an Exchange 2007 environment, you must delegate "Exchange View Only Administrator" permissions to the user account to allow only administrators (with Exchange View Only permissions) to sign into the user accounts on the Exchange server and view the Exchange configuration.
A user account is a standard Windows account used by a regular Exchange user.

Task: Grant Receive As Permissions on User Mailboxes
Procedure:
Via the Exchange Management Shell (EMS)
1. Open the EMS for command line entry.
2. Run the Add-ADPermission command in the EMS as follows:
Important Notes: You cannot use the Exchange Management Console (EMC) to complete this step.

Troubleshooting Tips
IM and Presence only requires Receive As permissions on the account to enable it to sign in to that account when it connects to the Exchange server. Note that this account does not typically receive mail so you do not need to be concerned about allocating space for it.
If you receive an error message indicating that the Exchange server is down and the certificate is configured properly, then the Receive As account is not configured properly. Recreate the account using the steps in this procedure.
After you have assigned the permissions to the Exchange 2007 account, you must verify that the permissions propagate to mailbox level and that you can access the mailbox of the end-user. On Exchange 2007, it takes some time for the permissions to propagate to mailboxes.
Before You Begin
Delegate the appropriate roles and Receive-As permissions to the Exchange account. See the Microsoft Exchange 2007 Configuration Checklist topic.
For the purpose of the examples in the following procedures, assume that the Exchange account is named "cupsadmin" and the mail storage group is named "First Storage Group".
Procedure
Step 1
Open the Exchange Management Shell (EMS) for command line entry.
Step 2
Verify that the Exchange account is a member of the "Exchange View-Only Administrator" group as follows:
The "CN=CUPS Admin,CN=Users,DC=r7,DC=com" is the DN (Distinguished Name) of the Exchange account. To determine the DN, use adsiedit.msc. Also verify the DN with your Active Directory administrator if required.
Ensure that the command output indicates the Exchange account is a member of "Exchange View-Only Administrator" group, as follows:
Example: Command Output
CN=Exchange View-Only Administrators,OU=Microsoft Exchange Security Groups,DC=r7,DC=com
Step 3
Verify that the Exchange account has "Receive-As" permissions on the mail storage group as follows:
The "jdoe" is the mailbox of the end-user. The "cupsadmin" is the Exchange account.
Ensure that the command output indicates that the Exchange account has FullAccess permission on jdoe’s mailbox, as follows:
Example: Command Output
Identity                User          AccessRights  IsInherited  Deny
--------                ----          ------------  -----------  ----
r7.com/Dallas/John Doe  R7\cupsadmin  {FullAccess}  True         False
Troubleshooting Tips
Full Access permission on a user mailbox is inherited from the higher-level permission, in this instance, from the "First Storage Group". If the command (that you run in Step 4) fails to return output, the permission has not yet propagated to the mailbox. Do not proceed until you see that the Exchange account has FullAccess on the mailbox of the end user.
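The Exchange 2007 delegation, Receive-As grant and propagation check described above, written out as one Exchange Management Shell script. This is an added example, not the commands from the original page: it uses the standard Add-ExchangeAdministrator, Add-ADPermission, Get-ADPermission and Get-MailboxPermission cmdlets with the page's sample names (cupsadmin, jdoe, First Storage Group, the r7.com DN), and the retry count and delay are assumptions.

```powershell
# Added example. Account, mailbox, storage group and DN are the page's sample
# values; the retry count and delay are assumptions.
$account   = 'R7\cupsadmin'
$accountDn = 'CN=CUPS Admin,CN=Users,DC=r7,DC=com'
$mailbox   = 'jdoe'
$sgName    = 'First Storage Group'   # qualify as 'SERVER\First Storage Group' if ambiguous

# Delegate the read-only administrator role to the Exchange account.
Add-ExchangeAdministrator -Identity $account -Role ViewOnlyAdmin

# Grant Receive-As once on the storage group so every mailbox in it inherits it.
$sg = Get-StorageGroup -Identity $sgName
Add-ADPermission -Identity $sg.DistinguishedName -User $account -ExtendedRights Receive-As

# Check 1: the account is in the view-only administrators group.
$groups = ([ADSI]"LDAP://$accountDn").memberOf
if (-not ($groups | Where-Object { $_ -like 'CN=Exchange View-Only Administrators,*' })) {
    throw "$account is not a member of Exchange View-Only Administrators"
}

# Check 2: the Receive-As entry exists on the storage group and is not a Deny.
$ace = Get-ADPermission -Identity $sg.DistinguishedName -User $account |
    Where-Object { "$($_.ExtendedRights)" -match 'Receive-As' -and -not $_.Deny }
if (-not $ace) { throw "No Receive-As allow entry for $account on $sgName" }

# Check 3: wait for the inherited FullAccess entry to appear on the mailbox.
$granted = $false
for ($try = 1; $try -le 20 -and -not $granted; $try++) {
    $entry = Get-MailboxPermission -Identity $mailbox -User $account -ErrorAction SilentlyContinue |
        Where-Object { "$($_.AccessRights)" -match 'FullAccess' -and $_.IsInherited -and -not $_.Deny }
    if ($entry) { $granted = $true } else { Start-Sleep -Seconds 30 }
}
if (-not $granted) { throw "FullAccess for $account has not propagated to $mailbox yet" }
Write-Host "$account has inherited FullAccess on $mailbox"
```

Because the grant sits on the storage group, the Get-ADPermission check is also the place to review which other accounts hold Receive-As across every mailbox in that group.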
Enable authentication on the Exchange 2003/2007 virtual directories
You must enable basic authentication on the Exchange virtual directories (/exchange and /exchweb) for Microsoft Office Outlook Web Access to work properly. The /exchange directory handles mailbox access requests for OWA and WebDAV. The /exchweb directory contains resource files used by OWA and WebDAV. You can also optionally enable Windows Integrated Authentication on the Exchange virtual directories. Furthermore, Forms Based Authentication can be optionally enabled.
The procedure that follows is for WebDAV integrations on Exchange 2003 and Exchange 2007 servers running Windows Server 2003.
Procedure
Step 1
From Administrative Tools, open Internet Information Services and select the server.
Step 2
Select Web Sites and then Default Web Site.
Step 3
Right-click either the /exchange or /exchweb directory folder and select Properties.
Step 4
Select the Directory Security tab.
Step 5
Under Authentication and access control, select Edit.
Step 6
Under Authentication, ensure that the Basic Authentication and Integrated Windows checkboxes are checked.
Step 7
[Optional] If you want to enable Forms Based Authentication, complete the following steps:
a. Open the Exchange Management Console (EMC).
b. From the left pane, select Server Configuration > Client Access.
c. Select the appropriate server in the Client Access pane and select the Outlook Web Access tab.
d. Right-select owa (Default Web Site) and select Properties.
e. Select the Authentication tab.
f. Select Use forms-based authentication and under Logon Format select Domain\user name.
Note: Basic authentication is enabled by default for OWA when Forms Based Authentication is selected.