Microsoft KB Archive/195681

= How to configure an Exchange mailbox for anonymous access =

Article ID: 195681

Article Last Modified on 8/23/2005

-

APPLIES TO


 * Microsoft Collaboration Data Objects 1.21
 * Microsoft Collaboration Data Objects 1.1
 * Microsoft Collaboration Data Objects 1.2
 * Microsoft Exchange Server 5.5 Standard Edition
 * Microsoft Windows NT 4.0
 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q195681





SUMMARY
This step-by-step article describes how to configure a Microsoft Internet Information Server (IIS) that uses anonymous authentication to access a Microsoft Exchange Server mailbox. The primary purpose of this task is to allow for users who do not have an NT account on the network to send mail by using an Exchange Server.

The problem that you face is that Exchange requires an NT account against which to authenticate a user before Exchange gives access to any server resources. For an Internet application in which you grant anonymous access to your Web site, you must configure IIS and Microsoft Exchange Server to be able to send mail from an "anonymous" Exchange mailbox.

Configuring an NT account
The following steps assume that you have the required permissions for adding new users to the selected domain.  Open the User Manager for Domains. Note the domain in the title bar of the application. If this domain is not the domain to which you want to add a new user, select "Select Domain" from the User manager. Whatever domain is named in the title bar of the application will replace "YourDOMAIN" throughout this example.  On the User menu, click New User. Set the following properties:      Username:          AnonUser Full Name:        Anonymous User Description:      For anonymous Web access Password:         Fill in an appropriate password Confirm Password: Repeat password

User Must Change Password at Next Logon:            OFF

User Cannot Change Password:  ON*

Password Never Expires:          ON*

Account Disabled: OFF

Groups - Member of:      Domain Users and Domain Guests Profiles:       User Profiles or Home Directory settings are not required. Hours:          No settings are required Logon to:       Set as appropriate

Account Account Expires: Never Account Type:    Global Account for regular user accounts in the domain Dial-in Grant dialin permissions to user          OFF

Call Back          No Call Back Note You may set these values to OFF. If you set these values to OFF, you must make sure that you keep the password that IIS has synchronized with the password that the NT account has.  Click Add. If you have configured your server to automatically create an Exchange account, the Exchange User Properties dialog box appears. If the dialog box does not appear, you must open Microsoft Exchange Administrator and create a new mailbox. Follow the steps in the next section for setting up this mailbox. Before or after you create the new mailbox, click User Rights on the Policies menu in the User Manager.

</li> In the drop-down list, click Log on Locally</li> Click Add, and then add the AnonUser user. The user who you created now has user rights to log on locally to the Server Running IIS.</li></ol>

Configuring a mailbox
Open your Microsoft Exchange Administrator and then configure a new mailbox by following these steps. These steps assume that you have the required permissions on Microsoft Exchange Server to create new mailboxes. <ol> On the File menu, click New Mailbox. If you already have the Exchange User Properties dialog box, go to step 2.</li>  On the General tab, fill in the following properties: <pre class="fixed_text">     First Name:          Anonymous Last Name:          User Display:            Anonymous User Alias:              AnonUser Primary NT Account: YourDOMAIN\AnonUser Note in this list, the primary NT Account indicates the domain and the user account that you configured in the "Configuring an NT account" section. </li></ol>

Configuring the virtual directory

 * 1) Start the Internet Service Manager Microsoft Management Console (MMC).
 * 2) Right-click the Web site from which you want to allow for anonymous mail to be sent.
 * 3) Click the Directory Security tab.
 * 4) Click Edit under Anonymous Access and Authentication Control.
 * 5) Click Allow Anonymous, and then click Edit.
 * 6) Click to clear the Enable Automatic Password Synchronization check box.
 * 7) Enter the DOMAIN\UserID in the box, such as YourDOMAIN\AnonUser. This value should be the domain account that you that you created in this article.
 * 8) Enter the password of the user in the Password box, and then re-enter the password.
 * 9) Click OK until you have closed all dialog boxes.

How it works
Your system should now be configured to allow for an anonymous user to send mail from your Exchange server. When a user accesses the Web, the following events occur: <ol> IIS determines that Anonymous authentication is being used. IIS assigns the new session to the account that you specified when you configuring the virtual directory, such as "YourDOMAIN\AnonUser".</li> The application requests the use of an Exchange Server resource.</li> The Exchange server challenges the application to authenticate itself. The Exchange server does this by passing the application a random value.</li> IIS uses the account from step 1 ("YourDOMAIN\AnonUser") and the password of the user that is stored in IIS to generate a hash from the random value.</li> IIS passes the account and the hash back to Exchange.</li> Exchange Server sends the account ("YourDOMAIN\AnonUser"), the hash, and the original random value to a primary or backup domain controller.</li> The domain controller generates its own hash from the account and the random value that Exchange passed to the domain controller.</li> The domain controller compares the following hashes: <ul> The hash that the domain controller generated.</li> The hash that Exchange passed to the domain controller.</li></ul>

If the hashes are the same, the domain controller tells Exchange to allow the user access to the resource.

The critical step is to perform the following actions: <ul> Provide IIS with an account into which to load the application.</li> Provide the correct credentials.</li></ul>

If the system is not correctly configured, the application will not be granted access to the Exchange resource.</li></ol>

<div class="references_section">