Authentication
This section is about how Exchange 2007 Transport deals with authentication. Both Receive and Send Connectors have a property called AuthMechanisms. For Receive Connectors, this property (a multi-valued, flagged enum) determines which authentication mechanisms are advertised and accepted by the SMTP server. The following table lists and describes the possible values:
| ReceiveConnector AuthMechanisms | Description |
|---|---|
| None | No authentication |
| Tls | Advertise STARTTLS |
| Integrate | Anything negotiated through SPNEGO (such as NTLM and Kerberos) |
| BasicAuth | Basic authentication (AUTH LOGIN) |
| BasicAuthPlusTls | Basic authentication (AUTH LOGIN), but only after TLS has been set up |
| ExchangeServer | Exchange Server authentication (Direct Trust, GSSAPI and Mutual GSSAPI) |
| ExternalAuthoritative | Treat any client that is able to connect as another authoritative server |
For SendConnectors this property can only have a single value. The possible values and their descriptions are:
| SendConnector AuthMechanism | Description |
|---|---|
| None | No authentication |
| BasicAuth | Basic authentication (AUTH LOGIN) |
| BasicAuthPlusTls | Basic authentication over TLS |
| ExchangeServer | Exchange Server authentication (Direct Trust, GSSAPI and Mutual GSSAPI) |
| ExternalAuthoritative | Treat any server to which the connector connects as another authoritative server |
ExternalAuthoritative needs a little bit of explanation. This type can be used whenever the administrator is sure that the network connection between the two servers is trusted (e.g. IPsec), and that the other SMTP server is also fully trusted (including all the content it can submit). This is useful to establish mail flow between an E2K7 SMTP server and a 3rd party SMTP server. With ExternalAuthoritative, the Receive Connector's RemoteIPRanges will typically be used to map those 3rd party servers to this specific Receive Connector. For example, suppose the 3rd party SMTP server has an IP address of 10.10.10.11; the following two commands can be used to establish mail flow with that server:
set-receiveconnector From3rdPartySmtp -AuthMechanism:ExternalAuthoritative -RemoteIPRanges:10.10.10.11
set-sendconnector To3rdPartySmtp -SmartHostAuthMechanism:ExternalAuthoritative -SmartHosts:10.10.10.11
With ExternalAuthoritative, a session is assigned all server permissions as soon as it comes in on a Receive Connector whose AuthMechanism property is set to this value; no authentication exchange takes place. With authentication mechanisms other than ExternalAuthoritative, None and Tls, a session is assigned the permissions granted to the authenticated remote identity only at the end of a successful authentication process.
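Because a session on an ExternalAuthoritative connector receives full server permissions without authenticating, the only thing standing between an arbitrary host and those permissions is the connector's RemoteIPRanges (and the trust placed in the network path). The following audit script is an added example, not code from the original article; it assumes it is run in the Exchange Management Shell where Get-ReceiveConnector and Get-SendConnector are available, and it treats the catch-all range 0.0.0.0-255.255.255.255 (the value a newly created Receive Connector gets by default) as a high-risk configuration when combined with ExternalAuthoritative.

```powershell
# Added audit example; not code from the original article. Assumes an Exchange
# Management Shell where Get-ReceiveConnector and Get-SendConnector are available.

$CatchAllRange = '0.0.0.0-255.255.255.255'   # default RemoteIPRanges value on a new connector

function Get-ExternalAuthoritativeExposure {
    # Receive side: every connector whose AuthMechanism includes ExternalAuthoritative
    foreach ($rc in Get-ReceiveConnector) {
        # AuthMechanism is a flags enum; its string form lists all enabled values
        if ("$($rc.AuthMechanism)" -notmatch 'ExternalAuthoritative') { continue }

        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        if ($ranges -contains $CatchAllRange) {
            $risk = 'HIGH: any host that can reach this connector gets full server permissions'
        } else {
            $risk = 'scoped to the listed ranges; confirm the path to them is trusted (e.g. IPsec)'
        }

        $row = New-Object PSObject
        $row | Add-Member NoteProperty Connector      $rc.Identity
        $row | Add-Member NoteProperty AuthMechanism  "$($rc.AuthMechanism)"
        $row | Add-Member NoteProperty RemoteIPRanges ([string]::Join(', ', $ranges))
        $row | Add-Member NoteProperty Risk           $risk
        $row
    }
}

Get-ExternalAuthoritativeExposure | Format-List

# Send side: connectors that will treat their smart host as another authoritative server
Get-SendConnector |
    Where-Object { "$($_.SmartHostAuthMechanism)" -eq 'ExternalAuthoritative' } |
    Select-Object Identity, SmartHosts, SmartHostAuthMechanism |
    Format-List
```

Run it after configuring the two connectors from the example above: the From3rdPartySmtp connector should appear with RemoteIPRanges limited to 10.10.10.11, and the To3rdPartySmtp connector should list 10.10.10.11 as its only smart host. Any Receive Connector that reports the catch-all range together with ExternalAuthoritative should have its RemoteIPRanges narrowed to the specific trusted hosts before mail flow is enabled.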