Lesson 3: Configuring Authentication


This lesson looks at the authentication methods configurable on Internet protocol virtual servers and at certificate-based encryption. The lesson also introduces client configuration, which is discussed in detail in Chapter 10.

start example

After this lesson, you will be able to

  • Obtain, install, and associate a certificate to enable SSL encryption on HTTP, NNTP, IMAP4, and POP3 virtual servers, and TLS encryption on SMTP virtual servers

  • List the encryption methods available on all supported Internet protocol virtual servers and both back-end and front-end Exchange servers

  • Distinguish between the various authentication methods available

  • Configure the appropriate levels of authentication on virtual servers

Estimated lesson time: 45 minutes

end example

Configuring Virtual Server Authentication Methods

Authentication ensures that the user is who he or she claims to be. More powerful authentication methods such as Kerberos ensure that the e-mail server is authenticated in addition to the user. Encryption ensures that only the recipient for whom a message is intended can read it.

Authentication Exchange supports three methods of user authentication. These are anonymous authentication, basic authentication, and Integrated Windows Authentication.

Anonymous Authentication This is the most common method used for Internet communication and provides limited access to specific public folders and directory information. Anonymous authentication is supported by all clients and is used to allow users to access unsecured content in public folders.

Basic Authentication Exchange performs simple challenge and response authentication by requiring that users enter their user name, domain name, and password to gain access to mailbox data. Most client computers support basic authentication. This method provides the simplest level of security.

Important

Basic authentication sends a user's name and password as clear text. Therefore, it is insecure. Basic authentication should not be used unless there is no alternative or unless the entire TCP/IP session is encrypted.

Integrated Windows Authentication This method offers security, efficient communication, and transparency. You can use Integrated Windows Authentication when you have Windows-based clients that do not use encryption. This method uses Kerberos for clients running Windows 2000 Server or later, and new technology local area network (LAN) manager (NTLM) for Windows clients that are not running Active Directory. When you use Integrated Windows Authentication, the password is sent as an encrypted value.

Encryption

Encryption scrambles the contents of an e-mail message into a code that can only be read by the person who has the key to decode it on his or her computer. Authentication does not encrypt message data. Therefore, to make your data truly secure, you should encrypt e-mail messages transferred between the client and the server. Because TLS and SSL encrypt the entire TCP/IP session between the client and the server, the session is secure even if you chose a logon authentication method, such as basic authentication, that does not encrypt the user name and password.

HTTP, POP3, IMAP4, and NNTP virtual servers can use SSL encryption. SMTP virtual servers use TLS, which is a development of SSL. To use encryption, a virtual server must have a certificate issued by a trusted CA.

Exam Tip

Remember that encryption scrambles the message. It is not an authentication method and does not authenticate the user. Remember also that encryption can be specified on a virtual server only if basic authentication is enabled. Finally, remember that encryption can be implemented only if a certificate is obtained. Some dialog boxes let you check the encryption setting before you obtain the certificate, but this has no effect until the certificate is installed.

Other Authentication Methods

Some POP3 and IMAP4 clients use Simple Authentication and Security Layer (SASL) authentication. This authentication method uses Kerberos or NTLM to authenticate hosts. SASL can be specified on POP3 and IMAP4 virtual servers on back-end Exchange Server 2003 servers.

You can specify digest authentication on HTTP virtual servers. This authenticates Windows domain servers rather than users. The settings on the Exchange virtual server (the default HTTP virtual server) also let you specify Microsoft .NET Passport authentication.

Supported Authentication Methods

Available authentication methods can vary, depending both upon the type of virtual server and upon whether the Exchange server is configured as a back-end or a front-end server. Table 9-3 gives the details.

Table 9-3: Supported Authentication Methods

Virtual server protocol

Exchange server configuration

Supported authentication methods

POP3 and IMAP4

Back-end

Basic
SASL

HTTP

Back-end

Anonymous
Basic
Digest
Integrated Windows Authentication .NET Password (Exchange virtual server only)

NNTP and SMTP

Back-end and front-end

Anonymous
Basic
Integrated Windows Authentication

POP3 and IMAP4

Front-end

Basic (cannot be changed)

HTTP

Front-end

Anonymous
Basic
Digest
.NET Password (Exchange virtual server only) Integrated Windows Authentication (Exchange virtual server only)

Encryption can be configured on virtual servers on both back-end and front-end Exchange servers. Typically, encryption is configured on front-end servers that connect to the Internet. TLS encryption can be used on SMTP virtual servers, and SSL encryption on all other types of virtual servers. Both types of encryption require a certificate.

Configuring Client Access to Virtual Server Protocols

Exchange Server 2003 supports HTTP and WebDAV to provide enhanced functionality for HTTP clients retrieving and manipulating information in Web storage systems. You can also configure an HTTP virtual server to support OWA and allow clients to access e-mail, calendar information, shared applications, and any content in the public folder store, simply and efficiently by using a Web browser.

IMAP4 clients can access mail in an Exchange mailbox without downloading the entire mailbox to a specific computer. Exchange uses NNTP to enable Outlook users to participate in online discussions over the Internet. Exchange also enables users running client applications that support NNTP to access newsgroup public folders on computers running Exchange.

Exchange allows POP3 clients to access user inboxes on Exchange. However, POP3 users cannot access other public or private folders. POP3 is not intended to provide full manipulation of mail on the server. Although messages can be left on the server, mail is usually downloaded to a user's computer and then deleted.

To configure POP3 and IMAP4 clients, you need to create a mailbox-enabled user, specify account information on the client, and set per-user options. These procedures are described in detail in Chapter 10.

Practice: Obtaining, Installing, and Associating a Certificate for an IMAP4 Virtual Server on a Front-End Exchange Server

This procedure is used to obtain, associate, and install an encryption certificate on the default IMAP4 virtual server on the front-end Exchange server, Server02. The same procedure can be used to obtain, install, and associate a certificate on the following virtual servers:

  • An IMAP4 virtual server on a back-end Exchange server

  • A POP3 virtual server on either a front-end or a back-end Exchange server

  • An NNTP virtual server on either a front-end or a back-end Exchange server

  • An SMTP virtual server on either a front-end or a back-end Exchange server

To obtain, install, and associate a certificate on an HTTP virtual server on either a front-end or a back-end Exchange server, you need to access the Web Server Certificate Wizard by using the IIS Manager console rather than Exchange System Manager.

If you have not already done so, you need to start the Exchange IMAP4 service on Server02 as described in Lesson 1. This procedure assumes that this service and the default virtual server are running.

To obtain, install, and associate a certificate, perform the following ssteps:

  1. Start Exchange System Manager.

  2. Navigate to Administrative Groups\First Administrative Group\Servers\Server02 \Protocols\IMAP4.

  3. Right-click Default IMAP4 Virtual Server, and then click Pause.

  4. Right-click Default IMAP4 Virtual Server, and then click Properties.

  5. On the Access tab, click Certificate.

  6. To request a new certificate, complete the Web Server Certificate Wizard. When prompted, select the Create A New Certificate option. Because there is a CA in your domain, you can obtain the certificate immediately.

  7. Click Apply to save your settings.

  8. To install the certificate, click Certificate again.

  9. Complete the Web Server Certificate Wizard again. This time, select Assign An Existing Certificate when prompted.

  10. To associate the certificate and require a secure channel, click Communication on the Access tab.

  11. Click Require Secure Channel.

  12. If 128-bit encryption is supported on the computer hosting the IMAP4 virtual server, click Require 128-bit Encryption.

  13. Click OK to close the virtual server Properties dialog box.

  14. Restart the virtual server.

    Note

    You do not need to obtain a certificate every time you want to enable encryption on a virtual server. If you have obtained a certificate for one virtual server on your Exchange server, you can use the Web Server Certificate Wizard to assign it to other virtual servers.

Practice: Configuring Authentication

This procedure is the same for all virtual servers, except for the options that can be set. For the HTTP default virtual server, you use the IIS Manager console to access the Authentication sheet through the Directory Security tab of the Exchange Properties box, but otherwise the procedure is identical.

Exercise 1: Configure Authentication on Virtual Servers on a Back-End Exchange Server

To configure authentication, perform the following steps:

  1. Start Exchange System Manager.

  2. Navigate to Administrative Groups\First Administrative Group\Servers\Server01 \Protocols.

  3. Expand HTTP, NTTP, POP3, IMAP4, and SMTP.

  4. Right-click any virtual server except the Exchange virtual server (the HTTP default virtual server), and then click Pause.

  5. Right-click the paused virtual server, and then click Properties.

  6. On the Access tab, click Authentication.

  7. Specify the authentication settings. Figures 9-9 through 9-12 show the available options.

    click to expand
    Figure 9-9: Authentication options for an additional HTTP virtual server on a back-end Exchange server

    click to expand
    Figure 9-10: Authentication options for POP3 and IMAP4 virtual servers on a back-end Exchange server

    click to expand
    Figure 9-11: Authentication options for an NNTP virtual server

    click to expand
    Figure 9-12: Authentication options for an SMTP virtual server

  8. Click OK to close the virtual server Properties dialog box.

  9. Restart the virtual server.

Exercise 2: Configure Authentication on the Default HTTP Virtual Server on a Front-End Exchange Server

The purpose of this exercise is to describe the use of the IIS Manager console to configure authentication settings on a default HTTP virtual server. The procedure also illustrates the difference between HTTP virtual servers on a back-end and on a front-end Exchange server.

  1. Start the IIS Manager console on Server02.

  2. Expand Internet Information Services\Server02\Web Sites\Default Web Site \Exchange.

  3. Right-click Default Web Site, and then click Pause.

  4. Right-click Exchange, and then click Properties.

  5. In the Authentication And Access Control section on the Directory Security tab, click Edit.

  6. Configure the settings as required. As shown in Figure 9-13, Integrated Windows Authentication and .NET Passport authentication are available on an Exchange virtual server on both front-end and back-end Exchange servers.

    click to expand
    Figure 9-13: Authentication options for an Exchange virtual server on a front-end or back-end Exchange server

    However, on an additional HTTP server on a front-end Exchange server, these options are not available. Figure 9-14 shows the authentication settings available in this case.

    click to expand
    Figure 9-14: Authentication options for an additional HTTP virtual server on a front-end Exchange server

  7. Click OK to close the Authentication dialog box.

  8. Click OK to close the Exchange Properties dialog box.

  9. Restart the default Web site.

Exercise 3: Examine Authentication Settings on a POP3 Virtual Server on a FrontEnd Exchange Server

The purpose of this exercise is to examine the Authentication dialog box on a POP3 virtual server on a front-end Exchange server. The Authentication dialog box on an IMAP4 virtual server on a front-end Exchange server looks exactly the same.

To examine authentication settings, perform the following steps:

  1. Start Exchange System Manager.

  2. Navigate to Administrative Groups\First Administrative Group\Servers\Server02 \Protocols\POP3.

  3. Right-click Default POP3 Virtual Server, and then click Properties.

  4. On the Access tab, click Authentication.

  5. The Authentication dialog box is shown in Figure 9-15. Note that on a front-end server, basic authentication is specified and cannot be changed. The only configuration possible is to enable encryption.

    click to expand
    Figure 9-15: Authentication dialog box for a POP3 virtual server on a front-end Exchange server

  6. Click OK to close the virtual server dialog box.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and then try the question again. You can find answers to the questions in the "Questions and Answers" section at the end of this chapter.

  1. Which additional Internet protocol virtual servers support Integrated Windows Authentication? (Select all that apply.)

    1. HTTP, back-end

    2. HTTP, front-end

    3. NNTP, back-end

    4. NNTP, front-end

    5. POP3, back-end

    6. POP3, front-end

    7. IMAP4, back-end

    8. IMAP4, front-end

    9. SMTP, back-end

    10. SMTP, front-end

  2. On which types of virtual servers is the authentication method fixed and not configurable?

  3. Why is basic authentication considered a security risk?

Lesson Summary

  • There are three methods of user authentication: anonymous, basic, and Integrated Windows Authentication.

  • Encryption can be configured if basic authentication is used and a certificate is obtained and installed.

  • Available authentication methods can vary depending on whether the virtual server is on a back-end or a front-end Exchange server.

  • The authentication method on IMAP4 and POP3 virtual servers on front-end Exchange servers cannot be changed.

  • You configure the default HTTP virtual server (the Exchange server) using the IIS Manager console. You use Exchange System Manager to configure all other virtual servers.




MCSA/MCSE Self-Paced Training Kit (Exam 70-284(c) Implementing and Managing Microsoft Exchange Server 2003)
MCSA/MCSE Self-Paced Training Kit (Exam 70-284): Implementing and Managing MicrosoftВ® Exchange Server 2003 (Pro-Certification)
ISBN: 0735618992
EAN: 2147483647
Year: 2003
Pages: 221

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net