ID: Q195681
The information in this article applies to:
This article describes how to configure a Microsoft Internet Information Server (IIS) using anonymous authentication to access a Microsoft Exchange Server mailbox. The primary purpose of this is to allow users who do not have an NT account on your network to send mail using your Microsoft Exchange Server.
The problem you face is that Exchange requires an NT account against which to authenticate a user before it will allow access to any server resources. In the case of an Internet application in which you grant anonymous access to your Web site, you need to configure IIS and Microsoft Exchange Server to be able to send mail from an "anonymous" Exchange mailbox.
The following steps assume that you have the required permissions for adding new users to the selected domain.
1. Open the User Manager for Domains.
2. Note the domain in the title bar of the application. If this is not
the domain to which you want to add a new user, select "Select Domain"
from the User manager. Whatever domain is named in the title bar of
the application will replace "YourDOMAIN" throughout this example.
3. Select New User from the User menu. Set the following properties:
Username: AnonUser
Full Name: Anonymous User
Description: For anonymous Web access
Password: Fill in an appropriate password
Confirm Password: Repeat password
User Must Change
Password at Next
Logon: OFF
User Cannot
Change Password: ON*
Password Never
Expires: ON*
Account Disabled: OFF
Groups -
Member of: Domain Users and Domain Guests
Profiles: User Profiles or Home Directory settings
are not required.
Hours: No settings are required
Logon to: Set as appropriate
Account
Account Expires: Never
Account Type: Global Account for regular user accounts
in the domain
Dial-in
Grant dialin
permissions
to user OFF
Call Back No Call Back
NOTE: You may set these values to OFF. If you set these values OFF,
you need to make sure to keep the password that IIS has synchronized
with the password that the NT account has.
4. Choose Add. If you have configured your server to automatically create
an Exchange account, the Exchange User Properties dialog box appears.
If the dialog box does not appear, you need to open the "Microsoft
Exchange Administrator" and create a new mailbox. Follow the steps in
the next section for setting up this mailbox.
5. Before or after creating the new mailbox, select User Rights from the
Policies menu in the User Manager. Select "Log on Locally" from the
drop-down menu on the right. Choose Add, and add the "AnonUser." The
user you created now has rights to log on locally to the IIS server.
Open your Microsoft Exchange Administrator and configure a new mailbox as follows. These steps assume that you have the required permissions on Microsoft Exchange Server to create new mailboxes.
1. Select "New Mailbox" from the File menu. If you already have the
Exchange User Properties dialog box, you may skip to Step 2.
2. Fill in the following properties on the General Tab:
First Name: Anonymous
Last Name: User
Display: Anonymous User
Alias: AnonUser
Primary NT Account: YourDOMAIN\AnonUser
where the primary NT Account indicates the domain and user account
configured in the previous section.
1. Start the Internet Service Manager (Microsoft Management Console).
2. Right-click on the Web from which you want to allow anonymous mail to be
sent.
3. Select the "Directory Security" tab.
4. Choose "Edit" for "Anonymous Access and Authentication Control."
5. Turn on the "Allow Anonymous" option and choose "Edit."
6. Turn off "Enable Automatic Password Synchronization."
7. Enter the DOMAIN\UserID in the appropriate text box (such as
YourDOMAIN\AnonUser in this example). This should be the domain account
that you created earlier in this article.
8. Enter the user's password in the Password text box and repeat.
9. Click "OK" until you have closed all dialog boxes.
Your system should now be configured to allow an anonymous user to send mail from your Exchange server. When a user accesses the Web, the following events occur:
1. IIS determines that "Anonymous" authentication is in use. IIS assigns
the new session to the account you specified when configuring the
virtual directory ("YourDOMAIN\AnonUser" in this example).
2. The application requests the use of an Exchange Server resource.
3. The Exchange server challenges the application to authenticate
itself. It does this by passing it a random value.
4. IIS uses the account from step 1 ("YourDOMAIN\AnonUser") and the user's
password (stored in IIS) to generate a hash from the random value.
5. IIS passes the account and the hash back to Exchange.
6. Exchange Server sends the account ("YourDOMAIN\AnonUser"), the hash, and
the original random value to a Primary or Backup Domain Controller.
7. The Domain Controller generates its own hash from the account and random
value that Exchange passed to it.
8. The Domain Controller compares the hash it generated to the hash that
Exchange passed to it. If the values are the same, the Domain
Controller tells Exchange to allow the user access to the resource.
As you see, the critical step is in providing IIS with an account to
load the application in to, and to provide the correct credentials. If
the system is not configured properly, the application will not be
granted access to the Exchange resource.
Please see the following articles in the Microsoft Developer Network (MSDN) Library:
Keywords : kbCDO110 kbCDO120 kbCDO121 kbXchge kbMsg kbGrpMsg
Version : WINDOWS:1.1,1.2,1.21
Platform : WINDOWS
Issue type : kbhowto
Last Reviewed: April 7, 1999