Difference between revisions of "Active Directory Integration"

(44 intermediate revisions by 4 users not shown)

Previous revision (wiki source):
= Synchronizing User Accounts with Active Directory =
  
In addition to adding users manually (as described in chapter "User Management"), MailStore can synchronize its internal user database with the Active Directory of your company.
  
During synchronization, user information and email addresses are gathered from Active Directory and recorded in MailStore; no changes are made to Active Directory.
== Accessing Active Directory Integration ==
  
Log on to MailStore Client as administrator. Click on ''Administrative Tools'' and then on ''Active Directory Integration''.
  
== Specifying Connection Settings ==
  
Before the synchronization can be started, MailStore requires information on how to connect to the Active Directory server. In most cases it should be sufficient to click on ''Auto-Detect All Settings''. If successful, the following fields are filled out automatically.
  
Under Authentication, specify which user identification is to be used to access Active Directory.
 
  
== Executing the Synchronization ==
  
Under User Database Synchronization, after the connection settings have been specified (as described above), the MailStore user list can be synchronized with the Active Directory user list.

The following options are available:

*'''Automatically create new users in MailStore'''<br/>Clear this checkbox if no new users are to be created in MailStore during Active Directory synchronization. In this case, only the data of already existing MailStore users is updated.
*'''Synchronize Microsoft Exchange users only'''<br/>Clear this checkbox only if all Active Directory users are to be created in MailStore as well.
*'''Synchronize only members of a group'''<br/>Select this checkbox and enter a group name if only the members of that Active Directory group are to be synchronized with MailStore Server.

'''To start, click on ''Synchronize Now'''''.

Click on ''Simulate Only'' to see what would happen during an actual synchronization, without committing any changes.
 
== Background: Which Information is Copied? ==
 
 
 
If a user who does not yet exist in MailStore is found in Active Directory, the following steps are executed:

*A new MailStore user is created with the login name (SAM account name) of the Active Directory user.
*LDAP authentication is configured for the new MailStore user. Additional information about this topic is available in section ''Login with Windows Credentials''.
*The MailStore user has the following privileges: logging on to MailStore Server through MailStore Client, archiving new emails into his or her own user archive, browsing that archive and viewing the emails contained therein. The user does not have the privilege to delete emails from the archive.

The following steps are executed for all users (new and existing) during synchronization:

*The full name of the MailStore user is replaced with the full name of the Active Directory user.
*All email addresses assigned to the MailStore user are replaced with the email addresses entered in Active Directory:
**If the user is a Microsoft Exchange user, this concerns all of his or her SMTP addresses.
**If the user is not a Microsoft Exchange user, this concerns the address entered under ''Email Address''.
 
 
 
== Synchronizing Small Business Server Users Only ==
 
 
 
When using Microsoft's Small Business Server with the automatically detected connection settings, Windows system users are added to MailStore's user management as well. In most cases, adding Windows system users to MailStore is undesirable.

To limit the synchronization to the users created with the Small Business Server wizard, specify the organizational unit ''SBSUsers'' as Base DN:

[[File:mads_sync_03.png|center|200px]]

Simply prepend the corresponding branches to the automatically recognized Base DN:

OU=SBSUsers,OU=Users,OU=MyBusiness,DC=deepinvent,DC=local
 
 
 
== Automating the Synchronization with ADS_SYNC ==
 
 
 
To automate the synchronization, the command ads-sync can be used in MailStore's Management Shell. Information about how to use and automatically execute management shell commands is available in chapter The MailStore Management Shell.
 
 
 
ads-sync has the following parameters:

'''--server=<ldap-server>'''
Indicates the LDAP server (Active Directory domain controller) to be contacted.

'''--domain=<netbiosdomain>'''
Indicates the NetBIOS (pre-Windows 2000) domain name.

'''--user=<username>'''
Indicates the user to be used for the LDAP connection.

'''--pass=<password>'''
Indicates the password to be used for the LDAP connection. Note that a password passed this way is visible in the command line of the process and in any script or scheduled task that invokes it, so restrict read access to such scripts and use a dedicated, least-privileged read-only account.

'''--allow-create'''
Use the allow-create switch if new users are to be created in MailStore. If this switch is not set, only the information of already existing users is updated.
 
 
 
= Login with Windows Credentials =
 
 
 
By default, each MailStore user has a password exclusively for MailStore which the administrator can specify during creation of a new user account. In MailStore Client's Administrative Tools, the respective user can later change his or her password.
 
 
 
Alternatively, if Active Directory is available, MailStore can be configured to allow users to log on to MailStore Server through MailStore Client using their Active Directory password.
 
 
 
== Procedure for Users Created During Synchronization with Active Directory ==
 
 
 
If the MailStore users were created using Active Directory Synchronization, as described in the previous section, no further action is required. In this case, MailStore has already specified all necessary settings automatically.
 
 
 
== Procedure for Manually Created Users ==
 
 
 
If MailStore users who were created manually are to be able to log on using their Active Directory password, please proceed as follows:
 
 
 
*Configure the Active Directory Integration as described in chapter Synchronizing User Accounts with Active Directory.
 
*Verify that the names of the MailStore users match those of the corresponding Active Directory users.
 
*In the User Properties window under Authentication, select LDAP (Active Directory).
 
 
 
[[File:mads_ldapauth_01.png|center|450px]]
 
 
 
== Background: How MailStore Proceeds Internally when Using LDAP Authentication ==
 
 
 
The following section describes how MailStore proceeds during LDAP authentication. This description is addressed to users interested in technical details.
 
 
 
*The user logs on; the credentials are sent to MailStore Server.
*MailStore Server verifies that this is a user for whom LDAP authentication is configured.
*MailStore establishes a secure LDAP connection to the Active Directory server configured in Active Directory Integration. MailStore uses a user name consisting of the domain (NetBIOS), also specified under Active Directory Integration, and the MailStore user name (DOMAIN\user), together with the password the user entered.
*If the connection can be opened, MailStore Server searches for the user name (sAMAccountName) under the Base DN configured in Active Directory Integration. If the name is found, MailStore Server regards the credentials as correct.
*If the LDAP authentication was successful, the user is logged on to MailStore Server as usual.
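The flow above relays the user's own credentials to the domain controller. The following is an added example, not MailStore's implementation: it models the described steps (check that LDAP authentication is configured for the user, bind as DOMAIN\user with the supplied password, then search the sAMAccountName under the Base DN) with injectable bind and search callables and a constructed directory, so it runs offline. It also covers two points the description leaves implicit that any such relay has to handle: a bind with a name and an empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2) that Active Directory answers with success, so an empty password must be rejected before binding; and the login name must be escaped before it is embedded in the search filter (RFC 4515). Server name, NetBIOS domain, Base DN and the accounts are assumed values.

```python
# Added example, not MailStore's implementation: models the credential relay
# described above with injectable bind/search callables and a constructed
# directory so it runs offline. Server, domain, Base DN and accounts are assumed.
import re
from dataclasses import dataclass
from typing import Callable, Iterable

class LdapBindError(Exception):
    """Raised by bind() when the directory rejects the credentials."""

@dataclass(frozen=True)
class AdIntegration:            # values configured under Active Directory Integration
    server: str
    netbios_domain: str
    base_dn: str

@dataclass(frozen=True)
class MailStoreUser:
    name: str                   # equals the AD sAMAccountName for synchronized users
    auth: str                   # "ldap" or "mailstore" (local password)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login name cannot change the shape of the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def ldap_login(user: MailStoreUser, password: str, cfg: AdIntegration,
               bind: Callable[[str, str, str], None],
               search: Callable[[str, str], Iterable[str]]) -> bool:
    """True only if a bind with the user's own credentials succeeds AND the
    sAMAccountName is found under the configured Base DN."""
    if user.auth != "ldap":
        return False            # this user has a MailStore password instead
    if not password:
        # Name plus empty password is an "unauthenticated bind" (RFC 4513 5.1.2)
        # that Active Directory answers with success; relaying it would let anyone
        # log on as any LDAP-authenticated user. Refuse before touching the DC.
        return False
    try:
        bind(cfg.server, f"{cfg.netbios_domain}\\{user.name}", password)
    except LdapBindError:
        return False
    flt = f"(&(objectClass=user)(sAMAccountName={escape_filter_value(user.name)}))"
    return len(list(search(cfg.base_dn, flt))) > 0

# Constructed directory: DN -> attributes (passwords exist only for the fake bind).
DIRECTORY = {
    "CN=Jane Doe,OU=Users,DC=company,DC=local": {"sAMAccountName": "jane.doe", "pw": "correct horse"},
    "CN=Svc MailStore,OU=Service,DC=company,DC=local": {"sAMAccountName": "svc-mailstore", "pw": "s3cret"},
    "CN=Ext User,OU=Users,DC=partner,DC=local": {"sAMAccountName": "ext", "pw": "pw"},  # other domain
}
CFG = AdIntegration("dc01.company.local", "COMPANY", "DC=company,DC=local")

def fake_bind(server: str, bind_name: str, password: str) -> None:
    """Mimics a DC's simple bind, including the unauthenticated-bind behaviour:
    an empty password is reported as success whatever the name."""
    if password == "":
        return
    sam = bind_name.partition("\\")[2].lower()
    for attrs in DIRECTORY.values():
        if attrs["sAMAccountName"].lower() == sam:
            if attrs["pw"] == password:
                return
            break
    raise LdapBindError("invalid credentials")

def fake_search(base_dn: str, ldap_filter: str) -> list:
    """Handles the one filter shape ldap_login produces: case-insensitive match on
    sAMAccountName, restricted to the subtree under base_dn like a real search."""
    wanted = re.search(r"\(sAMAccountName=([^)]*)\)", ldap_filter).group(1).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith("," + base_dn.lower())
            and escape_filter_value(attrs["sAMAccountName"]).lower() == wanted]

def login(name: str, password: str, auth: str = "ldap") -> bool:
    """Convenience wrapper over the constructed directory."""
    return ldap_login(MailStoreUser(name, auth), password, CFG, fake_bind, fake_search)
```

The account in the partner domain illustrates the Base DN step: its bind succeeds, but because the search is scoped to the configured Base DN the login is still refused, which is the behaviour the "no subdomains or domain trusts" note above implies.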
 
 
 
= MailStore Client Single Sign-On =
 
 
 
For using the single sign-on functionality in Active Directory environments, MailStore Server provides an ADM template.
 
 
 
The MailStore Client ADM Template (administrative template) makes it possible to configure the MailStore Client login using the group policy editor. The ADM template is located in the Support subfolder of the MailStore Server program folder
 
 
 
Using a group policy, the ADM template can be distributed among all Windows clients in your Active Directory network who are to use the single sign-on functionality.
 
 
 
== The Group Policy Management Console ==
 
 
 
The distribution of group policies to domain-joined clients is a basic function of every Active Directory-based network. The setup of a group policy for single sign-on is described here using the Group Policy Management Console (GPMC). Starting with Windows Server 2008, the management console is an optional feature of the server installation; the installation package for Windows Server 2003 can be downloaded from http://www.mailstore.com/?gpmc.
 
 
 
== Installing the ADM Template in Active Directory ==
 
 
 
*Open the group policy management console.
 
*Right-click on the administrative folder Group Policy Objects, select ''New'' and create a new group policy object called ''MailStore SSO''.
 
*Highlight the new object and click on ''Edit''.
 
 
 
[[File:mads_gp_01.png|center|450px]]
 
 
 
 
 
*Expand User Configuration and highlight ''Administrative Templates''. Click on ''Add/Remove Templates''.
 
 
 
[[File:mads_gp_02.png|center|450px]]
 
 
 
*Click on ''Add'' and select the administrative template ''MailStoreClient.adm''. It can be found in the Support subfolder of the MailStore Server program folder. Remove all policy templates that may still be listed and close the window.
 
*Expand Administrative Templates, click on ''MailStore Client'' and edit the entry ''Auto Logon''.
 
 
 
[[File:mads_gp_03.png|center|350px]]
 
 
 
*Enable the setting, check the option ''Automatically log on to MailStore Server'' and enter the DNS name of the MailStore Server computer in the field ''Server Name''.
 
 
 
'''Please note:''' If single sign-on does not work with these settings, please enter the IP address of MailStore Server instead of the name.
 
 
 
*Click on ''OK'' and close the group policy editor. The group policy is now configured and can be linked to the corresponding user objects. This is done using organizational units (OU).
 
 
 
[[File:mads_gp_04.png|center|450px]]
 
 
 
 
*Highlight and then right-click on the organizational unit which contains the desired user objects (DE_Viersen in the example above) and select the option Link an Existing GPO. In the dialog window Select ''GPO'', highlight the MailStore SSO policy and confirm by clicking ''OK''.
 
*The group policy does now exist and will become active the next time users log on to the Windows clients.
 

Latest revision as of 15:30, 26 April 2021

In addition to adding users manually as described in chapter User Management, MailStore Server can synchronize its internal user database with the Active Directory of your organization.

During synchronization, user information, such as user names and email addresses, is copied from the Active Directory into MailStore Server's user database. That way, users can use their Active Directory credentials to also log on to MailStore Server and emails can be assigned to their corresponding user archives automatically, for example. No changes are made to the Active Directory itself by MailStore Server. The scope of the synchronization can be limited through filters.


Please note: MailStore Server supports neither subdomains nor domain trusts. The MailStore Server service must run as the 'Local System' account and the server must be a member of the domain if you want to use 'Integrated Windows authentication'.

Accessing Directory Service Integration

  • Log on to MailStore Client as a MailStore Server administrator.
  • Click on Administrative Tools > Users and Archives > Directory Services.
  • In the Integration section, change the directory service type to Active Directory.
[Figure: mads_sync_01.png]


Connection to Active Directory

For synchronization MailStore Server requires information on how to connect to the Active Directory.

  • Server (optional)
    DNS name or IP address of an Active Directory domain controller. If the MailStore Server machine is a member of the Active Directory, this setting is detected automatically.
  • Protocol
    The protocol used to communicate with an Active Directory domain controller.
    • LDAP
      The default protocol for accessing an Active Directory. The connection itself is not TLS-protected; whether the payload is encrypted depends on the bind: Windows authentication (Kerberos/NTLM) can sign and seal the LDAP session, whereas an LDAP simple bind on port 389 sends user name and password in clear text. Unless you have verified that the session is sealed, use LDAPS when Standard Authentication is configured.
    • LDAPS
      LDAP over TLS (port 636). A properly configured certificate infrastructure is required: the MailStore Server computer must trust the domain controller's certificate, which means the issuing CA must be in its trusted root store and the certificate must be issued for the name entered in the Server field (usually the domain controller's FQDN, so enter that rather than an IP address).
  • Base-DN (optional)
    Base DN of your Active Directory. Often the Base DN can be derived from the Active Directory domain name. For example, if the Active Directory domain name is company.local the Base DN usually is dc=company,dc=local. The Base DN can also be selected by clicking the button left of the text field if access to an Active Directory domain controller is available. If the MailStore Server machine is a member of the Active Directory, this setting is detected automatically.
  • Authentication
    Define how the MailStore Server service should identify itself to the Active Directory:

    • Standard Authentication
      If MailStore Server is not installed directly on an Active Directory domain controller, using standard authentication is required. In this case, fill out the User Name and Password fields; enter the user name in UPN notation, e.g. [email protected]
    • Windows Authentication
      If MailStore Server is installed directly on an Active Directory domain controller, the MailStore Server service already has the necessary privileges to authenticate against Active Directory using Windows authentication.

User Database Synchronization

After configuring the connection settings as described above, you can specify filter criteria for the Active Directory synchronization in this section.

  • Synchronize Microsoft Exchange users only
    Only user accounts with email addresses configured in Active Directory will be taken into account by the synchronization. Clear this checkbox only if all Active Directory users should be created as MailStore Server users as well.
    • Synchronize users visible in address lists only
      Only Active Directory user accounts will be taken into account by the synchronization whose Exchange mailboxes are not hidden from Exchange address lists. This option can only be enabled if the option Synchronize Microsoft Exchange users only is enabled, too.
  • Synchronize enabled users only
    Only user accounts enabled in Active Directory will be taken into account by the synchronization. Disabling this option may be useful if mailboxes whose Active Directory user accounts are disabled by design (shared mailboxes, for example) should be archived as well.
  • Sync only these groups
    Choose one or several Active Directory security groups if you only want their members to be created as MailStore users. That way it's possible to exclude certain Active Directory accounts from being synchronized to MailStore, e.g. system accounts.
    Note: When the MailStore Server Computer is member of a domain, that is not the domain where users are synchronized from, Universal Groups may not be selectable. An error with the errorcode 1355 might be shown then.
  • User Name Format
    Choose which naming scheme MailStore user names should follow:
    • SAM Account Name
      The Pre-Windows 2000 user name.
    • User Principal Name (UPN)
      The Windows user name including domain, e.g. [email protected]
    • User Principal Name (UPN) Local Part
      The Windows user name excluding domain, e.g. jane.doe

Authentication

  • Method
    Here you can choose how users that have been synchronized from Active Directory will be authenticated.
    • Kerberos / NTLM
      With this option, users can log on directly to MailStore Server with their Active Directory credentials. The provided credentials are relayed by MailStore Server to Active Directory for verification.
    • AD FS (OpenID Connect)
      If your company employs Active Directory Federation Services (AD FS), users can also log on to MailStore Server using OpenID Connect through AD FS. For this, you have to configure your AD FS according to our setup guide and enter the following parameters in MailStore Server afterwards.
      • Discovery URI
        The URI by which the AD FS is reachable. Typically, this is the fully qualified domain name of the AD FS server followed by the path /adfs, e.g. https://adfs.example.com/adfs. The certificate used by the AD FS must be trusted by the MailStore Server computer.
      • Client ID
        The Client Identifier of the Application Group that has been created for MailStore Server in AD FS.
      • Redirect-URI
        The Redirect-URI that has been configured in the Application Group.
      • Always require credentials for login
        If this option is enabled, users must authenticate against AD FS every time they log on to MailStore Server.
    Please note: When using OpenID Connect to authenticate users, accessing the archive via IMAP is not possible for technical reasons.

Options

  • Automatically delete users in MailStore Server
    Here you can choose whether users that have been deleted in the Active Directory will also be deleted in the MailStore Server user database by the synchronization. Users will also be deleted if they fall out of scope of the configured settings.
    Only MailStore Server users that have their authentication method set to Directory Services will be deleted.
    If the archive folder of such a user already contains archived emails, only the user entry but not its archive folder will be deleted in MailStore Server.
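The scope rules of the User Database Synchronization section, the Options section above, and the Automatically create new users, Synchronize only members of a group and Simulate Only options of the earlier revision can be previewed without a MailStore installation. The following is an added example, not MailStore's own code: it reproduces the documented semantics of the filters, the User Name Format, the copied full name and email addresses, and the automatic deletion rule against constructed user entries, and it also emits the equivalent LDAP filter, which can be handed to ldapsearch or Get-ADUser -LDAPFilter to see which accounts a domain controller would return. The attribute names are real Active Directory and Exchange attributes; the users, the group DN and the table of existing MailStore users are made up, and MailStore's actual queries may differ.

```python
# Added example, not MailStore code: reproduces the documented scope rules of the
# directory synchronization so a run can be previewed offline. Attribute names are
# real AD/Exchange attributes; users, group DN and existing-user table are made up.
from dataclasses import dataclass
from typing import Optional

UAC_ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled account

@dataclass(frozen=True)
class SyncSettings:
    exchange_only: bool = True    # "Synchronize Microsoft Exchange users only"
    visible_only: bool = False    # "Synchronize users visible in address lists only"
    enabled_only: bool = True     # "Synchronize enabled users only"
    groups: tuple = ()            # "Sync only these groups": group DNs, empty = no restriction
    name_format: str = "sam"      # "sam" | "upn" | "upn_local" ("User Name Format")
    create_new: bool = True       # "Automatically create new users in MailStore"
    delete_missing: bool = False  # "Automatically delete users in MailStore Server"

@dataclass(frozen=True)
class AdUser:
    sam: str                      # sAMAccountName
    upn: str                      # userPrincipalName
    display_name: str
    uac: int = 0x0200             # NORMAL_ACCOUNT, enabled
    mail: Optional[str] = None
    proxy_addresses: tuple = ()   # Exchange proxyAddresses, e.g. "SMTP:a@b"
    hide_from_lists: bool = False # msExchHideFromAddressLists
    member_of: tuple = ()

def _check(s: SyncSettings) -> None:
    if s.visible_only and not s.exchange_only:
        raise ValueError("'visible in address lists only' requires 'Exchange users only'")

def ldap_filter(s: SyncSettings) -> str:
    """LDAP filter with the same scope as the settings; hand it to ldapsearch or
    Get-ADUser -LDAPFilter to see which accounts the domain controller returns."""
    _check(s)
    parts = ["(objectCategory=person)", "(objectClass=user)"]
    if s.exchange_only:
        parts.append("(mail=*)")
        if s.visible_only:
            parts.append("(!(msExchHideFromAddressLists=TRUE))")
    if s.enabled_only:  # LDAP_MATCHING_RULE_BIT_AND on userAccountControl
        parts.append("(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
    if s.groups:
        clauses = "".join(f"(memberOf={dn})" for dn in s.groups)
        parts.append(clauses if len(s.groups) == 1 else f"(|{clauses})")
    return "(&" + "".join(parts) + ")"

def in_scope(u: AdUser, s: SyncSettings) -> bool:
    _check(s)
    if s.exchange_only and (not u.mail or (s.visible_only and u.hide_from_lists)):
        return False
    if s.enabled_only and u.uac & UAC_ACCOUNTDISABLE:
        return False
    return not s.groups or any(g in u.member_of for g in s.groups)

def mailstore_name(u: AdUser, s: SyncSettings) -> str:
    return {"sam": u.sam, "upn": u.upn, "upn_local": u.upn.split("@", 1)[0]}[s.name_format]

def email_addresses(u: AdUser) -> tuple:
    """All SMTP addresses of an Exchange user, otherwise the plain mail attribute."""
    smtp = tuple(a[5:] for a in u.proxy_addresses if a[:5].upper() == "SMTP:")
    return smtp or ((u.mail,) if u.mail else ())

def plan_sync(ad_users, existing: dict, s: SyncSettings) -> dict:
    """existing maps MailStore user name -> authentication method ("directory" or
    "mailstore"). Returns what a run would create, update, delete and skip."""
    plan = {"create": {}, "update": {}, "delete": [], "skip": []}
    seen = set()
    for u in ad_users:
        if not in_scope(u, s):
            plan["skip"].append(u.sam)
            continue
        name = mailstore_name(u, s)
        seen.add(name)
        record = {"full_name": u.display_name, "emails": email_addresses(u)}
        if name in existing:
            plan["update"][name] = record
        elif s.create_new:
            plan["create"][name] = record
        else:
            plan["skip"].append(u.sam)
    if s.delete_missing:  # only directory-authenticated users that vanished or left the scope
        plan["delete"] = sorted(n for n, auth in existing.items()
                                if auth == "directory" and n not in seen)
    return plan

# Constructed sample data (not real accounts).
GROUP_DN = "CN=MailStore Users,OU=Groups,DC=company,DC=local"
SAMPLE_USERS = (
    AdUser("jane.doe", "jane.doe@company.local", "Jane Doe", mail="jane.doe@company.local",
           proxy_addresses=("SMTP:jane.doe@company.local", "smtp:jdoe@company.local"),
           member_of=(GROUP_DN,)),
    AdUser("svc-backup", "svc-backup@company.local", "Backup Service",
           member_of=(GROUP_DN,)),                                     # no mailbox
    AdUser("info", "info@company.local", "Info (shared)", uac=0x0202,  # disabled account
           mail="info@company.local", member_of=(GROUP_DN,)),
    AdUser("hidden", "hidden@company.local", "Hidden Mailbox", mail="hidden@company.local",
           hide_from_lists=True, member_of=(GROUP_DN,)),
    AdUser("bob", "bob@company.local", "Bob Builder", mail="bob@company.local"),  # not in group
)
EXISTING = {"jane.doe": "directory", "old.user": "directory", "admin": "mailstore"}

def sample_plan(settings: Optional[SyncSettings] = None) -> dict:
    """Preview with the sample data; default settings restrict to GROUP_DN and delete."""
    return plan_sync(SAMPLE_USERS, EXISTING,
                     settings or SyncSettings(groups=(GROUP_DN,), delete_missing=True))
```

sample_plan() plays the role of Test Settings (Simulate Only in the earlier revision): with the defaults it reports one update (jane.doe, whose two SMTP addresses replace whatever MailStore held), one creation (hidden), the deletion of old.user (directory-authenticated and no longer in Active Directory) but not of admin (MailStore password), and skips the service account without a mailbox, the disabled shared mailbox and the user outside the group. Switching enabled_only off and visible_only on moves the shared mailbox into scope and the hidden mailbox out of it.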

Assigning Default Privileges

By default, users that have been synchronized to MailStore Server from an Active Directory have the privilege to log on to MailStore Server as well as read access to their own user archive.
You can configure those default privileges before synchronization, for example, to assign the privilege Archive E-mail to all new users. To do this, click on Default Privileges...
More information on managing user privileges and their effects is available in the chapter Users, Folders and Settings which also has details on editing existing privileges.

Running Directory Services Synchronization

Click on Test Settings to check synchronization configuration and the results returned by the Active Directory without any changes to the MailStore Server user database being actually committed.

To finally run the synchronization, click on Synchronize now. The results are shown with any changes committed to the MailStore Server user database.

[Figure: mads_sync_02.png]


Login with Active Directory Credentials

After synchronization MailStore users can log on to MailStore Server with their Active Directory username and Active Directory password.

To use Single-Sign-On (SSO) with Windows-Authentication, the client and the MailStore Server computer must be members of the same domain and the client must be authenticated at the domain controller. Also, additional configuration steps are necessary as described in the articles MailStore Client Deployment and MailStore Outlook Add-in Deployment.