Difference between revisions of "Active Directory Integration"

(5 intermediate revisions by 2 users not shown)
Line 5: Line 5:
 
The MailStore Server service must run as 'Local System account' and the server must be a member of the domain if you want to use 'Integrated Windows authentication'.</p>
 
The MailStore Server service must run as 'Local System account' and the server must be a member of the domain if you want to use 'Integrated Windows authentication'.</p>
  
== Accessing Directoy Service Integration ==
+
== Accessing Directory Service Integration ==
 
{{Directory Services Accessing Configuration|Active Directory|mads_sync_01.png}}
 
{{Directory Services Accessing Configuration|Active Directory|mads_sync_01.png}}
  
Line 24: Line 24:
  
 
*'''Synchronize Microsoft Exchange users only'''<br/>Only user accounts with email addresses configured in Active Directory will be taken into account by the synchronization. Clear this checkbox only if all Active Directory users should be created as MailStore Server users as well.
 
*'''Synchronize Microsoft Exchange users only'''<br/>Only user accounts with email addresses configured in Active Directory will be taken into account by the synchronization. Clear this checkbox only if all Active Directory users should be created as MailStore Server users as well.
 +
**'''Synchronize users visible in address lists only'''<br/>Only Active Directory user accounts will be taken into account by the synchronization whose Exchange mailboxes are not hidden from Exchange address lists. This option can only be enabled if the option ''Synchronize Microsoft Exchange users only'' is enabled, too.
 
*'''Synchronize enabled users only'''<br/>Only user accounts enabled in Active Directory will be taken into account by the synchronization. Deactivating this option may be useful if certain Exchange mailboxes should be archived whose Active Directory user accounts are deactivated by default.
 
*'''Synchronize enabled users only'''<br/>Only user accounts enabled in Active Directory will be taken into account by the synchronization. Deactivating this option may be useful if certain Exchange mailboxes should be archived whose Active Directory user accounts are deactivated by default.
*'''Synchronize users visible in address lists only'''<br/>Only Active Directory user accounts will be taken into account by the synchronization whose Exchange mailboxes are not hidden from Exchange address lists.
 
 
*'''Sync only these groups'''<br/>Choose one or several Active Directory security groups if you only want their members to be created as MailStore users. That way it's possible to exclude certain Active Directory accounts from being synchronized to MailStore, e.g. system accounts.
 
*'''Sync only these groups'''<br/>Choose one or several Active Directory security groups if you only want their members to be created as MailStore users. That way it's possible to exclude certain Active Directory accounts from being synchronized to MailStore, e.g. system accounts.
 +
*: <div class="msnote">'''Note:''' When the MailStore Server Computer is member of a domain, that is not the domain where users are synchronized from, ''Universal Groups'' may not be selectable. An error with the errorcode 1355 might be shown then.</div>
 
* '''User Name Format'''<br/>Choose which naming scheme MailStore user names should follow:
 
* '''User Name Format'''<br/>Choose which naming scheme MailStore user names should follow:
 
** ''SAM Account Name''<br/>The Pre-Windows 2000 user name.
 
** ''SAM Account Name''<br/>The Pre-Windows 2000 user name.
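Review bot: the note added after "Sync only these groups" cites "errorcode 1355" without saying what the code means or what the administrator should do when it appears; suggest adding a one-sentence explanation or a link to the relevant troubleshooting article so the number is actionable. Minor wording in the same note: "is member of a domain, that is not the domain where users are synchronized from" reads better as "is a member of a domain other than the one users are synchronized from".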

Revision as of 17:22, 10 December 2019

In addition to adding users manually as described in chapter User Management, MailStore Server can synchronize its internal user database with the Active Directory of your organization.

During synchronization, user information, such as user names and email addresses, is copied from the Active Directory into MailStore Server's user database. That way, users can use their Active Directory credentials to also log on to MailStore Server and emails can be assigned to their corresponding user archives automatically, for example. No changes are made to the Active Directory itself by MailStore Server. The scope of the synchronization can be limited through filters.


Please note: MailStore Server supports neither subdomains nor domain trusts. The MailStore Server service must run as the 'Local System account' and the server must be a member of the domain if you want to use 'Integrated Windows authentication'.

Accessing Directory Service Integration

  • Log on to MailStore Client as a MailStore Server administrator.
  • Click on Administrative Tools > Users and Archives > Directory Services.
  • In the Integration section, change the directory service type to Active Directory.
[Screenshot: Mads sync 01.png]


Connection to Active Directory

For synchronization, MailStore Server requires information on how to connect to the Active Directory.

  • Server (optional)
    DNS name or IP address of an Active Directory domain controller. If the MailStore Server machine is a member of the Active Directory, this setting is detected automatically.
  • Protocol
    The protocol used to communicate with an Active Directory domain controller.
    • LDAP
      The default protocol when accessing an Active Directory. Although parts of the connection are unencrypted, the actual payload is encrypted.
    • LDAPS
      The additionally SSL-secured version of LDAP. Be aware that a properly configured certificate infrastructure is required, in which the MailStore Server computer must classify the domain controller's certificate as trustworthy.
  • Base-DN (optional)
    Base DN of your Active Directory. Often the Base DN can be derived from the Active Directory domain name. For example, if the Active Directory domain name is company.local the Base DN usually is dc=company,dc=local. The Base DN can also be selected by clicking the button left of the text field if access to an Active Directory domain controller is available. If the MailStore Server machine is a member of the Active Directory, this setting is detected automatically.
  • Authentication
    Define how the MailStore Server service should identify itself to the Active Directory:

    • Standard Authentication
      If MailStore Server is not installed directly on an Active Directory domain controller, standard authentication is required. In this case, fill out the User Name and Password fields and enter the user name in UPN notation, e.g. jane.doe@company.local
    • Windows Authentication
      If MailStore Server is installed directly on an Active Directory domain controller, the MailStore Server service already has the necessary privileges to authenticate against Active Directory using Windows authentication.

User Database Synchronization

After configuring the connection settings as described above, you can specify filter criteria for the Active Directory synchronization in this section.

  • Synchronize Microsoft Exchange users only
    Only user accounts with email addresses configured in Active Directory will be taken into account by the synchronization. Clear this checkbox only if all Active Directory users should be created as MailStore Server users as well.
    • Synchronize users visible in address lists only
      Only Active Directory user accounts will be taken into account by the synchronization whose Exchange mailboxes are not hidden from Exchange address lists. This option can only be enabled if the option Synchronize Microsoft Exchange users only is enabled, too.
  • Synchronize enabled users only
    Only user accounts enabled in Active Directory will be taken into account by the synchronization. Deactivating this option may be useful if certain Exchange mailboxes should be archived whose Active Directory user accounts are deactivated by default.
  • Sync only these groups
    Choose one or several Active Directory security groups if you only want their members to be created as MailStore users. That way it's possible to exclude certain Active Directory accounts from being synchronized to MailStore, e.g. system accounts.
    Note: When the MailStore Server computer is a member of a domain other than the one users are synchronized from, Universal Groups may not be selectable. In that case an error with error code 1355 may be shown.
  • User Name Format
    Choose which naming scheme MailStore user names should follow:
    • SAM Account Name
      The Pre-Windows 2000 user name.
    • User Principal Name (UPN)
      The Windows user name including the domain, e.g. jane.doe@company.local
    • User Principal Name (UPN) Local Part
      The Windows user name excluding the domain, e.g. jane.doe

Options

  • Automatically delete users in MailStore Server
    Here you can choose whether users that have been deleted in the Active Directory are also deleted from the MailStore Server user database by the synchronization. Users are also deleted if they fall out of the scope of the configured filters.
    Only MailStore Server users whose authentication method is set to Directory Services are deleted.
    If the archive folder of such a user already contains archived emails, only the user entry is deleted in MailStore Server; its archive folder is kept.
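The filter rules and name formats of the User Database Synchronization section and the deletion rule of the Options section, modelled as an added Python example (not MailStore's own code). It assumes the standard AD and Exchange attributes sAMAccountName, userPrincipalName, mail, userAccountControl and msExchHideFromAddressLists as the source of each setting, and the directory records and existing user list are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled account
@dataclass
class AdUser:  # the AD attributes the page's filters and name formats rely on
    sam: str                           # sAMAccountName (pre-Windows 2000 name)
    upn: str                           # userPrincipalName
    mail: str | None = None            # mail address; None = no Exchange mailbox
    uac: int = 0                       # userAccountControl
    hidden: bool = False               # msExchHideFromAddressLists
    groups: frozenset[str] = frozenset()  # security groups the user belongs to
@dataclass
class SyncFilter:  # the checkboxes of the User Database Synchronization section
    exchange_only: bool = True
    visible_only: bool = False         # only allowed together with exchange_only
    enabled_only: bool = True
    only_groups: frozenset[str] = frozenset()  # empty = no group restriction
    name_format: str = "sam"           # "sam" | "upn" | "upn_local"

def base_dn(domain: str) -> str:
    """Derive the Base DN from the domain name: company.local -> dc=company,dc=local."""
    return ",".join(f"dc={part}" for part in domain.lower().split("."))

def in_scope(u: AdUser, f: SyncFilter) -> bool:
    """Apply the filters in the order the page lists them."""
    if f.visible_only and not f.exchange_only:
        raise ValueError("'visible in address lists only' requires 'Exchange users only'")
    if f.exchange_only and not u.mail:
        return False
    if f.visible_only and u.hidden:
        return False
    if f.enabled_only and u.uac & UF_ACCOUNTDISABLE:
        return False
    return not f.only_groups or bool(u.groups & f.only_groups)
def mailstore_name(u: AdUser, fmt: str) -> str:
    """Map an AD user to a MailStore user name according to the chosen format."""
    return {"sam": u.sam, "upn": u.upn, "upn_local": u.upn.split("@", 1)[0]}[fmt].lower()

def plan_sync(users: list[AdUser], f: SyncFilter, existing: dict[str, str]) -> tuple[set[str], set[str]]:
    """Return (names in scope, names to delete); only 'Directory Services' users are deleted."""
    wanted = {mailstore_name(u, f.name_format) for u in users if in_scope(u, f)}
    gone = {n for n, auth in existing.items() if auth == "Directory Services" and n not in wanted}
    return wanted, gone
# Constructed sample directory and current MailStore user list (not real data)
AD_USERS = [
    AdUser("jane.doe", "jane.doe@company.local", "jane.doe@company.local", groups=frozenset({"Archive-Users"})),
    AdUser("svc-backup", "svc-backup@company.local", "svc-backup@company.local", groups=frozenset({"Service-Accounts"})),
    AdUser("shared-box", "shared-box@company.local", "shared@company.local", uac=UF_ACCOUNTDISABLE, groups=frozenset({"Archive-Users"})),
    AdUser("hidden", "hidden@company.local", "hidden@company.local", hidden=True, groups=frozenset({"Archive-Users"})),
]
EXISTING = {"jane.doe": "Directory Services", "bob": "Directory Services", "admin": "MailStore-integrated"}
```

Running `plan_sync(AD_USERS, SyncFilter(), EXISTING)` shows the effect of the defaults: the disabled shared mailbox is skipped, the hidden mailbox is still synchronized because "visible in address lists only" is off, and only the Directory Services user "bob" is scheduled for deletion.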

Assigning Default Privileges

By default, users that have been synchronized to MailStore Server from an Active Directory have the privilege to log on to MailStore Server as well as read access to their own user archive.
You can configure those default privileges before synchronization, for example, to assign the privilege Archive E-mail to all new users. To do this, click on Default Privileges...
More information on managing user privileges and their effects is available in the chapter Users, Folders and Settings which also has details on editing existing privileges.

Running Directory Services Synchronization

Click on Test Settings to check the synchronization configuration and the results returned by the Active Directory without actually committing any changes to the MailStore Server user database.

To finally run the synchronization, click on Synchronize now. The results are shown with any changes committed to the MailStore Server user database.

[Screenshot: Mads sync 02.png]


Login with Active Directory Credentials

After synchronization, MailStore users can log on to MailStore Server with their Active Directory user name and Active Directory password.

To use Windows Authentication, the client and the MailStore Server computer must be members of the same domain and the client must be authenticated at the domain controller.

To use Single Sign-On, additional configuration steps are necessary; they are described in the articles MailStore Client Deployment and MailStore Outlook Add-in Deployment.