Exchange Security Settings

The synchronization between the Exchange server and the Totalview server is based on having a query user with access to the Exchange users’ calendar folder. The synchronization module logs on to the Exchange server using the query user, and uses WebDAV messages or EWS (Exchange Web Services) to query, create, update and delete appointments for the Exchange users.

This document describes how to create the query user, how to test the query user, and how to test the query user's access to other users' calendar folders.

The calendar synchronization runs as a service, and for security reasons we recommend that the Totalview Exchange synchronization service uses the service credentials when connecting to the Exchange server. See the 6. Configuration of the Exchange connector service section for more details.

The synchronization between the Exchange server and the Totalview server is designed to handle TLS 1.0. If TLS 1.2 is needed, follow the Using TLS 1.2 section at the end of this document.

N.B. When connecting to Exchange Online services (Office 365) the service cannot use the service credentials to connect to the Exchange Online server.

Exchange 2003 Query User

The query user is created with rights to query, create, update and delete appointments for users on the Exchange server.

The steps involved in creating the query user are:

  • Create the query user in Active Directory and create a mailbox for the query user
  • Assign Receive As Exchange user rights to the query user
  • Initialize the query user

Create the Totalview query user with an Exchange Mailbox

Create the account and mailbox for the query user to be used when the Exchange synchronization connects to the Exchange server.

Log on the Exchange Server with Administrator rights.

  1. Start Active Directory Users and Computers
  2. Create new user. (Right click and select New User)
  3. Write username etc. Select Next
  4. Set password and select User cannot change password and Password never expires. Select Next

  5. Select Create an Exchange mailbox. Select Next
  6. Verify that the information is ok. Select Finish

The query user is now created in the Active Directory and a mailbox is attached to the query user in the Exchange server.

The query user now has rights to connect to the Exchange server and to query its own calendar folder. You can test this by using the WebDAV message test tool described in section 5. Testing the query user. To be able to connect to the Exchange server with the query user, you first have to initialize the user as described in section 2.3 Initialize the Totalview Exchange user.

Add the Exchange User Rights for the Totalview Query User

The query user must be able to access other users' calendar folders to be able to query, create, update and delete appointments not belonging to the query user itself. To be able to do this, the query user must be granted extended Exchange user rights.


The query user has maximum rights to all users' mailboxes, and we recommend that the query user and password are used only in the installation process. The query user's ONLY purpose should be to start the synchronization service as described in section 6. Configuration of the Exchange connector service.

Log on the Exchange server with Administrator rights.

  1. Start System Manager
  2. Browse to Mailbox Store (EXCHSRV). Right click and select Properties

  3. Select the Security tab and select Add.
  4. Write the username (tv3query) and select Check Names
  5. Select OK
  6. Scroll down and verify that the user has at least Allow on Receive As. Select OK

The query user has now been granted access rights to other users' calendars.

It might take a few minutes for the extended user rights to take effect before you can use the query user to query other users' calendars.
The extended user rights are set on the mailbox store, so the query user will also have access to new users added to the Exchange server later.

Initialize the Totalview Exchange user

The query user must be initialized before it can be used to query information from the Exchange server. The query user is initialized the first time the query user logs onto the Exchange account.

  1. Start Internet Explorer
  2. Enter the URL for Outlook Web Access, e.g. http://mail.firm.com/exchange.
  3. Log in using the query user and password.
  4. If the Exchange folders are displayed the query user is created successfully.

Exchange 2007/2010/2013 Query User

The query user is created with rights to query, create, update and delete appointments for users on the Exchange server.

The steps involved in creating the query user are:

  • Create the query user in Active Directory.
  • Create a mailbox for the query user on the Exchange server.
  • Assign Receive As Exchange user rights to the query user.
  • Initialize the query user.

Create the Totalview Query User in Active Directory

Log on the Active Directory Server with administrator rights.

  1. Start Active Directory Users and Computers
  2. Create new user. (Right click and select New User)
  3. Write username etc. Select Next
  4. Set password and select User cannot change password and Password never expires. Select Next
  5. Verify that the information is ok. Select Finish

The query user is now created in the Active Directory and the next step is to associate a mailbox to the query user.

Create a Mailbox for the Query User (Exchange 2007/2010)

Create the mailbox for the query user to be used when the Exchange synchronization connects to the Exchange server.

  1. Log on the Exchange Server with Administrator rights
  2. Start Exchange Management Console
  3. Create a new mailbox. (Right click and select New Mailbox)
  4. Select User Mailbox. Select Next
  5. Select Existing users, select Add and select the query user created in section 3.1. Select OK and select Next
  6. Browse for the Mailbox database. Select Next
  7. Verify the information and select New

The query user is now created with a mailbox.

The query user now has rights to connect to the Exchange server and to query its own calendar folder. You can test this by using either the WebDAV or the EWS message test tool described in section 5. Testing the query user, depending on the type of Exchange connector (WebDAV, EWS or Exchange Online). To be able to connect to the Exchange server with the query user, you first have to initialize the query user as described in section 3.6 Initialize the query user.

Create a Mailbox for the Query User (Exchange 2013)

Create the mailbox for the query user to be used when the Exchange synchronization connects to the Exchange server.

  1. Log on the Exchange Admin Center with administrator rights
  2. Select New -> User mailbox
  3. Select the Browse… button to find the query user created in section 3.1. Select OK. Verify the information and select Save.

The query user is now created with a mailbox.

Assign Exchange User Rights to the Query User (Exchange 2007 WebDAV)

The query user must be able to access other users' calendar folders to be able to query, create, update and delete appointments not belonging to the query user itself. To be able to do this, the query user must be granted extended Exchange user rights.

The query user has rights to all users' mailboxes, and we recommend that the query user and password are used only in the installation process. The query user's ONLY purpose should be to start the synchronization service as described in section 6. Configuration of the Exchange connector service.

Log on the Exchange server with Administrator rights.

  1. Start the Exchange Management Shell
  2. Execute the following command:
    Add-ADPermission -Identity "First Storage Group" -User <domain>\<Totalview query user> -ExtendedRights Receive-As

    where <domain>\<Totalview query user> is the user created in section 3.1.

The query user has now been granted access rights to other users' calendars.

It might take a few minutes for the extended user rights to take effect before you can use the query user to query other users' calendars.

Assign Exchange User Rights to the Query User (Exchange 2007/2010/2013 EWS)

The query user must be able to access other users' calendar folders to be able to query, create, update and delete appointments not belonging to the query user itself. To be able to do this, the query user must be granted extended Exchange user rights.

The query user has rights to all users' mailboxes, and we recommend that the query user and password are used only in the installation process. The query user's ONLY purpose should be to start the synchronization service as described in section 6. Configuration of the Exchange connector service.

Log on the Exchange server with Administrator rights.

  1. Start the Exchange Management Shell
  2. Execute the following command first:

    Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity "<domain>\<Totalview query user>" | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

    and secondly:

    Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User "<domain>\<Totalview query user>" -ExtendedRights ms-Exch-EPI-May-Impersonate}

  3. If it is an Exchange 2010 or 2013 query user, you will have to run a third command to assign the ApplicationImpersonation role to the query user:

    New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:"<domain>\<Totalview query user>"

    where <domain>\<Totalview query user> is the user created in section 3.1.

The query user has now been granted access rights to other users' calendars.

It might take a few minutes for the extended user rights to take effect before you can use the query user to query other users' calendars.
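The commands above grant ApplicationImpersonation for the whole organization. The following is an added example, not part of the Totalview documentation or the Totalview product, showing how on Exchange 2010/2013 the same role can be bound to a management scope so that the query user can only impersonate the mailboxes that are actually synchronized, and how to read back what was granted. It assumes placeholder names: the query user is CONTOSO\tv3query and the synchronized users are the members of a distribution group called Totalview-Sync-Users. Run it in the Exchange Management Shell as an administrator.

```powershell
# Added example (not from the Totalview documentation). Exchange 2010/2013 EMS.
# Placeholders: query user CONTOSO\tv3query, group Totalview-Sync-Users.
$QueryUser  = 'CONTOSO\tv3query'
$ScopeName  = 'Totalview-Sync-Scope'
$AssignName = 'Totalview-Impersonation'
$GroupDn    = (Get-DistributionGroup -Identity 'Totalview-Sync-Users').DistinguishedName

# 1. Recipient scope: only mailboxes that are members of the sync group.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$GroupDn'" | Out-Null
}

# 2. Role assignment bound to that scope instead of the whole organization.
if (-not (Get-ManagementRoleAssignment -Identity $AssignName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignName `
        -Role 'ApplicationImpersonation' `
        -User $QueryUser `
        -CustomRecipientWriteScope $ScopeName | Out-Null
}

# 3. Read back every impersonation assignment the query user holds and the
#    scope of each. A RecipientWriteScope of "Organization" means the user can
#    impersonate every mailbox on the server.
Get-ManagementRoleAssignment -RoleAssignee $QueryUser -Role 'ApplicationImpersonation' |
    Select-Object Name, RecipientWriteScope, CustomRecipientWriteScope, Enabled |
    Format-Table -AutoSize

# 4. Read back the Receive-As / EPI extended rights on each mailbox database,
#    including inherited and Deny entries, which the GUI steps do not show.
Get-MailboxDatabase | ForEach-Object {
    Get-ADPermission -Identity $_.DistinguishedName -User $QueryUser
} |
    Where-Object { $_.ExtendedRights -match 'Receive-As|ms-Exch-EPI' } |
    Select-Object Identity, ExtendedRights, Deny, IsInherited |
    Format-Table -AutoSize
```

If an organization-wide assignment from the steps above already exists alongside the scoped one, the broader assignment still applies; remove it with Remove-ManagementRoleAssignment once the scoped assignment has been verified to work with the synchronization service.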

Initialize the Query User

The query user must be initialized before it can be used to query information from the Exchange server. The query user is initialized the first time the query user logs onto the Exchange account.

  1. Start Internet Explorer
  2. Enter the URL for Outlook Web Access, e.g. http://mail.firm.com/exchange.
  3. Log in using the query user and password.
  4. If the Exchange folders are displayed the query user is created successfully.

Exchange Online/Office 365 Query User

Exchange Online is part of the Office 365 suite of products.

Office 365 supports two authentication mechanisms: Basic and OAuth. Basic authentication is deprecated and will be discontinued in October 2020.

Basic Authentication (Deprecated)

The query user is created with rights to query, create, update and delete appointments for users on the Exchange Online server.

The steps involved in creating the query user are:

  • Create the query user in Office 365 Admin module.
  • Assign ApplicationImpersonation Exchange user rights to the query user.
  • Initialize the query user.

Create the Totalview Query User in Office 365 Admin Module

Log on to Office 365 with Administrator user.

  1. Create new user.
  2. Write first name, user name etc. Select Next

  3. Set User Location and leave the other settings as default. Select Next
  4. Assign a license to the query user. The user must as a minimum have Office Web Apps, SharePoint Online and Exchange Online assigned. Select Next
  5. Create the user and note the initial password.
  6. Log into Office 365 with the query user and the initial password. Change the password and select the Outlook link. Select language and start Outlook for the first time to activate the query user's mailbox.

The query user now has rights to connect to the Exchange server and to query its own calendar folder. You can test this by using the MEWS message test tool described in section 5. Testing the query user. For the query user to be able to access other users' calendars, the query user must be granted ApplicationImpersonation rights as described in the next section.

On Exchange Online, no user password can be left unchanged for a period longer than 3 months. This requires that the query user password is changed every 3 months.
The password is changed by logging in to Office 365 with the query user and entering a new password. After changing the password, the new password must be entered in TotalviewAdmin.

Assign ApplicationImpersonation User Rights to the Query User

The query user must be able to access other users' calendar folders to be able to query, create, update and delete appointments not belonging to the query user itself. To be able to do this, the query user must be granted ApplicationImpersonation user rights.

  1. Connect to Exchange Online by using remote Windows PowerShell. To configure impersonation in Exchange Online, you need to be able to run a Windows PowerShell script against your Exchange Online environment. You also need permission to run the New-ManagementRoleAssignment cmdlet; a Global Administrator has this right by default.
  2. Start Windows PowerShell
  3. Execute the following commands to start a remote PowerShell connection to Exchange Online.

    $LiveCred = Get-Credential

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

  4. Log on using a Global Administrator username and password.
    If the logon succeeds, PowerShell is ready to run cmdlets against the Exchange Online server.
  5. Execute the following command to import the cmdlets from Exchange Online:
    Import-PSSession $Session
  6. Add the ApplicationImpersonation right to the Totalview query user:
    New-ManagementRoleAssignment -Name "Impersonation-Totalview" -Role "ApplicationImpersonation" -User user@domain.onmicrosoft.com

    where the user@domain.onmicrosoft.com is the user created in section 4.1.

    The query user has now been granted access rights to other user’s calendars.
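Because ApplicationImpersonation gives read and write access to every mailbox in the tenant, it is worth checking periodically which accounts hold it. The script below is an added example, not part of the Totalview documentation or product: it opens the remote session exactly as the steps above describe, lists every enabled ApplicationImpersonation assignment, warns if any assignment belongs to someone other than the query user, confirms the query user's own assignment, and always closes the session. It assumes the placeholder query user tv3query@contoso.onmicrosoft.com.

```powershell
# Added example (not from the Totalview documentation). Windows PowerShell,
# Exchange Online with Basic authentication as in the steps above.
# Placeholder: query user tv3query@contoso.onmicrosoft.com.
$QueryUser = 'tv3query@contoso.onmicrosoft.com'

$LiveCred = Get-Credential -Message 'Exchange Online Global Administrator'
$Session  = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://ps.outlook.com/powershell/' `
    -Credential $LiveCred -Authentication Basic -AllowRedirection
try {
    Import-PSSession $Session -DisableNameChecking -AllowClobber | Out-Null

    # Assignments held directly by the query user (identified by UPN).
    $expected = @(Get-ManagementRoleAssignment -RoleAssignee $QueryUser `
        -Role 'ApplicationImpersonation' -ErrorAction SilentlyContinue)
    $expectedNames = @($expected | ForEach-Object { $_.Name })

    if ($expected.Count -eq 0) {
        Write-Warning "$QueryUser has no ApplicationImpersonation assignment; synchronization of other users' calendars will fail."
    }

    # Every enabled ApplicationImpersonation assignment in the tenant, with
    # who holds it and how wide the grant is (Organization = all mailboxes).
    $all = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -Enabled $true |
        Select-Object Name, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope
    $all | Format-Table -AutoSize

    # Anything not belonging to the query user is unexpected and should be
    # reviewed; role-group assignments count too, since members inherit them.
    $unexpected = @($all | Where-Object { $_.Name -notin $expectedNames })
    if ($unexpected.Count -gt 0) {
        Write-Warning ('Other ApplicationImpersonation assignments: ' +
            (($unexpected | ForEach-Object { "$($_.RoleAssigneeName) ($($_.RoleAssigneeType))" }) -join ', '))
    }
}
finally {
    # Leaving the session open keeps an authenticated administrator channel alive.
    if ($Session) { Remove-PSSession $Session }
}
```

The check compares assignment names rather than display names, because RoleAssigneeName is not guaranteed to equal the user principal name entered above.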

Testing the Query User

After creating the query user, the query user’s access to Exchange Online can be tested using the Exchange MEWS Tester tool located in the C:\Program Files (x86)\formula.fo\Totalview3\InstallFiles\ExchangeEWS directory.

Enter the query user’s username and password and click the Connect button. If successfully connected the “Connected to Exchange using Managed EWS” message is returned.

The query user’s access to other users’ calendar folder can be tested by entering the username in the User id field and selecting Get Appointments.

If the query user has access to the user’s calendar the appointments belonging to the user are returned. Otherwise an exception is returned.

OAuth Authentication

Follow the instructions on https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#register-your-application to register the application in Azure Active Directory. Only the steps regarding "Application permissions" are relevant, not "Delegated permissions".

After completing the steps you should have the following information:

  • TenantId
  • AppId (ClientId)
  • Client Secret

These should then be used as input to configuring Totalview Admin as described on Exchange Parameters.

Testing the Query User

After creating the query user and granting the query user the extended Exchange user rights, the query user can be tested using the Outlook Web Access and/or the WebDAV/EWS message test tool.

Section 4.3 describes where to locate the various settings that are needed, such as the default SMTP address for the users, the fully qualified domain name (FQDN), the NetBIOS domain, etc.

Testing the Query User Using Outlook Web Access

When testing using Outlook Web Access, we test that the query user is created and that the query user has access rights to other users' calendars.

Log on to Outlook Web Access Using the Query User

Start Internet Explorer and enter the address for Outlook Web Access and log into the account of the query user, e.g. http://localhost/exchange.

You can force Outlook Web Access to log into the query user by using the query user's default SMTP address, e.g. http://localhost/exchange/tv3query.

If the Exchange folders are displayed the query user is created successfully.

Log on to Another User with the Query User's Credentials

Start Internet Explorer and force Outlook Web Access to log into another user by using the default SMTP address.

Log in by using the query user's username and password. If the Exchange folders are displayed, the query user has access to the other user.

The WebDAV Message Test Tool

After creating the query user, the WebDAV message test tool can be used to verify the query user's access to the Exchange server and that the WebDAV messages are handled properly.

The WebDAV message test tool is located in the /InstallFiles folder.

The testing is divided into three parts: testing the validity of the URI, testing the query user, and testing the query user's access to other users' calendar folders.

The test tool must be copied to the local machine before the program is executed.

Testing the URI

Enter the URI for the Exchange server and select “Test URI”.

The URI is made up of the protocol to use, the server name or IP and the exchange folder, e.g. http(s)://servername/exchange/

The protocol is http or https. The servername is the Exchange server name or IP address.

The exchange folder is where the WebDAV requests are sent. In standard installations of Exchange 2003 and Exchange 2007, the exchange folder exists by default.

If the testing fails the error result is listed. Use this information to modify the URI.

Testing the Query User

When the URI tests valid, use "Test Authentification" to test the query user.

Enter the username, password and domain name.

The domain name is the fully qualified domain name (FQDN) or the NetBIOS domain name.

Select if Form Based Authentication is enabled on the Exchange server (see section 5.4 Finding the right settings)

If the testing fails the error result is listed. Use this information to modify the settings and retry.

Testing Access to Users’ Calendar Folder

When "Test Authentification" succeeds, use "Search Calendar" to verify access to the Exchange users' calendar folder.

The user is the default SMTP address for the user.

If the testing fails, the error result is listed. Use this information to modify the settings and retry.

The EWS Message Test Tool

After creating the query user, the EWS message test tool can be used to verify the query user's access to the Exchange server and that the EWS messages are handled properly.

The EWS message test tool is located in the /InstallFiles/ExchangeEWS folder.

The testing is divided into four parts: testing the validity of the URI, testing the query user, testing the impersonation, and testing the query user's access to other users' calendar folders.

The test tool must be copied to the local machine before the program is executed.

Testing the URI

Enter information about URI/URL, Username, Password and Domain and click the Connect button.

The URI is made up of the protocol to use and the server name or IP address, e.g. http(s)://servername/

The protocol is http or https. The servername is the Exchange server name or IP address.

If the testing fails the error result is listed. Use this information to modify the URI.

Testing Access to Users’ Calendar Folder

When the connection is successful, use "Get appointments" to verify access to the users' calendar folder.

The user is the default SMTP address for the user.

If the testing fails, the error result is listed. Use this information to modify the settings and retry.
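The impersonation and calendar-access parts of this test can also be repeated without the test tool. The function below is an added example, not part of the Totalview documentation or product: it sends a hand-written EWS GetFolder request as the query user, impersonating a target mailbox and asking for that mailbox's Calendar folder. A Success response proves both the query user's credentials and its impersonation right; the response code ErrorImpersonateUserDenied means the rights in the previous sections are missing. It assumes placeholder values: the EWS endpoint https://mail.firm.com/EWS/Exchange.asmx, the query user FIRM\tv3query and the target mailbox someone@firm.com.

```powershell
# Added example (not from the Totalview documentation). Windows PowerShell 3+.
# Placeholders: EWS URL, query user FIRM\tv3query, target someone@firm.com.
function Test-EwsImpersonation {
    param(
        [Parameter(Mandatory)][string]$EwsUrl,
        [Parameter(Mandatory)][pscredential]$QueryUserCredential,
        [Parameter(Mandatory)][string]$TargetSmtpAddress
    )
    # GetFolder for the impersonated user's Calendar folder. The
    # ExchangeImpersonation header is what the EWS connector relies on.
    $body = @"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2007_SP1"/>
    <t:ExchangeImpersonation>
      <t:ConnectingSID><t:PrimarySmtpAddress>$TargetSmtpAddress</t:PrimarySmtpAddress></t:ConnectingSID>
    </t:ExchangeImpersonation>
  </soap:Header>
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape><t:BaseShape>Default</t:BaseShape></m:FolderShape>
      <m:FolderIds><t:DistinguishedFolderId Id="calendar"/></m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>
"@
    try {
        $resp = Invoke-WebRequest -Uri $EwsUrl -Method Post -Body $body `
            -ContentType 'text/xml; charset=utf-8' `
            -Credential $QueryUserCredential -UseBasicParsing
    }
    catch {
        # HTTP 401 here means the query user itself did not authenticate
        # (wrong password, uninitialized account or wrong URL); impersonation
        # has not been evaluated yet at that point.
        return [pscustomobject]@{
            Target = $TargetSmtpAddress; Result = 'TransportError'
            Detail = $_.Exception.Message; Folder = $null; ItemCount = $null
        }
    }
    $xml = [xml]$resp.Content
    # PowerShell's XML adapter exposes elements without namespace prefixes.
    $msg = $xml.Envelope.Body.GetFolderResponse.ResponseMessages.GetFolderResponseMessage
    [pscustomobject]@{
        Target    = $TargetSmtpAddress
        Result    = $msg.ResponseClass                   # Success or Error
        Detail    = $msg.ResponseCode                    # NoError, ErrorImpersonateUserDenied, ...
        Folder    = $msg.Folders.CalendarFolder.DisplayName
        ItemCount = $msg.Folders.CalendarFolder.TotalCount
    }
}

$cred = Get-Credential -UserName 'FIRM\tv3query' -Message 'Query user password'
Test-EwsImpersonation -EwsUrl 'https://mail.firm.com/EWS/Exchange.asmx' `
    -QueryUserCredential $cred -TargetSmtpAddress 'someone@firm.com'
```

Running the function for a user who should not be synchronized is a useful negative test: with a scoped assignment it should return ErrorImpersonateUserDenied for that mailbox while still succeeding for the users in scope.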

Finding the Right Settings

This section describes where to find the settings you need to know when testing and setting up the Exchange calendar synchronization.

Servername, Fully Qualified Domain Name (FQDN) and NetBIOS domain

This information can be found on the Exchange server machine. Log on to the Exchange server, start a command prompt (Run cmd) and execute the command set followed by Enter.

This lists the machine's environment variables, among them:

  • Servername. Listed as COMPUTERNAME=
  • Fully qualified domain name (FQDN). Listed as USERDNSDOMAIN=
  • NetBIOS domain. Listed as USERDOMAIN=

FBA Enabled

Forms Based Authentication (FBA) can be used on both Exchange 2003 and Exchange 2007. You can see if FBA is enabled when using Outlook Web Access: if the user is presented with a Microsoft Outlook Web Access logon form when logging on to the system, then FBA is enabled.

The FBA settings can also be located on the Exchange 2003 server and the Exchange 2007 server (see below).

Locate on the Exchange 2003 server

Start Exchange System Manager

Drill down to Protocols\HTTP and select properties on Exchange Virtual Server.

Select Settings; if "Enable Forms Based Authentication" is selected, then FBA is enabled.

Locate on the Exchange 2007 server

Start Exchange Management Console.

Select Mailbox and properties on Exchange (Default Web Site).

Select Authentication; if "Use forms-based authentication" is selected, then FBA is enabled.

SMTP Default Address

Locate on the Exchange 2003 server

  1. Start Active Directory Users and Computers
  2. Verify that View\Advanced Features is selected.
  3. Select properties on the Totalview 2016 Query user.
  4. Select E-mail addresses. The address listed under the SMTP is the default SMTP address to be used when querying a user.

Locate on the Exchange 2007 server

  1. Start Exchange Management Console
  2. Select Mailbox and then properties on the Totalview 2016 query user.
  3. Select E-Mail addresses. The address listed under the SMTP is the default SMTP address to be used when querying a user.

HTTP or HTTPS

Start by trying to access the Outlook Web Access by using an HTTP request. If the result states that a secure channel must be used, then you should use HTTPS requests instead.
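The settings in this section can be collected in one step from a PowerShell prompt on the Exchange server. The function below is an added example, not part of the Totalview documentation or product, and goes a little beyond the manual steps: it reads COMPUTERNAME, USERDNSDOMAIN and USERDOMAIN, then probes Outlook Web Access over https first and http second and reports which scheme answers and whether the server replies with a Basic/NTLM challenge (FBA off) or with a logon form or redirect to one (FBA on). It assumes the OWA path /exchange used elsewhere in this document and that the server's FQDN is COMPUTERNAME followed by USERDNSDOMAIN.

```powershell
# Added example (not from the Totalview documentation). Windows PowerShell on
# the Exchange server. Assumption: OWA path /exchange/, FQDN = host.USERDNSDOMAIN.
function Get-TotalviewExchangeSettings {
    param(
        [string]$ServerName = $env:COMPUTERNAME,
        [string]$OwaPath    = '/exchange/'
    )
    $result = [ordered]@{
        ServerName    = $ServerName
        Fqdn          = ("{0}.{1}" -f $ServerName, $env:USERDNSDOMAIN).ToLower()
        NetBiosDomain = $env:USERDOMAIN
        Scheme        = $null    # https or http, whichever answered
        FbaEnabled    = $null    # heuristic, see below
        Detail        = $null
    }

    foreach ($scheme in 'https', 'http') {     # prefer the encrypted channel
        $uri = "{0}://{1}{2}" -f $scheme, $result.Fqdn, $OwaPath
        $req = [System.Net.HttpWebRequest]::Create($uri)
        $req.Method            = 'GET'
        $req.AllowAutoRedirect = $false        # keep a FBA logon redirect visible as 302
        $req.Timeout           = 5000
        try {
            $resp = $req.GetResponse()
        }
        catch [System.Net.WebException] {
            # No Response means nothing answered on this scheme (refused, timeout,
            # untrusted certificate); try the next one. 4xx/5xx carry a Response.
            if (-not $_.Exception.Response) { $result.Detail = "$scheme`: $($_.Exception.Message)"; continue }
            $resp = $_.Exception.Response
        }
        $status    = [int]$resp.StatusCode
        $challenge = $resp.Headers['WWW-Authenticate']
        $location  = $resp.Headers['Location']
        $resp.Close()

        if ($status -eq 403) {
            # IIS answers 403 (403.4) on http when "Require SSL" is set.
            $result.Detail = "$scheme`: HTTP 403, server requires a secure channel"
            continue
        }
        $result.Scheme = $scheme
        if ($status -eq 401 -and $challenge) {
            # A WWW-Authenticate challenge means Basic/NTLM, not a logon form.
            $result.FbaEnabled = $false
            $result.Detail     = "HTTP 401, challenge: $challenge"
        }
        else {
            # A page (200) or a redirect to a logon page means FBA is in front of OWA.
            $result.FbaEnabled = ($status -eq 200) -or ($status -eq 302 -and $location -match 'logon')
            $result.Detail     = "HTTP $status $location".Trim()
        }
        break
    }
    [pscustomobject]$result
}

Get-TotalviewExchangeSettings | Format-List
```

An https probe that fails because the certificate is not trusted on the machine running the script falls through to http; in that case the Detail field shows the trust error, which is itself a setting to fix before the connector is pointed at the server.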

Configuration of the Exchange Connector Service

The Exchange synchronization can log on the Exchange server using username and password supplied from the Totalview server or by using the service credentials.

The query user has maximum user rights to all users' mailboxes, and for security reasons we recommend that the Totalview3Exchange service runs under the query user and that the service uses the service credentials when logging on to the Exchange server. This eliminates the need for the username and password to be saved in the Totalview database.

If the Exchange synchronization should use service credentials, the username and password must be left blank in the settings for the Totalview3 Exchange connector. See the Totalview 2016 Admin guide.pdf for more information.

  1. Start Services.
  2. Verify that the Totalview3Exchange service is installed. Right-click on the Totalview3Exchange service and select Properties.
  3. Select the Log On tab, select This account and enter the username and password for the query user created earlier. Click OK.
  4. Restart the service: right-click on the Totalview3Exchange service and select Restart.
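The service logon account is worth verifying after installation and after upgrades, since a service that has silently fallen back to LocalSystem will either fail to synchronize or, worse, prompt someone to put the query user's password back into the Totalview database. The function below is an added example, not part of the Totalview documentation or product: it reads the logon account of the Totalview3Exchange service, changes it to the query user if it differs, restarts the service and reports the resulting state. It assumes the placeholder query user CONTOSO\tv3query and must run as a local administrator.

```powershell
# Added example (not from the Totalview documentation). Windows PowerShell 3+,
# run elevated. Placeholder: query user CONTOSO\tv3query.
function Set-TotalviewServiceAccount {
    param(
        [string]$ServiceName = 'Totalview3Exchange',
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' is not installed" }

    $wanted = $Credential.UserName
    if ($svc.StartName -eq $wanted) {
        Write-Host "$ServiceName already runs as $wanted"
    }
    else {
        Write-Host "$ServiceName runs as '$($svc.StartName)'; changing to $wanted"
        # Win32_Service.Change with StartName/StartPassword is the scripted
        # equivalent of the Log On tab. ReturnValue 0 means success.
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = $wanted
            StartPassword = $Credential.GetNetworkCredential().Password
        }
        if ($r.ReturnValue -ne 0) {
            throw "Change failed with Win32_Service return code $($r.ReturnValue)"
        }
        Restart-Service -Name $ServiceName
    }

    # Re-read so the caller sees the effective state, not the intended one.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
        Select-Object Name, StartName, State, StartMode
}

Set-TotalviewServiceAccount -Credential (Get-Credential -UserName 'CONTOSO\tv3query' -Message 'Query user password')
```

Unlike the Services console, the Win32_Service Change method does not grant the account the "Log on as a service" right; if the restart fails with a logon failure, grant that right through Local Security Policy (or Group Policy) and restart again.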

Using TLS 1.2

To get the synchronization between the Exchange server and the Totalview server to run TLS 1.2, some registry entries need to be changed on the server running the connector (e.g. the Totalview server).

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
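The same change can be made and verified from PowerShell. The function below is an added example, not part of the Totalview documentation or product, and goes beyond the .reg fragment above: besides the v2.0.50727 key it also covers the .NET 4.x key (v4.0.30319) and the 32-bit registry view (WOW6432Node), which a 32-bit .NET process on a 64-bit server reads. It only touches keys that exist, supports -WhatIf, and prints the resulting values per key. It assumes the connector is a .NET application that honours these two values, as the fragment above implies.

```powershell
# Added example (not from the Totalview documentation). Windows PowerShell,
# run elevated on the server hosting the connector.
function Set-StrongTlsDefaults {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    # SystemDefaultTlsVersions: let the OS choose the protocol (TLS 1.2 on
    # current Windows). SchUseStrongCrypto: drop the legacy SSL3/TLS1.0 defaults.
    $values = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }   # that .NET version / view is absent
        foreach ($name in $values.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($current -eq $values[$name]) { continue }
            if ($PSCmdlet.ShouldProcess("$key\$name", "set DWORD to $($values[$name])")) {
                Set-ItemProperty -Path $key -Name $name -Value $values[$name] -Type DWord
            }
        }
    }

    # Read back one row per key so the result can be checked at a glance.
    foreach ($key in $keys) {
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            [pscustomobject]@{
                Key                      = $key
                SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
                SchUseStrongCrypto       = $p.SchUseStrongCrypto
            }
        }
    }
}

Set-StrongTlsDefaults | Format-Table -AutoSize
```

The values are read when a .NET process starts, so the Totalview3Exchange service must be restarted after the change before it negotiates TLS 1.2.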
Last edited on February 25th, 2020