Cimmaron
#1 Posted : Monday, November 28, 2011 3:44:27 PM(UTC)
Rank: Administration
Posts: 335

There are three methods available for setting up Cimmaron user authentication in Exchange.
  1. Specify each user’s Active Directory credentials in the Cimmaron User Manager.

    1. Pros

      1. Access to EWS (Exchange Web Services) can be restricted on a per-user level (see the Set-OrganizationConfig and Set-CASMailbox cmdlets).

    2. Cons

      1. Exposes users' directory credentials, since passwords have to be stored with reversible encryption in order to facilitate logins. While the same policies and procedures are implemented that are used for guarding SSNs or credit card numbers, those values at some point have to be read and decrypted in order to be sent to Exchange.
      2. Storing a password in any outside system violates the non-repudiation principle of security and as such has legal consequences.

  2. Create an integration account with a strong password and give it mailbox access rights.
     
    1. Pros

      1. A low-security account can be used with no rights outside of EWS access.
      2. In case of security breach, only one account has to be disabled or invalidated.
      3. No elevation of privilege is possible.
      4. Password sync required only for one user.

    2. Cons

      1. If credentials are compromised all mailboxes are potentially accessible to the extent that rights are granted to the integration account.

    Tip:  We use this PowerShell script to give rights to the Exchange integration account in our testing environment:

     # Grant the integration account full access to one test mailbox
     Add-MailboxPermission -Identity "testuser@contoso.com" -User 'CONTOSO\Exchange.Integration' -AccessRights 'FullAccess'


  3. Create an integration account, set up a PKI certificate for that user and map it to the integration account. Give the Exchange integration service the certificate and mark it as non-exportable.

    1. Pros

      1. No password is disclosed.
      2. Login is limited to the set of machine(s) that have the certificate installed.

    2. Cons

      1. Cost of a public certificate if private infrastructure is not available.
      2. Certificate renewal, expiration and revocation.
      3. Cost.

Note: Option 2 is the best compromise between security and convenience. Option 1 should not be used unless there is a compelling reason to do so (e.g. kiosk workers). All setup documentation is based on option 2 as the default option.
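The following is an added example, not code from the post above or from the Cimmaron product. It sets up option 2 (a dedicated integration account) in the Exchange Management Shell of an on-premises Exchange organization, adding the restrictions a practitioner would want on top of the single Add-MailboxPermission line in the tip: a password nobody types, every protocol except EWS switched off for the account, FullAccess granted only to mailboxes explicitly tagged for the integration, a check of what the account can actually reach, and a one-account revocation path. The domain CONTOSO / contoso.com, the account name Exchange.Integration, the OU 'contoso.com/Service Accounts', the CustomAttribute1 tag 'CimmaronSync' and the EWS user-agent pattern 'Cimmaron*' are all placeholders and must be replaced with your own values.

```powershell
# Added example (not from the original post or the Cimmaron product).
# Run in the Exchange Management Shell of an on-premises Exchange org.
# Placeholders: contoso.com / CONTOSO, Exchange.Integration, the OU,
# the CustomAttribute1 tag and the EWS user-agent pattern.

$Name = 'Exchange.Integration'
$Upn  = "$Name@contoso.com"

# 1. Create the account with a long random password that is never typed.
#    32 random bytes -> base64 gives a 44-character password.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$Password = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
New-Mailbox -Name $Name -UserPrincipalName $Upn -Password $Password `
    -OrganizationalUnit 'contoso.com/Service Accounts' -ResetPasswordOnNextLogon $false

# 2. Reduce the account to EWS only: no OWA, ECP, Outlook/MAPI, ActiveSync, POP or IMAP.
#    If the integration's stored credentials leak, they are useless outside EWS.
Set-CASMailbox -Identity $Upn -OWAEnabled $false -ECPEnabled $false -MAPIEnabled $false `
    -ActiveSyncEnabled $false -PopEnabled $false -ImapEnabled $false -EwsEnabled $true

# 2b. Optionally pin EWS to the integration's own client. The user-agent pattern
#     is an assumption; it must match what the Cimmaron service actually sends.
Set-CASMailbox -Identity $Upn -EwsApplicationAccessPolicy EnforceAllowList -EwsAllowList @('Cimmaron*')

# 3. Grant FullAccess only to mailboxes tagged for the integration, never to the
#    whole org. -AutoMapping:$false stops Outlook from attaching those mailboxes
#    to the integration account's profile. Returns the number of mailboxes granted.
function Grant-IntegrationAccess {
    param([string]$User, [string]$Tag = 'CimmaronSync')
    $targets = @(Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$Tag'")
    foreach ($mbx in $targets) {
        Add-MailboxPermission -Identity $mbx.Identity -User $User `
            -AccessRights FullAccess -InheritanceType All -AutoMapping:$false | Out-Null
    }
    return $targets.Count
}

# 4. Verify: list every mailbox the integration account holds an explicit
#    FullAccess ACE on. Anything outside the tagged set is a configuration error.
function Get-IntegrationAccess {
    param([string]$User)
    Get-Mailbox -ResultSize Unlimited |
        Get-MailboxPermission -User $User |
        Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' } |
        Select-Object Identity, AccessRights
}

# 5. Breach response, the advantage the post lists for this option: cut EWS for
#    this one account and disable its logon. No user password resets needed.
function Revoke-IntegrationAccess {
    param([string]$User)
    Set-CASMailbox -Identity $User -EwsEnabled $false
    Set-Mailbox    -Identity $User -AccountDisabled $true
}

# Usage: tag one mailbox, grant, then review what the account can reach.
Set-Mailbox -Identity 'alice@contoso.com' -CustomAttribute1 'CimmaronSync'
Grant-IntegrationAccess -User "CONTOSO\$Name"
Get-IntegrationAccess   -User "CONTOSO\$Name"
```

Tagging target mailboxes with a custom attribute and filtering on it keeps the grant set auditable and repeatable: re-running Grant-IntegrationAccess after tagging a new mailbox adds only that one, and Get-IntegrationAccess is the check to run periodically to catch a FullAccess grant that was added by hand and forgotten.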