Chat now with support
Chat with Support

Identity Manager 8.0.2 - Administration Guide for Connecting to Microsoft Exchange

Managing Microsoft Exchange Environments Setting up Microsoft Exchange Synchronization Base Data for Managing Microsoft Exchange Microsoft Exchange Structure Mailboxes E-Mail Users and E-Mail Contacts Mail-enabled Distribution Groups Dynamic Distribution Group Mail-Enabled Public Folder Extensions for Supporting Exchange hybrid Troubleshooting Appendix: Configuration Parameters for Managing a Microsoft Exchange Environment Appendix: Default Project Template for Microsoft Exchange

Users and Permissions for Synchronizing with Microsoft Exchange

The following users are involved in synchronizing One Identity Manager with Microsoft Exchange.

Table 2: Users for Synchronization
User Permissions
User for accessing Microsoft Exchange You must provide a user account with the following permissions for full synchronization of Microsoft Exchange objects with the supplied One Identity Manager default configuration.
  • Member in role group "View only organization management"
  • Member in role group "Public folder management"
  • Member in role group "Recipient management"
User for creating linked mailboxes The user account is required for adding linked mailboxes. The user account requires read access in Active Directory.

One Identity Manager Service user account

The user account for the One Identity Manager Service requires access rights to carry out operations at file level (issuing user rights, adding directories and files to be edited).

The user account must belong to the group "Domain Users".

The user account must have the extended access right "Log on as a service".

The user account requires access rights to the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access rights for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update the One Identity Manager.

In the default installation the One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
  • %ProgramFiles%\One Identity (on 64-bit operating systems)
User for accessing the One Identity Manager database

The default system user "Synchronization" is available to run synchronization over an application server.

Setting Up the Synchronization Server

To setup synchronization with a Microsoft Exchange environment a server has to be available that has the following software installed on it:

  • Windows operating system

    Following versions are supported:

    • Windows Server 2008 (non-Itanium based 64-bit) Service Pack 2 or later
    • Windows Server 2008 R2 (non-Itanium based 64-bit) Service Pack 1 or later
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
  • Microsoft .NET Framework Version 4.5.2 or later

    NOTE: Microsoft .NET Framework version 4.6.0 is not supported.

    NOTE: Take the target system manufacturer's recommendations into account.
  • Windows Installer
  • Windows Management Framework 4.0

  • One Identity Manager Service, Microsoft Exchange connector
    • Install One Identity Manager components with the installation wizard.
      1. Select the option Select installation modules with existing database.
      2. Select the machine role Server | Job server | Microsoft Exchange.

IMPORTANT: The One Identity Manager Microsoft Exchange connector uses Windows PowerShell to communicate with the Microsoft Exchange server. For communication, extra configuration is required on the synchronization server and the Microsoft Exchange server. For more information, see Configuring Participating Servers for Remote Access through Windows PowerShell.

All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database, are processed by the synchronization server. The synchronization server must be declared as a Job server in One Identity Manager.

NOTE: If several target system environments of the same type are synchronized under the same synchronization server, it is useful to set up a job server for each target system on performance grounds. This avoids unnecessary swapping of connection to target systems because a job server only has to process tasks of the same type (re-use of existing connections).

Use the Server Installer to install the One Identity Manager Service. This program executes the following steps.

  • Setting up a Job server.
  • Specifying machine roles and server function for the Job server.
  • Remote installation of One Identity Manager Service components corresponding to the machine roles.
  • Configures the One Identity Manager Service.
  • Starts the One Identity Manager Service.

NOTE: The program executes remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Remote installation is only supported within a domain or a trusted domain.

To install and configure the One Identity Manager Service remotely on a server

  1. Start the program Server Installer on your administrative workstation.
  2. Enter valid data for connecting to One Identity Manager on the Database connection page and click Next.
  3. Specify on which server you want to install the One Identity Manager Service on the Server properties page.
    1. Select a job server in the Server menu.

      - OR -

      Click Add to add a new job server.

    2. Enter the following data for the Job server.
      Table 3: Job Servers Properties
      Property Description
      Server Name of the Job servers.
      Queue

      Name of queue to handle the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the job queue using exactly this queue name. The queue identifier is entered in the One Identity Manager Service configuration file.

      Full server name

      Full name of the server in DNS syntax.

      Example:

      <name of server>.<fully qualified domain name>

      NOTE: Use the Advanced option to edit other Job server properties. You can use the Designer to change properties at a later date.
  4. Specify which job server roles to include in One Identity Manager on the Machine role page. Installation packages to be installed on the Job server are found depending on the selected machine role.

    Select at least the following roles:

    • Microsoft Exchange
  5. Specify the server's functions in One Identity Manager on the Server functions page. One Identity Manager processes are handled depending on the server function.

    The server's functions depend on which machine roles you have selected. You can limit the server's functionality further here.

    Select the following server functions:

    • Microsoft Exchange connector
  6. Check the One Identity Manager Service configuration on the Service settings page.

    NOTE: The initial service configuration is already predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For more detailed information about configuring the service, see One Identity Manager Configuration Guide.
  7. To configure remote installations, click Next.
  8. Confirm the security prompt with Yes.
  9. Select the directory with the install files on the Select installation source page.
  10. Select the file with the private key on the page Select private key file.

    NOTE: This page is only displayed when the database is encrypted.
  11. Enter the service's installation data on the Service access page.
    Table 4: Installation Data
    Data Description
    Computer Server on which to install and start the service from.

    To select a server

    • Enter the server name.

      - OR -

    • Select a entry from the list.
    Service account One Identity Manager Service user account data.

    To enter a user account for the One Identity Manager Service

    • Set the option Local system account.

      This starts the One Identity Manager Service under the account "NT AUTHORITY\SYSTEM".

      - OR -

    • Enter user account, password and password confirmation.
    Installation account Data for the administrative user account to install the service.

    To enter an administrative user account for installation

    • Enable Advanced.
    • Enable the option Current user.

      This uses the user account of the current user.

      - OR -

    • Enter user account, password and password confirmation.
  12. Click Next to start installing the service.

    Installation of the service occurs automatically and may take some time.

  13. Click Finish on the last page of the Server Installer.

    NOTE: The is entered with the name "One Identity Manager Service" in the server's service administration.
Related Topics

Configuring Participating Servers for Remote Access through Windows PowerShell

NOTE: Run the configuration steps on the Microsoft Exchange server and the synchronization server.

To configure a server for remote access using Windows PowerShell

  1. Run Windows PowerShell with administrator credentials from the context menu Run as Administrator.
  2. Enter this command at the prompt:

    winrm quickconfig

    This command prepares for remote access usage.

  3. Enter this command at the prompt:

    Set-ExecutionPolicy RemoteSigned

    This command allows you to execute all Windows PowerShell commands (Cmdlets). The script must be signed by a trusted publishers.

  4. Enter this command at the prompt:

    Set-Item wsman:\localhost\client\trustedhosts * -Force

    This command customizes the list of trusted hosts to activate authentication.

    The value "*" allows all connections. One Identity Manager uses the server's fully qualified domain name for the connection. You can limit the value.

To test remote access through Windows PowerShell from the synchronization server to the Microsoft Exchange server (sync.)

  1. Run Windows PowerShell on the Microsoft Exchange synchronization server.
  2. Enter this command at the prompt:

    $creds = New-Object System.Management.Automation.PSCredential ("<domain>\<user>", (ConvertTo-SecureString "<password>" -AsPlainText -Force))

    - OR -

    $creds = Get-Credential

    This command finds the access data required for making the connection.

  3. Enter this command at the prompt:

    $session = New-PSSession -Configurationname Microsoft.Exchange -ConnectionUri http://<ServerName as FQDN>/powershell -Credential $creds -Authentication Kerberos

    This commands creates a remote session.

    NOTE: One Identity Manager creates a connection using the Microsoft Exchange server’s fully qualified domain name. The server name must therefore be in the list configured with trusted hosts.

  4. Enter this command at the prompt:

    Import-PsSession $session

    This command imports the remote session so that the connection can be accessed.

  5. Test the functionality with any Microsoft Exchange command. For example, enter the following command at the prompt:

    Get-Mailbox

Testing Active Directory Domain Trusts

In order to synchronize with a Microsoft Exchange system, Active Directory domain trusts must be declared in One Identity Manager. Users can access resources in other domains depending on the domain trusts.

  • Explicit trusts are loaded into Active Directory by synchronizing with One Identity Manager. Domains which are trusted by the currently synchronized domains are found.
  • To declare implicit two-way trusts between domains within an Active Directory forest in One Identity Manager, ensure that the parent domain is entered in all child domains.

To enter the parent domain

  1. Select the category Active Directory | Domains.
  2. Select the domain in the result list.
  3. Select Change master data in the task view.
  4. Enter the parent domain.
  5. Save the changes.

    Implicit trusts are created automatically.

To test trusted domains

  1. Select the category Active Directory | Domains.
  2. Select the domain in the result list.
  3. Select Specify trust relationships in the task view.

    This shows domains which trust the selected domain.

For more detailed information, see the One Identity Manager Administration Guide for Connecting to Active Directory.

Related Documents