Concepts and Planning << >>

User Authentication

Before users or processes can access Microsoft Exchange Server, they must log on to Windows NT Server by supplying a unique user name and password. The system must validate or authenticate this logon information. When a user logs on, Windows NT Server identifies a security context. The security context determines the user's access to system services.

Note   You can configure Microsoft Exchange Server to support anonymous access for some Internet protocols, such as the Network News Transfer Protocol (NNTP), Internet Message Access Protocol, Version 4rev1 (IMAP4rev1), and Lightweight Directory Access Protocol (LDAP), so that nonvalidated users can access information stored in Microsoft Exchange Server. Users connecting to Microsoft Exchange Server anonymously don't need a Windows NT user account to access information. For example, if you want certain public folders to be accessible to IMAP4 users outside of your organization, you can enable anonymous connections.

A user needs to log on only once to gain access to Microsoft Exchange Server. This is in contrast to other security models that require separate passwords for different resources, such as printers, file servers, or e-mail.

Each Microsoft Exchange Server computer in a site is also a member of a Windows NT domain. To enable users to access the entire network, you can establish trust relationships between domains. Domains with trust relationships share account information and validate rights and permissions. In a trust relationship, one domain (the trusting domain) trusts the other (the trusted domain). Users from the trusted domain can be given rights and permissions to objects in the trusting domain as if they were members of the trusting domain.

When a user logs on to a domain where a trust relationship is set up, the account is verified by pass-through authentication. Pass-through authentication makes it possible for users to log on to domains in which they have no account. In other words, a user can have an account on only one domain yet still access the entire network including all its trusted domains.

User Accounts

All Microsoft Exchange Server mailboxes are associated with one or more Windows NT user accounts. For a user to log on to a Microsoft Exchange Server computer, the domain where the server is located must have a trust relationship with the domain that has the user account. For example, a user can view the contents of a public folder on a Microsoft Exchange Server computer in another domain if that domain contains the user account or has a trust relationship with another domain that contains the account.

Windows NT user accounts are stored and maintained on the primary domain controller of a domain. You can create two types of user accounts: global and local. Most accounts are global user accounts.


You can organize user accounts into groups, which makes granting permissions easier. You only have to perform one action to give permissions to a whole group of users. For example, if a group of administrative assistants needs to access the same mailbox, you can define a group called Admin Assistants and create a mailbox called Assistants. You can then give the Admin Assistants group permission to use the Assistants mailbox so that every time users in the group logged on to Windows NT Server, they could access their mailbox.

Windows NT provides built-in global and local groups, and the ability to customize them. Adding a user to a predefined group provides the user with all the access rights of that group. Changing the access rights of the group automatically changes the rights of all group members. You should use built-in groups whenever possible. For more information about Windows NT groups, see your Windows NT Server documentation.

Service Accounts

Microsoft Exchange Server includes a variety of services, such as the information store and the message transfer agent (MTA). Before you install Microsoft Exchange Server on the first server in a site, you need to create a Windows NT user account that Microsoft Exchange Server will use to start and run these services. This is called a service account. Microsoft Exchange Server computers use the service account to validate other servers in the site and give them access to Microsoft Exchange Server services. For example, for an MTA on one Microsoft Exchange Server computer to interact with another MTA, Windows NT Server must verify the security context of the requesting MTA.

A Microsoft Exchange Server computer doesn't need to be in the same domain as the service account, provided that the domain has a trust relationship with the domain containing the service account. However, all Microsoft Exchange Server computers in the same site must use the same service account to communicate with each other.