Logon Security

Microsoft Exchange Server security starts with logon security. To use Microsoft Exchange server a user must first logon to a MAPI profile that has Exchange server in its collection of services. Programmatically logon is achieved via MAPILogonEx function, as in the following example:

HRESULT hr;
LPMAPISESSION pSession = NULL;

// Initialize MAPI
hr = MAPIInitialize(NULL);
if (FAILED(hr)) throw -1;

// Obtain MAPI session
hr = MAPILogonEx(0,    // Handle to parent window
      "MS Exchange Settings", // Profile name
      NULL,   // Password
      MAPI_NEW_SESSION |
      MAPI_EXTENDED |
      MAPI_LOGON_UI, // Logon flags
      &pSession); // Resulting MAPI session
if (FAILED(hr)) throw -1;

// Use MAPI services...

As you can see, I provided the profile name as one of the parameters to MAPILogonEx function. The result of this call is a MAPI session. Through it you can get access to other things such as information store where messages are stored.

There are two things about Exchange logon security. First, a user must possess a logon right to a Microsoft Exchange Server. Second, a user must have enough permissions on the Mailbox object his/her profile is associated with. A logon right is one of the rights specific to Microsoft Exchange directory objects, which are protected with Windows NT security descriptors. You can use Exchange Administrator to modify users' rights. Also, you can do it programmatically as I am showing in "Modifying Access to Directory Objects" section.

To allow logon to Microsoft Exchange site make sure that a user or one of the groups he/she is a member of is listed on the site object permissions dialog (as displayed by Exchange Administrator) with Logon Rights. This access is associated with the View Only Admin. role. To allow usage of the mailbox add his/her account as "User" on Mailbox Permissions dialog.

I am describing Exchange access rights and roles in "Directory Objects Access Control" section.

[ Contents | Home ]