Contents
Overview 1
IIS Integration with Exchange 2000 2
Examining Client Connectivity and Security 7
to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, BackOffice, JScript, NetMeeting, Outlook, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Program Manager: Steve Thues
Product Manager: Megan Camp
Instructional Designers: Bill Higgins (Volt Technical), Jennifer Morrison, Priya Santhanam (NIIT (USA) Inc), Samantha Smith, Alan Smithee
Instructional Software Design Engineers: Scott Serna
Subject Matter Experts: Krista Anders, Megan Camp, Chris Gould (Global Logic Ltd), Janice Howd, Elizabeth Molony, Steve Schwartz (Implement.Com), Bill Wade (Wadeware LLC)
Technical Contributors: Karim Batthish, Paul Bowden, Kevin Kaufman, Barry Steinglass, Jeff Wilkes
Graphic Artist: Kimberly Jackson (Independent Contractor)
Editing Manager: Lynette Skinner
Editor: Kelly Baker
Production Manager: Miracle Davis
Build Manager: Julie Challenger
Production Support: Marlene Lambert (Online Training Solutions, Inc)
Test Manager: Eric Myers
Courseware Testing: Robertson Lee (Volt)
Creative Director, Media/Sim Services: David Mahlmann
Web Development Lead: Lisa Pease
CD Build Specialist: Julie Challenger
Localization Manager: Rick Terek
Operations Coordinator: John Williams
Manufacturing Support: Laura King; Kathy Hershey
Lead Product Manager, Release Management: Bo Galford
Lead Product Manager, Messaging: Dave Phillips
Group Manager, Courseware Infrastructure: David Bramble
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart
Instructor Notes
This module provides students with the knowledge and skills to configure virtual servers in Exchange 2000 to connect Internet clients. The students will learn the different security options available for clients when connecting to a single computer running Exchange 2000 or front-end/back-end servers. The students will also learn how to create and implement newsgroups and to troubleshoot client connectivity by using Telnet.
After completing this module, students will be able to:
- Describe the functionality that is provided by the integration of Internet Information Services (IIS) with Exchange 2000.
- Describe the message transfer process and the security options for Internet clients using Internet Message Access Protocol version 4 (IMAP4) and Post Office Protocol version 3 (POP3). In addition, describe how the Lightweight Directory Access Protocol (LDAP) is used in the message transfer process.
- Describe the Kerberos authentication process.
- Explain the authentication process and the different firewall configuration options when using front-end/back-end servers.
- Configure a Network News Transfer Protocol (NNTP) virtual server, create and store newsgroups, and create newsfeeds.
- Troubleshoot client connectivity by using Telnet.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.
Required Materials
To teach this module, you need the following materials:
- Microsoft PowerPoint file 1572a_10.ppt
Preparation Tasks
To prepare for this module, you should:
- Read all of the materials for this module.
- Complete the lab.
- Practice the presentation with the PPT slides, noting any animation slides.
- Read the white paper, “Exchange 2000 Front-end and Back-end Topology,” in the Additional Readings folder on the Student Materials compact disc.
Presentation: 60 Minutes
Lab: 30 Minutes
Module Strategy
Use the following strategy to present this module:
- IIS and Exchange 2000 Integration: This topic provides an overview of the functionality and protocols provided by the integration of Exchange 2000 with IIS. First, introduce the different protocols that are supported by IIS, and then the protocols that are supported when you install Exchange 2000. Stress that the protocols added by Exchange 2000 enable Internet client connectivity and accessibility to Exchange 2000 data. Next, describe the function of virtual servers and the different options that you can configure when creating a virtual server. Also, discuss the different reasons why you would configure more than one virtual server for a protocol. Also, stress that the students use Exchange System Manager to configure virtual servers.
- Examining Client Connectivity and Security: This topic focuses on IMAP4 and POP3 client connectivity and security and on LDAP client queries. First, discuss the capabilities of each client, and then review the message transfer process for each protocol. By understanding the process, the students can distinguish between the two protocols' functionality and troubleshoot connectivity issues. Next, explain the authentication methods and SSL encryption used to secure POP3 and IMAP4 client connections. Define LDAP and its uses, and then provide an overview of the LDAP query process when accessing Active Directory.
- Examining Kerberos Authentication: This topic focuses on the Kerberos authentication process. The previous discussion on LDAP leads into the discussion of Kerberos authentication, because LDAP uses Kerberos. First, explain which components use Kerberos authentication. Next, step through the Kerberos authentication process. This discussion also applies to the next topic, authentication when using front-end/back-end servers.
- Configuring Front-end/Back-end Servers: This topic provides an overview of the features and function of front-end/back-end servers. First, introduce the front-end/back-end servers and describe the benefits that they provide, including scalability and load balancing. Next, describe the authentication process when using front-end servers. Next, define the term perimeter network, and then explain the ports that must be opened when the front-end server sits within the perimeter network. Also, outline the Transmission Control Protocol (TCP) ports that must be open to facilitate message transfer, encryption, and authentication. Next, discuss the other firewall options and the ports that must be open when using front-end/back-end servers. Lastly, discuss the alternatives to opening ports and why you would use these alternative methods.
- Configuring NNTP Services: This topic focuses on the implementation and configuration of NNTP services. First, you will discuss the configuration of an NNTP virtual server and creating and storing newsgroups. The key point is that you can store newsgroups on a local or remote file system or in a public folder. Also, stress that you should store public folder newsgroups on a different public folder tree than the default tree for security purposes. Next, explain the function of a newsfeed and discuss the process of creating newsfeeds when using subordinate and master servers.
- Troubleshooting Internet Client Connectivity by Using Telnet: Discuss the use of Telnet, and then open a Telnet session while you explain the different commands that Telnet supports.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
Important: The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1572A, Implementing and Managing Microsoft Exchange 2000.
- Complete the labs for Module 2, “Installing Microsoft Exchange 2000,” in course 1572A, Implementing and Managing Microsoft Exchange 2000.
- Install Exchange 2000 at D:\Program Files\Exchsrvr on each server into an organization named Northwind Traders. Components installed are Microsoft Exchange Messaging and Collaboration Services, Microsoft Exchange System Management Tools, and Microsoft Exchange Instant Messaging Service. Have the students create a custom MMC in C:\Documents and Settings\All Users\Desktop that is saved as your_firstname Console. The MMC contains the Active Directory Users and Computers snap-in and the Exchange System snap-in.
- Complete the labs for Module 3, “Administering Microsoft Exchange 2000,” in course 1572A, Implementing and Managing Microsoft Exchange 2000.
- Create an organizational unit in Active Directory that is named your_servernameOU for each server in the classroom. Create a user account in each server’s OU for each student. The account is a member of the Domain Admins group and has a mailbox on the student’s Exchange server. Create an Outlook profile for each student on their own server that opens their mailbox. Delegate the full administrator role on the Northwind Traders organization.
Lab Results
Performing the lab in this module introduces the following configuration changes:
- A new IMAP4 virtual server is created on each student machine. The virtual server is named your_servername IMAP4 Virtual Server and uses TCP port 149 and SSL port 999.
- A certificate is created for the IMAP4 virtual server.
- Outlook Express is configured to connect to the new IMAP4 virtual server.
Overview
- IIS Integration with Exchange 2000
- Examining Client Connectivity and Security
- Kerberos Authentication
- Front-end/Back-end Server Configuration and Security
- Configuring NNTP Services
- Troubleshooting Client Connectivity Using Telnet
As more users connect to the Internet to send and receive e-mail messages, Internet client connectivity becomes an increasingly large administration issue. With the integration of Internet Information Services (IIS) with Microsoft Exchange 2000, you can provide an efficient and secure environment for users running Internet clients to access Exchange 2000 data locally and remotely. After completing this module, you will be able to:
- Describe the functionality that is provided by the integration of IIS with Exchange 2000.
- Describe the message transfer process and the security options for Internet clients using Internet Message Access Protocol version 4 (IMAP4) and Post Office Protocol version 3 (POP3). In addition, describe how the Lightweight Directory Access Protocol (LDAP) is used in the message transfer process.
- Describe the Kerberos authentication process.
- Explain the authentication process and the different firewall configuration options when using front-end/back-end servers.
- Configure a Network News Transfer Protocol (NNTP) virtual server, create and store newsgroups, and create newsfeeds.
- Troubleshoot client connectivity by using Telnet.
In this module, you will learn how to implement Internet protocols and connect Internet clients by using Exchange 2000 and IIS.
# IIS Integration with Exchange 2000
- Default Protocols Supported by IIS
- Protocols Supported by IIS with Exchange 2000
- Virtual Server Functionality in Exchange 2000
The integration of IIS with Exchange 2000 provides the Internet protocols that enable Internet clients to gain access to mailbox data in Exchange 2000. This integration also gives Exchange 2000 the ability to configure virtual servers to provide added functionality and scalability.
Default Protocols Supported by IIS
[Slide: IIS on Windows 2000 supports NNTP, HTTP, and SMTP]
IIS automatically installs when you install Microsoft Windows 2000. IIS supports the following protocols, which enable clients to communicate with the Internet, Exchange 2000, and local or Internet newsgroups.
HTTP
Hypertext Transfer Protocol (HTTP) is the underlying protocol used by the World Wide Web. Exchange 2000 supports HTTP to provide Outlook Web Access clients access to Exchange 2000 data, such as public folders, mailbox information, and directory searches.
For more information on HTTP, see Requests for Comments (RFCs) 1945 and 2068.
SMTP
Simple Mail Transfer Protocol (SMTP) sends messages between hosts and is the default protocol used by Exchange 2000 to transfer messages within an organization and to the Internet.
For more information on SMTP, see RFCs 821 and 822.
Protocols Supported by IIS with Exchange 2000
[Slide: with Exchange 2000 installed, IIS supports NNTP, HTTP, SMTP, POP3, and IMAP4]
In addition to the three default protocols supported by IIS, two additional protocols are supported when using Exchange 2000. Internet messaging clients that use these protocols can communicate with a server running Exchange 2000.
POP3
Internet messaging clients, such as Outlook Express, use Post Office Protocol version 3 (POP3) to retrieve messages from a server. With POP3, messages are stored on the server until a client requests them. POP3 is a retrieve-only protocol; POP3 clients use SMTP to send messages.
For more information on POP3, see RFCs 1939 and 1743.
IMAP4
In contrast to POP3’s simplicity, Internet Message Access Protocol version 4 (IMAP4) is a more advanced protocol that enables users to access multiple folders, search through a mailbox, and store flags on a message to indicate that the message was read. As with POP3, IMAP4 is a retrieve-only protocol and uses SMTP to send messages.
IMAP4 is described in several RFCs, specifically 2060.
Topic Objective: To describe the additional protocols (IMAP4 and POP3) supported by IIS when Exchange is installed.
Lead-in: When you install Exchange 2000, IIS supports two additional protocols.
Delivery Tip: Ask students to differentiate between POP3 and SMTP.
Virtual Server Functionality in Exchange 2000
[Slide: an Exchange 2000 server hosting an IMAP4 virtual server and a POP3 virtual server, with an IMAP4 client and a POP3 client connecting to each]
A virtual server enables you to host different protocols on the same physical server. During installation, Exchange 2000 creates a default virtual server for each protocol (SMTP, NNTP, HTTP, LDAP, IMAP4, and POP3). Each virtual server has a unique network name and IP address.
After installation, you can configure virtual server parameters such as authentication methods, message formats, and data transfer limits. From a client perspective, there is no difference between connecting to a physical server and connecting to a virtual server.
Virtual Server Configuration Management
You manage the virtual servers by using Exchange System Manager. It is important to manage the virtual servers by using Exchange System Manager because the System Attendant automatically saves virtual server configuration information to Active Directory. Active Directory then applies the configuration information to the IIS metabase, which is a database that contains IIS configuration information.
If you modify the configuration settings of virtual servers by using the Internet Services Manager, your changes are saved directly to the metabase. However, when Active Directory updates the configuration information, the changes you made by using Internet Services Manager are overwritten.
Multiple Virtual Servers for a Single Protocol
If you require different configurations for the same protocol on a single server running Exchange 2000, you can configure multiple virtual servers for a specific protocol. Consider creating multiple virtual servers for a protocol:
- To supply different encryption methods for local and remote clients. For example, remote users sending messages over the Internet may want all messages encrypted for additional security, while users on the internal intranet do not require encryption.
- To segregate traffic for the same protocol over different ports. For example, you have a custom application that uses POP3 to access data in Exchange 2000. This application can use a unique Transmission Control Protocol (TCP) port associated with POP3 through an Exchange 2000 POP3 virtual server. This port can then be granted special access or priority over your intranet network.
To create multiple virtual servers for a specific protocol, you will need to uniquely identify each virtual server. To do this, you must specify a unique Internet Protocol (IP) port and address combination for each.
Topic Objective: To describe the function of virtual servers, and the scenarios for creating multiple virtual servers.
Lead-in: During installation, Exchange 2000 creates default virtual servers for every supported protocol.
It is important that students understand that a virtual server acts the same as a physical server.
Ask students to identify situations where multiple virtual servers might be appropriate.
# Examining Client Connectivity and Security
- IMAP4 and POP3 Client Capabilities
- POP3 Message Transfer
- IMAP4 Message Transfer
- POP3 and IMAP4 Authentication and Encryption
- LDAP Functionality
Exchange 2000 integrated with IIS provides client connectivity and security for users accessing their mailboxes by using a POP3 or IMAP4 client. While POP3 provides a simple message transfer process, IMAP4 provides more functionality to the user; as a result, its transfer process is more advanced. It is important to understand the message transfer process so that you can troubleshoot client connectivity issues.
LDAP provides server and client connectivity to Active Directory, which enables user authentication and directory lookups. Most Internet mail clients, such as Outlook Express, include an LDAP client.
IMAP4 and POP3 Client Capabilities
[Slide: an Exchange 2000 server hosting NNTP, POP3, and IMAP4 virtual servers]
The POP3 and IMAP4 protocols enable Internet messaging clients, such as Outlook Express, to communicate with servers running Exchange 2000. POP3 and IMAP4 are both retrieve-only protocols, but they differ in their capabilities.
POP3 Capabilities
POP3 is a simple protocol with a limited command set. With POP3, you can list, download, and delete messages. All other processing of messages, for example, organizing your messages into folders, is done on the client by the client application.
IMAP4 Capabilities
IMAP4 is a more complex protocol with a more advanced command set. IMAP4 enables you to store and manage your messages on the server, as opposed to downloading and managing them on the client.
IMAP4 enables you to list, preview, download, flag, and organize your messages on the server. You can also download an entire message, or a selected portion of a message, such as an attachment. IMAP4 supports commands to create, delete, and rename folders on the server. You can also move messages from folder to folder and preview the contents of messages prior to downloading.
Because the IMAP4 protocol enables you to manage your messages without removing them from the server, it is superior to POP3 in situations where the same e-mail account may be accessed from different computers, or in situations where more than one user shares the management of an e-mail account.
Topic Objective: To describe the functionality of POP3 and IMAP4 clients.
Lead-in: IMAP4 and POP3 clients can connect to virtual servers and front-end/back-end servers running Exchange 2000.
POP3 Message Transfer
[Slide: POP3 session: the client connects to the server listening on port 110, the server sends a greeting, the client sends commands and receives responses, the client sends QUIT, and the server signs off]
Internet messaging clients, such as Outlook Express, use the POP3 protocol to retrieve messages from a server running Exchange 2000. POP3 communicates with a server by using TCP port 110 and sends simple text commands.
POP3 Client Session
The following steps outline a typical POP3 session:
1. The POP3 client opens a connection to the POP3 server over TCP port 110.
2. The POP3 server sends a greeting. The session enters the authorization state. In this state, the client must identify itself to the POP3 server.
3. The client authenticates with the server by sending the USER and PASS commands. The server reserves resources to service the connection, and then the session enters the transaction state. In this state, the client requests actions on the part of the server, and the server sends the requested information to the client. For example, the client retrieves a message by using the RETR message number command and deletes a message by using the DELE message number command.
4. When the client has completed the transaction, it issues the QUIT command. The session enters the update state. In this state, the server releases any resources acquired during the transaction state.
5. The server sends a closing statement. The TCP connection closes.
Topic Objective: To describe a POP3 message transfer session.
Lead-in: POP3 uses TCP port 110 and simple text commands to transfer messages.
POP3 Client Commands
POP3 commands are simple text commands. These commands include:

| Command | Response from the server |
| --- | --- |
| USER username | Responds with +OK |
| PASS password | Responds with a notice of a successful log on. If the password is incorrect, the server rejects the session and the user needs to resend the USER username command |
| DELE message number | Deletes the specified message |
| STAT | Responds with the number and size of messages |
| LIST | Responds with a list of the message numbers and sizes |
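The session states and the command table above, as an added example that is not from the course: a toy in-process POP3 server in Python that walks the authorization, transaction, and update states, together with a scripted client run. The account, password, and mailbox contents are constructed, and the code handles only the commands listed in the table.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample account and mailbox (not real credentials).
USERS = {"alice": "s3cret"}
MAILBOX = {"alice": ["Subject: one\r\n\r\nfirst", "Subject: two\r\n\r\nsecond message"]}


@dataclass
class Pop3Server:
    """In-process POP3 server walking the AUTHORIZATION -> TRANSACTION -> UPDATE
    states. handle() takes one client command line and returns the reply;
    the transcript records both sides of the exchange."""
    users: dict
    store: dict
    state: str = "AUTHORIZATION"
    user: str = ""
    pending_user: str = ""
    deleted: set = field(default_factory=set)
    transcript: list = field(default_factory=list)

    def greeting(self) -> str:
        return self._reply("+OK POP3 server ready")

    def handle(self, line: str) -> str:
        self.transcript.append("C: " + line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            return self._quit()
        if self.state == "AUTHORIZATION":
            return self._authorization(verb, arg)
        if self.state == "TRANSACTION":
            return self._transaction(verb, arg)
        return self._reply("-ERR connection closed")

    def _authorization(self, verb: str, arg: str) -> str:
        if verb == "USER":
            self.pending_user = arg
            return self._reply("+OK")
        if verb == "PASS":
            # USER/PASS carry the password in clear text, which is why the course
            # pairs basic authentication with SSL. Compare in constant time; on
            # failure the client must start again with USER.
            expected = self.users.get(self.pending_user, "")
            if not (self.pending_user and hmac.compare_digest(expected.encode(), arg.encode())):
                self.pending_user = ""
                return self._reply("-ERR invalid user or password")
            self.user, self.state = self.pending_user, "TRANSACTION"
            return self._reply(f"+OK {self.user} logged in")
        return self._reply("-ERR not authenticated")

    def _transaction(self, verb: str, arg: str) -> str:
        msgs = self.store[self.user]
        live = [i for i in range(1, len(msgs) + 1) if i not in self.deleted]
        if verb == "STAT":
            return self._reply(f"+OK {len(live)} {sum(len(msgs[i - 1]) for i in live)}")
        if verb == "LIST":
            body = [f"{i} {len(msgs[i - 1])}" for i in live]
            return self._reply("\r\n".join([f"+OK {len(live)} messages"] + body + ["."]))
        if verb in ("RETR", "DELE"):
            n = int(arg) if arg.isdigit() else 0
            if n not in live:
                return self._reply("-ERR no such message")
            if verb == "RETR":
                return self._reply(f"+OK {len(msgs[n - 1])} octets\r\n{msgs[n - 1]}\r\n.")
            self.deleted.add(n)  # only marked here; removed in the UPDATE state
            return self._reply(f"+OK message {n} deleted")
        return self._reply("-ERR unknown command")

    def _quit(self) -> str:
        if self.state == "TRANSACTION":
            # UPDATE state: deletions become permanent and resources are released.
            self.store[self.user] = [m for i, m in enumerate(self.store[self.user], 1)
                                     if i not in self.deleted]
        self.state = "CLOSED"
        return self._reply("+OK POP3 server signing off")

    def _reply(self, text: str) -> str:
        self.transcript.append("S: " + text)
        return text


def run_session(commands: list, users: dict = USERS, store: dict = None):
    """Drive a scripted client session; returns (server, list of replies)."""
    store = {u: list(m) for u, m in MAILBOX.items()} if store is None else store
    srv = Pop3Server(users, store)
    srv.greeting()
    return srv, [srv.handle(c) for c in commands]


if __name__ == "__main__":
    srv, _ = run_session(["USER alice", "PASS s3cret", "STAT", "LIST",
                          "RETR 1", "DELE 1", "QUIT"])
    print("\n".join(srv.transcript))
```

Running the script prints the full client/server transcript, which is the same exchange you would see by hand in a Telnet session to port 110.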
POP3 Client Identification
If you have more than one domain, users running POP3 clients may need to type in their domain name, Windows 2000 user account alias, and Exchange 2000 alias to gain access to their mailbox and log on to Exchange 2000, in the following format:
domainname/Windows2000AccountAlias/ExchangeAlias
If they do not specify this information, the server will look for a matching user account name in the first Windows 2000 domain that it finds, which may or may not be the user’s domain.
IMAP4 Message Transfer
[Slide: IMAP4 session: the client connects to the server listening on port 143, the server sends a greeting, the client sends commands and receives responses, the client sends LOGOUT, and the server signs off]
IMAP4 is a more advanced protocol than POP3. IMAP4 supports functions that are not included in POP3, such as the manipulation of multiple server-based folders and folder hierarchies and the capability for an offline client to synchronize with the server. IMAP4 provides superior online and offline operation, but has not yet been as widely adopted as POP3.
IMAP4 Client Session
The following steps outline an IMAP4 session:
1. The IMAP4 client opens a connection to the IMAP4 server over TCP port 143.
4. The host authenticates the client.
5. The client sends the SELECT command.
6. IMAP4 enters the SELECT state on completion of a successful SELECT command. While in the SELECT state, a client can request message data and content.
7. The IMAP4 client issues the LOGOUT command.
8. The server closes the TCP/IP connection.
Topic Objective: To explain the IMAP4 message transfer process.
Lead-in: IMAP4 transfers messages on TCP port 143 and uses more complex commands than POP3.
IMAP4 Client Commands
IMAP4 commands are more complex than POP3 commands and include flags, or switches. These commands include:

| Command | Purpose |
| --- | --- |
| LOGIN name password | Identifies the client to the server and transmits the password to the server |
| SELECT folder | Selects a folder so that the messages in the folder can be accessed |
| FETCH message number | Retrieves the entire message |
| CLOSE | Returns the client to a state where you can select again and removes messages that have the deleted flag set |
| EXPUNGE | Removes the messages that have the deleted flag set |
| STORE message | Alters the data associated with a message |
| LIST | Provides a list of folders stored in the mailbox |
| SUB folder name | Returns a list of all folders stored within the specified folder |
| LOGOUT | Indicates that the client is closing the connection to the server |
POP3 and IMAP4 Authentication and Encryption
[Slide: POP3 or IMAP4 server TCP/IP ports: POP3 110, POP3-SSL 993, IMAP4 143, IMAP4-SSL 995; basic or Windows Integrated authentication, with or without SSL]
Protocol security comprises two distinct components, authentication and encryption. Authentication is the process of identifying the user who is making the request. Encryption is a method of providing a secure encrypted channel for transmitting data.
User Authentication Methods
POP3 and IMAP4 support the following types of user authentication. The authentication method that you use will depend on the client.
- Basic authentication uses clear text to perform a simple challenge and response authentication. Basic authentication requires users to enter their user name, domain, and password to gain access to mailbox data. It is recommended that you implement basic authentication in conjunction with Secure Sockets Layer (SSL) to encrypt the user name and password.
- Integrated Windows Authentication sends the user name and password as an encrypted value for highest security. Integrated Windows Authentication uses the Windows NT LAN Manager (NTLM) protocol for non-Windows 2000 networking clients and Kerberos security for Windows 2000 clients. Integrated Windows Authentication supports SSL for encryption.
SSL Encryption
SSL uses public/private key encryption technology to ensure privacy through an encrypted channel. Both basic and Integrated Windows Authentication can use SSL. SSL is not a type of authentication; instead, it provides a secure connection between client and server over which all session traffic, including authentication, occurs. SSL provides the encrypted channel in which the authentication process takes place.
Topic Objective: To explain how POP3 and IMAP4 clients authenticate and the encryption method that is used.
Lead-in: POP3 and IMAP4 clients support basic and NTLM authentication and SSL encryption.
It is important that students understand that SSL is not a type of authentication.
POP3 and IMAP4 TCP Ports
IMAP4 and POP3 have designated TCP port numbers. When using SSL to create an encrypted channel, message transfer takes place on different ports than when not using SSL. The following table describes the port numbers:

| Protocol | Authentication | TCP port |
| --- | --- | --- |
| POP3 | Basic and Integrated Windows Authentication | 110 |
| POP3 | Basic and Integrated Windows Authentication using SSL | 993 |
| IMAP4 | Basic and Integrated Windows Authentication | 143 |
| IMAP4 | Basic and Integrated Windows Authentication using SSL | 995 |
LDAP Functionality
[Slide: Exchange 2000 components (DSAccess, Recipient Update Service, System Attendant) use LDAP on port 389 to reach a Windows 2000 global catalog server and a Windows 2000 domain controller]
Exchange 2000 uses Lightweight Directory Access Protocol (LDAP) version 3 to query and modify Active Directory. LDAP is a message-based protocol and provides access to directory services for Exchange 2000 and some Exchange 2000 clients.
LDAP is based on the X.500 directory standard and is supported by TCP/IP. For more information on LDAP, see RFCs 1777, 1823, and 2151.
Components That Use LDAP
The following components use LDAP to communicate:
- The Exchange 2000 component DSAccess accesses Active Directory by using LDAP for quick and reliable access.
- The Recipient Update Service also uses LDAP to build address lists.
- Exchange System Manager uses LDAP to view Active Directory objects.
Topic Objective: To explain the function of LDAP.
Lead-in: LDAP is used to query and modify directory information in Active Directory.
LDAP Session
An LDAP session starts with the global catalog server using Kerberos to authenticate the server issuing the LDAP query. Next, the server builds a directory services request in the form of a query message, which is then sent to the global catalog server. The global catalog server receives the message, attempts to resolve the query, and returns a result or a series of results. The server builds the LDAP query using the directory structure to identify where the information is located. This process makes LDAP a very efficient query protocol.
The default LDAP port is 389. Exchange 2000 uses this port to access Active Directory domain controllers. LDAP queries to the global catalog use TCP port 3268.
# Kerberos Authentication
[Slide: a Windows 2000 DC running the Key Distribution Center (Authentication Service and Ticket-Granting Service), a Kerberos client, and an Application Server. Steps: (1) request a ticket for the TGS; (2) return Ticket-Granting Ticket to client; (3) send Ticket-Granting Ticket and request for ticket to Application Server; (4) return ticket for the Application Server; (5) send session ticket to Application Server; (6, optional) send confirmation of identity to client]
Kerberos is an authentication mechanism that uses secret key technology. It enables a client to prove its identity to a server, and the server to a client, through the use of an electronic ticket.
Exchange 2000 uses Kerberos version 5.
Kerberos Authentication Uses
Exchange 2000 uses Kerberos in the following ways:
- To authenticate between Exchange 2000 SMTP servers in the same Exchange 2000 organization.
- By a global catalog server to authenticate an Exchange 2000 server during an LDAP query.
- By Outlook Web Access users running Internet Explorer version 5 when accessing mailbox data (without a front-end server).
- By the Routing Group Master when authenticating a server running Exchange 2000 that relays link state information.
Kerberos Authentication Session
When a server running Windows 2000 and Kerberos needs to authenticate a client, the Authentication Service issues a Kerberos ticket that contains a session key for both the client and the server. The basic Kerberos communication sequence consists of a series of messages:
1. Kerberos Authentication Service Request: When the client logs on to a domain, the client contacts the Key Distribution Center's Authentication Service for a short-lived ticket, which is a message containing the client's identity and Security Identifier (SID). This is called a ticket-granting ticket.
2. Kerberos Authentication Service Response: The Authentication Service sends an LDAP query to Active Directory to find the user object, from which it gets the user's SID and group membership. Once the Authentication Service has the user information, it constructs the ticket-granting ticket and creates a session key for the client for encrypting communications with the Ticket-Granting Service. The ticket-granting ticket has a limited lifetime. Even though the client has received the ticket-granting ticket, the client has not yet been granted access to any resources, not even to the local computer.
   The Authentication Service could simply issue a ticket for the target server, but if the Authentication Service issued tickets directly, the user would have to enter a password for every new server/service connection. Issuing a ticket-granting ticket with a short lifespan (typically 10 hours) gives users a valid ticket for the Ticket-Granting Service, which issues target-server tickets, and the user only has to enter a password at logon.
3. Kerberos Ticket Granting Server Request: To gain access to local and network resources, the client sends a request to the Ticket-Granting Service for a ticket for the local computer or some network server or service. This ticket is often referred to as the service ticket. To get the ticket, the client presents the ticket-granting ticket, an authenticator, and the name of the target server to the Ticket-Granting Service.
4. Kerberos Ticket Granting Server Response: The Ticket-Granting Service examines the ticket-granting ticket and the authenticator. If these are acceptable, the Ticket-Granting Service creates a service ticket. The client's identity is taken from the ticket-granting ticket and copied to the service ticket. The service ticket is then sent to the client. The Ticket-Granting Service cannot determine whether the user will be able to get access to the target server; it simply returns a valid ticket. Authentication does not imply authorization.
5. Kerberos Application Server Request: Once the client has the service ticket, it sends the service ticket and a new authenticator to the target server, requesting access. The server decrypts the service ticket, validates the authenticator, and creates an access token for the user based on the SIDs in the ticket.
6. Kerberos Application Server Response (Optional): The client has the option to request that the target server verify its identity. This is called mutual authentication. If this is requested, the target server takes the client computer's timestamp from the authenticator, encrypts it with the session key the Ticket-Granting Service provided for client-target server messages, and sends it to the client.
Topic Objective: To describe the Kerberos authentication process.
Lead-in: Kerberos uses secret key technology that provides electronic tickets to servers and clients so that they can prove their identity to each other.
Use the slide to explain the steps.
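The six-message sequence above, as an added stand-alone simulation that is not part of the course and not Windows' implementation: a toy Key Distribution Center, client, and application server in Python. The realm, SIDs, and keys are constructed, and seal()/unseal() is an illustrative cipher standing in for Kerberos' real symmetric encryption; the model shows why a wrong password simply fails to open the AS reply (no password ever crosses the wire), why a stale or replayed authenticator is refused, and why a valid ticket still does not imply authorization.

```python
"""Toy model of the six Kerberos messages described above, standard library only.
Names, SIDs and keys are constructed; seal()/unseal() is an illustrative cipher that
stands in for Kerberos' symmetric encryption and must not be used for anything real."""
import hashlib
import hmac
import json
import os

SKEW = 300  # seconds of clock difference tolerated when checking an authenticator

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, obj: dict) -> bytes:  # encrypt-then-MAC a JSON object
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = _xor(key, nonce, data)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:  # a wrong key looks the same as tampering
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def check_authenticator(key: bytes, auth: bytes, expected: str, now: float) -> dict:
    # Steps 3 and 5: the authenticator must open under the session key and be fresh.
    a = unseal(key, auth)
    if a["client"] != expected or abs(now - a["time"]) > SKEW:
        raise PermissionError("authenticator does not match the ticket or is stale")
    return a

class KDC:
    """Authentication Service (messages 1-2) and Ticket-Granting Service (3-4)."""
    def __init__(self, keys: dict, directory: dict):
        self.keys, self.directory = keys, directory  # long-term keys; Active Directory stand-in

    def as_exchange(self, client: str, now: float) -> bytes:
        who = self.directory[client]  # the AS's directory lookup for SID and group membership
        tgs_key = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "sid": who["sid"], "groups":
                   who["groups"], "key": tgs_key, "expires": now + 36000})  # 10-hour TGT
        # Only a holder of the client's key (derived from the password) can open the reply.
        return seal(self.keys[client], {"key": tgs_key, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str, now: float) -> bytes:
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise PermissionError("ticket-granting ticket expired")
        check_authenticator(bytes.fromhex(t["key"]), auth, t["client"], now)
        svc_key = os.urandom(16).hex()
        # Identity is copied from the TGT into the service ticket; no authorization check here.
        ticket = seal(self.keys[service], {"client": t["client"], "sid": t["sid"], "groups":
                      t["groups"], "key": svc_key, "expires": now + 36000})
        return seal(bytes.fromhex(t["key"]), {"key": svc_key, "ticket": ticket.hex()})

class AppServer:
    def __init__(self, key: bytes, acl: set):
        self.key, self.acl = key, acl  # acl: SIDs permitted to use this server

    def ap_exchange(self, ticket: bytes, auth: bytes, now: float, mutual: bool):
        t = unseal(self.key, ticket)  # message 5: only the server's own key opens the ticket
        if now > t["expires"]:
            raise PermissionError("service ticket expired")
        a = check_authenticator(bytes.fromhex(t["key"]), auth, t["client"], now)
        token = [t["sid"]] + t["groups"]  # access token built from the SIDs in the ticket
        if not self.acl & set(token):  # authentication does not imply authorization
            raise PermissionError("authenticated but not authorized")
        proof = seal(bytes.fromhex(t["key"]), {"time": a["time"]}) if mutual else b""
        return token, proof  # message 6 is the optional mutual-authentication proof

class Client:
    def __init__(self, name: str, password: str, kdc: KDC):
        self.name, self.kdc = name, kdc
        self.key = hashlib.sha256(password.encode()).digest()  # toy password-to-key step

    def logon(self, now: float) -> None:
        rep = unseal(self.key, self.kdc.as_exchange(self.name, now))  # messages 1-2
        self.tgs_key, self.tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])

    def service_ticket(self, service: str, now: float):
        auth = seal(self.tgs_key, {"client": self.name, "time": now})
        rep = unseal(self.tgs_key, self.kdc.tgs_exchange(self.tgt, auth, service, now))  # 3-4
        return bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])

    def access(self, server: AppServer, service: str, now: float, mutual: bool = True) -> list:
        svc_key, ticket = self.service_ticket(service, now)
        auth = seal(svc_key, {"client": self.name, "time": now})
        token, proof = server.ap_exchange(ticket, auth, now, mutual)  # messages 5-6
        if mutual and unseal(svc_key, proof)["time"] != now:
            raise PermissionError("server could not prove it holds the session key")
        return token

def build_realm():
    """Constructed realm: one user, one Exchange server, one KDC (not a real deployment)."""
    keys = {"krbtgt": os.urandom(16), "exchange/mail1": os.urandom(16),
            "alice": hashlib.sha256(b"alice-pw").digest()}
    directory = {"alice": {"sid": "S-1-5-21-1-1001", "groups": ["S-1-5-21-1-513"]}}
    return KDC(keys, directory), AppServer(keys["exchange/mail1"], {"S-1-5-21-1-513"})
```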
# Front-end/Back-end Server Configuration and Security
- Introduction to Front-End/Back-End Servers
- Scalability and Load Balancing
- Authentication Process
- Front-end Server Sits In the Perimeter Network
- Front-end Server Sits Outside the Firewall
- Front-end Server Inside the Firewall
- Alternatives to Opening Ports
You can scale Exchange 2000 to accommodate more users by implementing front-end and back-end servers. With a front-end/back-end server configuration, you must also determine which authentication method and firewall configuration to use to provide a secure environment for Exchange 2000 data and Internet clients.
You have a number of different options for securing Exchange 2000 data by using firewalls with front-end servers running Exchange 2000. The option that you select is based on your security requirements and the protocols that your clients use.
You can locate your front-end server in the following locations:
- Within a perimeter network
- Outside of the firewall
- Inside the firewall
Depending on your security requirements, you may not be able to open the appropriate TCP ports to enable communications between servers and the Internet. You may need to configure DNS.
For more information on Exchange 2000 front-end and back-end server configuration, see the white paper entitled Exchange 2000 Front-end and Back-end Topology, included on your student compact disc.