How to Create the Account Used for Cross-Forest Authentication


Before you set up a connector in a connecting forest, you must create an account in the destination forest (the forest to which you are connecting) that has Send As permissions. Configure these permissions on all servers in the destination forest that will accept inbound connections from the connecting forest.

Before You Begin

Before you perform the procedure in this topic, read Deployment Scenarios for Internet Connectivity.

The following permissions are required to perform this procedure:

  • Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the organizational level

Procedure

To create the account used for cross-forest authentication

  1. In the destination forest (in this case, the Fabrikam forest), create a user account in Active Directory Users and Computers. This account must be an enabled account, but it does not require the Log on locally or Log on through Terminal Server user rights.

  2. On each Exchange server that will accept incoming connections from the connecting forest, configure Send As permissions for this account:

    Note

    Be careful when setting the password policy for this account. If you set the password to expire, ensure that you have a procedure in place that changes the password before its expiration date. If the password for this account expires, cross-forest authentication fails.

  3. Start Exchange System Manager: Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.

  4. In the console tree, expand Servers, right-click an Exchange server that accepts incoming connections from the connecting forest, and then click Properties.

  5. In <Server Name> Properties, on the Security tab, click Add.

  6. In Select Users, Computers, or Groups, add the account that you just created, and then click OK.

  7. On the Security tab, under Group or user names, select the account.

  8. Under Permissions for connector, next to Send As, select the Allow check box.

    Allowing the Send As permission for a connector
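Because an expired password or a missing Send As grant silently breaks inbound cross-forest authentication, it is worth auditing both after the procedure above and on a schedule. The following PowerShell script is an added example, not part of the original article; it assumes the ActiveDirectory module on a host joined to the destination forest, and the account name is a placeholder for the account created in step 1.

```powershell
# Added example (not from the original article). Audits the cross-forest
# authentication account in the destination forest: password expiry (the Note
# in step 2) and the Send As grant on each Exchange server object (step 8).
# Assumes the ActiveDirectory module; $AccountSam is a placeholder.
Import-Module ActiveDirectory

$AccountSam = 'xforest-auth'   # placeholder: sAMAccountName of the account from step 1
$WarnDays   = 14               # warn this many days before the password expires
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As extended right

# --- 1. Password expiry: if this password lapses, cross-forest authentication fails.
$user = Get-ADUser -Identity $AccountSam -Properties Enabled, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
if (-not $user.Enabled) { Write-Warning "$AccountSam is disabled; inbound connections will fail to authenticate." }
if ($user.PasswordNeverExpires) {
    Write-Output "$AccountSam : password never expires; make sure a rotation procedure still exists."
} else {
    $expires  = [datetime]::FromFileTime($user.'msDS-UserPasswordExpiryTimeComputed')
    $daysLeft = [int]($expires - (Get-Date)).TotalDays
    if ($daysLeft -le $WarnDays) {
        Write-Warning "$AccountSam : password expires $expires ($daysLeft day(s) left). Change it before then."
    } else {
        Write-Output "$AccountSam : password expires $expires ($daysLeft days left)."
    }
}

# --- 2. Send As on every Exchange server object (objectClass msExchExchangeServer) in the
# configuration partition. Only servers that accept inbound connections from the
# connecting forest need it, so compare the MISSING lines against that list.
$sid      = $user.SID.Value
$configNC = (Get-ADRootDSE).configurationNamingContext
$servers  = Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=msExchExchangeServer)'
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]
foreach ($srv in $servers) {
    $acl = Get-Acl -Path ("AD:\" + $srv.DistinguishedName)
    # Resolve identities to SIDs so the comparison does not depend on name resolution.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $grant = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $sid -and
        ( $_.ActiveDirectoryRights.HasFlag($Rights::GenericAll) -or
          ( $_.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
            ($_.ObjectType -eq $SendAsGuid -or $_.ObjectType -eq [guid]::Empty) ) )
    }
    $state = if ($grant) { 'OK     ' } else { 'MISSING' }
    Write-Output ("{0} Send As for {1} on {2}" -f $state, $AccountSam, $srv.Name)
}
```

A grant through group membership or inheritance from a parent container is not detected by this direct-ACE check, so treat MISSING as a prompt to inspect the Security tab rather than as proof the permission is absent.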