Active Directory integrated authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


You can use Active Directory integrated authentication to incorporate the POP3 service into your existing Active Directory domain. If mailboxes are created that correspond to existing Active Directory user accounts, users can use their existing Active Directory domain user name and password to send and receive e-mail. For more information about Active Directory, see Active Directory.

Use Active Directory integrated authentication if:

  • The server on which you want to install POP3 service is a member of an Active Directory domain or is an Active Directory domain controller.

You can use Active Directory integrated authentication to support multiple POP3 e-mail domains, and you can use the same user name across different POP3 e-mail domains. For example, you can have a user named someone@example.com and a user named someone@northwindtraders.com.

If you use Active Directory integrated authentication and have multiple POP3 e-mail domains, when you create a mailbox, be sure to consider whether the new mailbox has the same name as an existing mailbox in another POP3 e-mail domain. Each mailbox is associated with an Active Directory user account that has both a user logon name and pre-Windows 2000 user logon name. The user logon name is the name of the Active Directory user account and the POP3 mailbox.

Usually, the pre-Windows 2000 user logon name is the same as the user logon name. If, however, you try to create a mailbox and user account when there is an existing user account with the same pre-Windows 2000 user logon name, a naming conflict will occur. Active Directory does not support multiple accounts with the same pre-Windows 2000 user logon name.

If a naming conflict occurs, the mailbox name and e-mail address are not affected, but the account's pre-Windows 2000 logon name is modified to prevent any naming conflict with the existing account.

If you use Secure Password Authentication and a naming conflict has occurred, the pre-Windows 2000 logon name must be used for e-mail client authentication. To determine the modified logon name, go to the Active Directory Users and Computers snap-in located in the Administrative Tools menu. Go to the Users folder, right-click the user account, and then click Properties. Click the Account tab. The modified account name will appear in User logon name (pre-Windows 2000).

You must note the pre-Windows 2000 logon name and provide it to the user. For more information about configuring e-mail clients to use Secure Password Authentication, see Configure Outlook Express for Secure Password Authentication.
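The two checks described above, finding out which mailbox accounts had their pre-Windows 2000 logon name modified and checking a proposed mailbox name for a conflict before it is created, can be scripted instead of done one account at a time in the snap-in. The following PowerShell is an added example and is not part of the Microsoft documentation or the POP3 service; it queries Active Directory through ADSI (System.DirectoryServices), so it needs no extra module, and assumes it is run by a domain user on a domain-joined computer so the default naming context resolves. The function names and the sample domain names are the example's own.

```powershell
# Added example, not part of the Microsoft documentation page: audit the Active Directory accounts
# behind POP3 mailboxes for pre-Windows 2000 logon names (sAMAccountName) that differ from the
# mailbox name, and test a proposed mailbox name for a naming conflict before creating it.
# Assumption: run as a domain user on a domain-joined machine (default naming context is used).

function ConvertTo-LdapFilterValue {
    # Escape LDAP filter metacharacters so a mailbox name taken from input cannot alter the query.
    param([Parameter(Mandatory)][string] $Value)
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00')
}

function Get-AdUserBySamAccountName {
    # Look up a user account by its pre-Windows 2000 logon name; returns $null when none exists.
    param([Parameter(Mandatory)][string] $SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userPrincipalName', 'distinguishedName'))
    return $searcher.FindOne()
}

function Test-MailboxNameConflict {
    # Returns $true when creating mailbox <UserName>@<MailDomain> would collide with an existing
    # pre-Windows 2000 logon name, which is the case in which the POP3 service modifies the new
    # account's pre-Windows 2000 logon name.
    param(
        [Parameter(Mandatory)][string] $UserName,
        [Parameter(Mandatory)][string] $MailDomain
    )
    $existing = Get-AdUserBySamAccountName -SamAccountName $UserName
    if ($null -eq $existing) { return $false }
    $upn = [string]$existing.Properties['userprincipalname'][0]
    Write-Warning ("'{0}@{1}' would conflict: pre-Windows 2000 logon name '{2}' already belongs to {3}" -f $UserName, $MailDomain, $UserName, $upn)
    return $true
}

function Get-ModifiedPreWin2000LogonNames {
    # Lists mailbox accounts in the given POP3 e-mail domains whose pre-Windows 2000 logon name
    # differs from the user part of the user logon name (UPN). These are the users who must be
    # given the pre-Windows 2000 name for e-mail client authentication when SPA is required.
    param([Parameter(Mandatory)][string[]] $MailDomains)   # example: 'example.com','northwindtraders.com'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.PageSize = 1000                               # page results so large domains are read fully
    $clauses = ($MailDomains | ForEach-Object { "(userPrincipalName=*@$(ConvertTo-LdapFilterValue $_))" }) -join ''
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(|$clauses))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userPrincipalName'))
    foreach ($r in $searcher.FindAll()) {
        $upn = [string]$r.Properties['userprincipalname'][0]
        $sam = [string]$r.Properties['samaccountname'][0]
        $userPart = $upn.Split('@')[0]
        if ($sam -ne $userPart) {
            [pscustomobject]@{ Mailbox = $upn; PreWindows2000LogonName = $sam }
        }
    }
}

# Usage (domain names are constructed for the example):
# Test-MailboxNameConflict -UserName 'someone' -MailDomain 'northwindtraders.com'
# Get-ModifiedPreWin2000LogonNames -MailDomains 'example.com','northwindtraders.com' | Format-Table
```

The second function is the one to run after creating mailboxes across several POP3 e-mail domains: every row it returns is a user who cannot log on with the mailbox name under SPA and must be told the pre-Windows 2000 logon name instead. The escaping helper matters because the mailbox name is interpolated into an LDAP filter; without it a name containing `*`, `(` or `)` would change what the query matches.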

E-mail client authentication

Active Directory integrated authentication supports both plaintext and Secure Password Authentication (SPA) e-mail client authentication. Because plaintext transmits the user's credentials in an unsecured, unencrypted format, the use of plaintext authentication is not recommended. SPA requires e-mail clients to transmit both the user name and the password through a secure authentication exchange; it is therefore recommended over plaintext authentication. For more information, see Configure the mail server to require Secure Password Authentication.
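Before requiring SPA on the mail server, an administrator usually wants to know which clients still log on with plaintext. The following PowerShell is an added example, not part of the Microsoft documentation: it reads a POP3 session transcript and classifies each session as plaintext (the POP3 USER and PASS commands, which carry the password in the clear) or as an AUTH exchange, which is how an SPA-capable client negotiates secure authentication. The transcript, the server greeting text and the AUTH mechanism name shown in it are constructed for the example; the page itself does not describe the wire exchange.

```powershell
# Added example, not part of the Microsoft documentation page: classify POP3 client logons in a
# session transcript as plaintext (USER/PASS) or AUTH-based (as used by SPA clients), so an
# administrator can see which clients still send the password in the clear.
# The transcript is constructed for the example and is not real server output.

$SampleTranscript = @'
S: +OK POP3 server ready
C: USER someone@example.com
S: +OK
C: PASS <password visible in the clear>
S: +OK User successfully logged on
C: QUIT
S: +OK POP3 server ready
C: AUTH NTLM
S: +
C: <base64 negotiate token omitted>
S: + <base64 challenge omitted>
C: <base64 response omitted>
S: +OK User successfully logged on
C: QUIT
'@

function Get-Pop3LogonMethods {
    # Splits the transcript into sessions at each server greeting and records, per session,
    # the user name (if sent in the clear), the logon method, and whether a PASS command
    # put the password on the wire.
    param([Parameter(Mandatory)][string] $Transcript)
    $sessions = @()
    $current = $null
    foreach ($line in $Transcript -split "`r?`n") {
        if ($line -match '^S: \+OK .*ready') {            # a greeting starts a new session
            if ($current) { $sessions += $current }
            $current = [ordered]@{ Session = $sessions.Count + 1; User = $null; Method = 'none'; PasswordOnWire = $false }
            continue
        }
        if (-not $current) { continue }
        if ($line -match '^C: USER (\S+)') {
            $current.User = $Matches[1]
            $current.Method = 'plaintext'
        }
        elseif ($line -match '^C: PASS ') {
            $current.PasswordOnWire = $true
        }
        elseif ($line -match '^C: AUTH (\S+)') {
            $current.Method = "AUTH $($Matches[1])"
        }
    }
    if ($current) { $sessions += $current }
    return $sessions | ForEach-Object { [pscustomobject]$_ }
}

# Usage: the first session is reported as plaintext with the password on the wire,
# the second as an AUTH exchange with no PASS command.
Get-Pop3LogonMethods -Transcript $SampleTranscript | Format-Table -AutoSize
```

Run against a real transcript or a protocol log, every session with PasswordOnWire set to True identifies a client that should be reconfigured for SPA before the server is set to require it; otherwise that client will stop being able to log on.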

Upgrading from local Windows accounts to Active Directory integrated authentication

If you are upgrading your mail server to a domain controller, and you were using local Windows accounts authentication, you must complete the steps described in the following table before you can configure the POP3 service for Active Directory integrated authentication.

Step 1: Delete all existing e-mail domains in the POP3 service.
Reference: For more information on deleting e-mail domains, see Delete a domain.

Step 2: Change the authentication method to Active Directory integrated.
Reference: For more information on changing the authentication method, see Set the authentication method.

Step 3: Recreate the domains and associated mailboxes.

Notes

  • Installing Active Directory on a member server without following the recommended procedure can prevent the POP3 service from working correctly.

  • If you are using Active Directory integrated authentication, you must log on to the Active Directory domain, not the local computer, to administer the POP3 service.