Understanding Edge Subscription Credentials
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
This topic explains how the Edge Subscription process provisions the credentials that are used to help secure the EdgeSync synchronization process in Microsoft Exchange Server 2007 and how the Microsoft Exchange EdgeSync service uses those credentials to establish a secure Lightweight Directory Access Protocol (LDAP) connection between a Hub Transport server and an Edge Transport server.
An Edge Transport server can be subscribed to an Active Directory directory service site. When you subscribe the Edge Transport server to the Active Directory site, you associate the Edge Transport server with the Exchange organization. This process reduces the administration that you must perform in the perimeter network by letting you perform required configuration on the Hub Transport server role and then push that information to the Active Directory Application Mode (ADAM) directory service instance on the Edge Transport server. You must create an Edge Subscription if you plan to use the recipient lookup or safelist aggregation anti-spam features, or if you plan to help secure SMTP communications with partner domains by using mutual TLS.
For more information about the features that require synchronization of data from Active Directory to ADAM, see the following topics:
Edge Subscription Process
The Edge Transport server is subscribed to an Active Directory site to establish a synchronization relationship between the Hub Transport servers in an Active Directory site and the subscribed Edge Transport server. The Microsoft Exchange EdgeSync service is the data synchronization service that runs on Hub Transport servers. This service performs one-way replication of configuration and recipient data from Active Directory to the ADAM instance on the subscribed Edge Transport server. The credentials that are provisioned during the Edge Subscription process are used to help secure the LDAP connection between a Hub Transport server and an Edge Transport server in the perimeter network.
When you run the New-EdgeSubscription cmdlet in the Exchange Management Shell on an Edge Transport server, the EdgeSync bootstrap replication account (ESBRA) credentials are created in the ADAM directory on the local server and then written to the Edge Subscription file. These credentials are used only to establish the initial synchronization and will expire 1,440 minutes (24 hours) after the Edge Subscription file is created. If the Edge Subscription process is not completed within that time, you must run the New-EdgeSubscription cmdlet in the Exchange Management Shell on the Edge Transport server again to create a new Edge Subscription file.
The following table describes the data that is contained in the Edge Subscription XML file.
Edge Subscription file contents
| Subscription data | Description |
|---|---|
| Edge Server Name | The NetBIOS name of the Edge Transport server. The name of the Edge Subscription in Active Directory will match this name. |
| Edge Server FQDN | The fully qualified domain name (FQDN) of the Edge Transport server. The Hub Transport servers in the subscribed Active Directory site must be able to resolve this FQDN by using DNS in order to locate the Edge Transport server. |
| Edge Certificate binary large object (BLOB) | The public key of the Edge Transport server's self-signed certificate. |
| ESRA Username | The name assigned to the ESBRA, in the format ESRA.<Edge Transport server name>. ESRA stands for EdgeSync replication account. |
| ESRA Password | The password assigned to the ESBRA. The password is generated by using a random number generator and is stored in the Edge Subscription file in clear text. |
| Effective Date | The creation date of the Edge Subscription file. |
| Duration | The length of time that these credentials are valid before they expire. The ESBRA account is valid for only 24 hours. |
| ADAM SSL Port | The secure LDAP port to which the EdgeSync service binds when synchronizing data from Active Directory to ADAM. By default, this is TCP port 50636. |
| Product ID | The licensing information for the Edge Transport server. After an Edge Transport server is subscribed to Active Directory, its licensing information is displayed in the Exchange Management Console for the Exchange organization. You must license the Edge Transport server before you create the Edge Subscription for this information to be displayed correctly. |
Important
The ESBRA credentials are written to the Edge Subscription file in clear text. You must protect this file throughout the subscription process. After the Edge Subscription file is imported to a Hub Transport server, you should immediately delete the Edge Subscription file from the Edge Transport server, the Hub Transport server, and any removable media.
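The following script is added here as an example; it is not part of this topic and not Exchange code. Run in the Exchange Management Shell on the Hub Transport server, it puts the guidance in the note into practice: it parses the Edge Subscription file, refuses to import it once the 24-hour window has passed, checks that the Edge Transport server FQDN resolves, runs the Exchange 2007 New-EdgeSubscription cmdlet with -Site, and then overwrites and deletes the file whether or not the import succeeded. The XML element names and the encoding of EffectiveDate are assumptions, not taken from this topic; confirm them against a file produced by your own Edge Transport server before relying on the parser.

```powershell
# Added example (not Exchange code). Run in the Exchange Management Shell on a Hub
# Transport server after copying the Edge Subscription file to it.
# Assumed (not stated in the topic): element names EdgeSubscription/EdgeServerName,
# EdgeServerFQDN, ESRAUsername, ESRAPassword, EffectiveDate, Duration, AdamSslPort,
# and that EffectiveDate is a .NET DateTime tick count in UTC.

function Read-EdgeSubscriptionFile {
    param([string]$Path)
    $sub = ([xml](Get-Content -Path $Path)).EdgeSubscription

    $ticks = [long]0
    if ([long]::TryParse([string]$sub.EffectiveDate, [ref]$ticks)) {
        $effective = New-Object DateTime -ArgumentList $ticks, ([DateTimeKind]::Utc)
    } else {
        # Fallback if the date turns out to be a date string rather than a tick count
        $effective = ([datetime]$sub.EffectiveDate).ToUniversalTime()
    }
    # Duration is in minutes; 1440 = 24 hours, the ESBRA lifetime described above
    $expires = $effective.AddMinutes([int]$sub.Duration)

    New-Object PSObject -Property @{
        EdgeServerName       = [string]$sub.EdgeServerName
        EdgeServerFQDN       = [string]$sub.EdgeServerFQDN
        ESRAUsername         = [string]$sub.ESRAUsername
        HasClearTextPassword = -not [string]::IsNullOrEmpty([string]$sub.ESRAPassword)
        AdamSslPort          = [int]$sub.AdamSslPort
        EffectiveUtc         = $effective
        ExpiresUtc           = $expires
        IsValid              = ([datetime]::UtcNow -lt $expires)
    }
}

function Remove-SensitiveFile {
    # The file holds the ESBRA password in clear text: overwrite it in place
    # (best effort on NTFS), then delete it.
    param([string]$Path)
    $length = (Get-Item -Path $Path).Length
    $junk = New-Object byte[] $length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($junk)
    [System.IO.File]::WriteAllBytes($Path, $junk)
    Remove-Item -Path $Path -Force
}

function Import-EdgeSubscriptionFile {
    param([string]$Path, [string]$Site)
    try {
        $info = Read-EdgeSubscriptionFile -Path $Path
        if (-not $info.IsValid) {
            throw ('Edge Subscription file for {0} expired at {1:u}. Run New-EdgeSubscription on the Edge Transport server again.' -f $info.EdgeServerName, $info.ExpiresUtc)
        }
        # Hub Transport servers must be able to resolve the Edge FQDN (see the table above)
        [void][System.Net.Dns]::GetHostAddresses($info.EdgeServerFQDN)
        Write-Host ('Importing subscription for {0} ({1}), ESBRA {2}, ADAM SSL port {3}, valid until {4:u}' -f $info.EdgeServerName, $info.EdgeServerFQDN, $info.ESRAUsername, $info.AdamSslPort, $info.ExpiresUtc)
        # Exchange 2007 cmdlet; on a Hub Transport server -Site selects the site to subscribe to
        New-EdgeSubscription -FileName $Path -Site $Site
    } finally {
        # Whether or not the import succeeded, do not leave the credentials on disk;
        # the Edge Transport server can always generate a fresh file.
        if (Test-Path -Path $Path) { Remove-SensitiveFile -Path $Path }
    }
}

Import-EdgeSubscriptionFile -Path 'C:\EdgeSubscriptionInfo.xml' -Site 'Default-First-Site-Name'
```

The copy on the Edge Transport server and on any removable media still has to be removed by hand; the script only covers the copy on the Hub Transport server.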
EdgeSync Replication Accounts
EdgeSync replication accounts (ESRA) are an important part of EdgeSync security. Authentication and authorization of the ESRA is the mechanism used to help secure the connection between an Edge Transport server and a Hub Transport server.
The ESBRA contained in the Edge Subscription file is used to establish a secure LDAP connection during the initial synchronization. After the Edge Subscription file is imported to a Hub Transport server in the Active Directory site to which the Edge Transport server is being subscribed, additional ESRA accounts are created in Active Directory, one for each Edge Transport-Hub Transport server pair. During initial synchronization, the newly created ESRA credentials are replicated to ADAM, and these ESRA credentials are then used to help secure later synchronization sessions.
Each EdgeSync replication account is assigned the properties described in the following table.
Ms-Exch-EdgeSyncCredential Properties
| Property name | Type | Description |
|---|---|---|
| TargetServerFQDN | String | The Edge Transport server that will accept these credentials. |
| SourceServerFQDN | String | The Hub Transport server that will present these credentials. This value is empty if the credential is the bootstrap credential. |
| EffectiveTime | DateTime (UTC) | When to start using this credential. |
| ExpirationTime | DateTime (UTC) | When to stop honoring this credential. |
| UserName | String | The user name that is used to authenticate. |
| Password | Byte | The password that is used to authenticate. The password is encrypted by using ms-Exch-EdgeSync-Certificate. |
The following sections of this topic describe how the ESRA credentials are provisioned and used during the EdgeSync synchronization process.
Provisioning the EdgeSync Bootstrap Replication Account
When the New-EdgeSubscription cmdlet is run on the Edge Transport server, the ESBRA is provisioned as follows:
A self-signed certificate (Edge-Cert) is created on the Edge Transport server. The private key is stored in the local computer store and the public key is written to the Edge Subscription file.
The ESBRA (ESRA.Edge) is created in ADAM and the credentials are written to the Edge Subscription file.
The Edge Subscription file is exported by copying it to removable media. The file is now ready to import to a Hub Transport server.
Provisioning EdgeSync Replication Accounts in Active Directory
When the Edge Subscription file is imported on a Hub Transport server, the following steps occur to establish a record of the Edge Subscription in Active Directory and to provision additional ESRA credentials.
An Edge Transport server configuration object is created in Active Directory. The Edge-Cert certificate is written to this object as an attribute.
Every Hub Transport server in the subscribed Active Directory site receives an Active Directory notification that a new Edge Subscription has been registered. As soon as the notification is received, each Hub Transport server retrieves the ESRA.Edge account and encrypts the account by using the Edge-Cert public key. The encrypted ESRA.Edge account is written to the Edge Transport server configuration object.
Each Hub Transport server creates a self-signed certificate (Hub-Cert). The private key is stored in the local computer store and the public key is stored in the Hub Transport server configuration object in Active Directory.
Each Hub Transport server encrypts the ESRA.Edge account by using the public key of its own Hub-Cert certificate and then stores it on its own configuration object.
Each Hub Transport server generates an ESRA for each existing Edge Transport server configuration object in Active Directory (ESRA.Hub.Edge). The account name is generated by using the following naming convention:
ESRA.<Hub Transport server NetBIOS Name>.<Edge Transport server NetBIOS Name>.<Effective Date UTC Time>
Example: ESRA.Hub.Edge.01032007
The password for ESRA.Hub.Edge is generated by a random number generator and is encrypted by using the public key of the Hub-Cert certificate. The generated password has the maximum length allowed for Microsoft Windows Server.
Each ESRA.Hub.Edge account is encrypted by using the public key of the Edge-Cert certificate and is stored on the Edge Transport server configuration object in Active Directory.
The following sections of this topic explain how these accounts are used during the EdgeSync synchronization process.
Authenticating Initial Replication
The ESBRA account, ESRA.Edge, is used only when establishing the initial synchronization session. During the first EdgeSync synchronization session, the additional ESRA accounts, ESRA.Hub.Edge, are replicated to ADAM. These accounts are used to authenticate later EdgeSync synchronization sessions.
Which Hub Transport server performs the initial replication is not configurable and is effectively random: the first Hub Transport server in the Active Directory site to run a topology scan and discover the new Edge Subscription performs it. Because discovery depends on the timing of each server's topology scan, any Hub Transport server in the site may perform the initial replication.
The Microsoft Exchange EdgeSync service initiates a secure LDAP session from the Hub Transport server to the Edge Transport server. The Edge Transport server presents its self-signed certificate and the Hub Transport server verifies that the certificate matches the certificate that is stored on the Edge Transport server configuration object in Active Directory. After the Edge Transport server's identity is verified, the Hub Transport server provides the credentials of the ESRA.Edge account to the Edge Transport server. The Edge Transport server verifies the credentials against the account that is stored in ADAM.
The Microsoft Exchange EdgeSync service on the Hub Transport server then pushes the topology, configuration, and recipient data from Active Directory to ADAM. The change to the Edge Transport server configuration object in Active Directory is replicated to ADAM. ADAM receives the newly added ESRA.Hub.Edge entries and the Edge Credential service creates the corresponding ADAM account. These accounts are now available to authenticate later scheduled EdgeSync synchronization sessions.
Edge Credential Service
The Edge Credential service is part of the Edge Subscription process. It runs only on the Edge Transport server. This service creates the reciprocal ESRA accounts in ADAM so that a Hub Transport server can authenticate to an Edge Transport server to perform EdgeSync synchronization. The Microsoft Exchange EdgeSync service does not communicate directly with the Edge Credential service. The Edge Credential service communicates with ADAM and installs the ESRA credentials whenever the Hub Transport server updates them.
Authenticating Scheduled Synchronization Sessions
After initial EdgeSync synchronization finishes, the EdgeSync synchronization schedule is established and data that has changed in Active Directory is regularly updated in ADAM. For each session, a Hub Transport server initiates a secure LDAP session with the ADAM instance on the Edge Transport server. ADAM proves its identity to that Hub Transport server by presenting the Edge Transport server's self-signed certificate, which the Hub Transport server checks against the certificate stored on the Edge Transport server configuration object in Active Directory. The Hub Transport server then presents its ESRA.Hub.Edge credentials to ADAM. Because the ESRA.Hub.Edge password held in Active Directory is encrypted with the public key of that Hub Transport server's own self-signed certificate, only the server that holds the matching private key can recover the password; no other Hub Transport server can use those credentials to authenticate to ADAM.
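The two checks in a session, server identity by certificate and then client identity by ESRA credentials, can be reproduced from any Windows host to diagnose a failing subscription. The script below is added as an example and is not Exchange code. It assumes PowerShell 2.0 or later, the .NET System.DirectoryServices.Protocols assembly, that $ExpectedThumbprint is the SHA-1 thumbprint of the Edge Transport server's self-signed certificate (on the Edge Transport server, Get-ExchangeCertificate lists the certificates in the local computer store), and that the ESRA user name is supplied in whatever form the ADAM instance accepts for a simple bind; the topic does not state that form, so check it with ADSI Edit or LDP before relying on the bind step.

```powershell
# Added example (not Exchange code): reproduces the two checks the text describes for an
# EdgeSync LDAP session. Assumed: PowerShell 2.0+, $ExpectedThumbprint is the SHA-1
# thumbprint of the Edge's self-signed certificate, and the ESRA user name is passed in the
# form the ADAM instance accepts for a simple bind.

[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices.Protocols')

function Test-EdgeSyncLdaps {
    param(
        [string]$EdgeFqdn,
        [string]$ExpectedThumbprint,
        [System.Net.NetworkCredential]$Credential,  # ESRA user name and password
        [int]$Port = 50636                           # default ADAM SSL port from the table above
    )
    $expected = $ExpectedThumbprint -replace '[^0-9A-Fa-f]', ''
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $EdgeFqdn, $Port, $true, $false
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $identifier
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $true

    # Step 1, server identity: the Edge presents its self-signed certificate. The Hub accepts
    # it only if it matches the copy stored in Active Directory; the pinned thumbprint plays
    # that role here. No certification authority is involved, so a substituted certificate
    # from any CA is still rejected.
    $verify = {
        param($connection, $certificate)
        $presented = $certificate.GetCertHashString()
        $ok = [string]::Equals($presented, $expected, [StringComparison]::OrdinalIgnoreCase)
        if (-not $ok) { Write-Warning ('Edge presented certificate {0}, expected {1}' -f $presented, $expected) }
        return $ok
    }.GetNewClosure()
    $conn.SessionOptions.VerifyServerCertificate = [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]$verify

    # Step 2, client identity: the ESRA credentials are sent as a simple bind inside the TLS
    # session, and only after the certificate check has passed.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential

    try {
        $conn.Bind()
        New-Object PSObject -Property @{ Server = $EdgeFqdn; BindSucceeded = $true; Error = $null }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # A rejected certificate fails the connection before any credentials are sent
        # (typically LDAP result 81, server down); a wrong or expired ESRA password fails
        # the bind itself (typically LDAP result 49, invalid credentials).
        New-Object PSObject -Property @{ Server = $EdgeFqdn; BindSucceeded = $false; Error = ('LDAP {0}: {1}' -f $_.Exception.ErrorCode, $_.Exception.Message) }
    } finally {
        $conn.Dispose()
    }
}

# Usage; the host name, thumbprint and account name are placeholders
$cred = New-Object System.Net.NetworkCredential('ESRA.EDGE01', (Read-Host 'ESRA password'))
Test-EdgeSyncLdaps -EdgeFqdn 'edge01.contoso.com' -ExpectedThumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -Credential $cred
```

For routine monitoring the supported check is Test-EdgeSynchronization on the Hub Transport server; the script above is for the case where that reports a failure and you need to know whether the certificate or the credentials are at fault.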
Renewing EdgeSync Replication Accounts
The password for an ESRA account must comply with the local server's password policy and is therefore renewed periodically. To prevent renewal from causing a temporary authentication failure, a second ESRA.Hub.Edge account is created seven days before the first ESRA.Hub.Edge account expires, with an effective time that is three days before the first account's expiration time. As soon as the second account becomes effective, EdgeSync stops using the first account and starts using the second. When the expiration time of the first account is reached, its credentials are deleted. This renewal process continues until the Edge Subscription is removed.
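To make the overlap concrete, the following PowerShell model is added as an example (it is not Exchange code). It builds a credential with the EffectiveTime and ExpirationTime properties from the table earlier in this topic, derives when its successor is created (7 days before expiry) and becomes effective (3 days before expiry), and applies the selection rule at several instants around the handoff. The validity period is not stated in this topic and is an assumed parameter, and the MMddyyyy date suffix in the account name is an assumption based on the example name given above.

```powershell
# Added example (not Exchange code): models the ESRA.Hub.Edge renewal overlap described
# above. All times are UTC. Assumed: the validity period (a parameter here; in practice it
# follows the server's password policy) and the MMddyyyy date suffix in the account name.

function New-EsraModel {
    param([string]$HubName, [string]$EdgeName, [datetime]$EffectiveTime, [timespan]$Validity)
    New-Object PSObject -Property @{
        UserName       = 'ESRA.{0}.{1}.{2}' -f $HubName, $EdgeName, $EffectiveTime.ToString('MMddyyyy')
        EffectiveTime  = $EffectiveTime
        ExpirationTime = $EffectiveTime + $Validity
    }
}

function Get-EsraRenewalTimes {
    # The successor is created 7 days before expiry and becomes effective 3 days before
    # expiry, so both accounts exist for a week and both are honored for the last 3 days.
    param([psobject]$Current)
    New-Object PSObject -Property @{
        CreateAt    = $Current.ExpirationTime.AddDays(-7)
        EffectiveAt = $Current.ExpirationTime.AddDays(-3)
    }
}

function Select-EffectiveEsra {
    # The rule from the text: switch to the newer account as soon as it becomes effective;
    # an account past its ExpirationTime is deleted and is never selected.
    param([psobject[]]$Accounts, [datetime]$Now)
    $live = @($Accounts | Where-Object { $_.EffectiveTime -le $Now -and $Now -lt $_.ExpirationTime })
    $live | Sort-Object -Property EffectiveTime -Descending | Select-Object -First 1
}

$validity = New-TimeSpan -Days 30   # assumed; substitute your maximum password age
$start    = New-Object DateTime -ArgumentList 2007, 1, 3, 0, 0, 0, ([DateTimeKind]::Utc)
$first    = New-EsraModel -HubName 'HUB01' -EdgeName 'EDGE01' -EffectiveTime $start -Validity $validity
$renewal  = Get-EsraRenewalTimes -Current $first
$second   = New-EsraModel -HubName 'HUB01' -EdgeName 'EDGE01' -EffectiveTime $renewal.EffectiveAt -Validity $validity

# Walk the timeline around the handoff; at no instant is there zero usable accounts
foreach ($t in @($start, $renewal.CreateAt, $renewal.EffectiveAt.AddSeconds(-1), $renewal.EffectiveAt, $first.ExpirationTime)) {
    $chosen = Select-EffectiveEsra -Accounts @($first, $second) -Now $t
    '{0:u}  uses {1}' -f $t, $chosen.UserName
}
```

With these inputs the first account is selected from creation through one second before the successor's effective time, and the successor from its effective time onward, including at the instant the first account expires and is deleted.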
For More Information
For more information, see the following topics: