When implementing CAS proxying in a Resource Forest topology, you need to perform the following additional configuration steps to enable OWA users to access linked mailboxes using Integrated Windows Access (IWA):
Ensure that the account used by the Enterprise Vault Exchange Mailbox archiving task is in the Resource Forest. Typically the task runs as the Vault Service account.
If calls are to be made from a user in a different forest from the one in which Exchange Server 2007 is installed, then you must ensure that a bi-directional Forest trust is configured.
For more information on this requirement, see the following technical note on the Symantec Enterprise Support site, http://entsupport.symantec.com/docs/308042.
Using Exchange Management Shell, run the following command line to give the Enterprise Vault Exchange Mailbox task account the required access rights on the linked mailbox:
    Add-MailboxPermission -Identity <LinkedMailboxName> -User <MailboxTaskAccount> -AccessRights SendAs
For example:
    Add-MailboxPermission -Identity "Service Requests" -User vsa -AccessRights SendAs
To set the permission on many mailboxes, you can use the Get-Mailbox cmdlet in a PowerShell pipeline.
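The following pipeline is an added example, not part of the original Symantec procedure. It limits the grant to linked mailboxes, skips mailboxes where the task account already has SendAs, and previews the change with -WhatIf until you set $Apply to $true. The account name vsa and the variables $TaskAccount, $Apply and $Preview are assumptions for illustration.

```powershell
# Added example: run in the Exchange Management Shell in the Resource Forest.
# Placeholder: replace with your Enterprise Vault Exchange Mailbox task account.
$TaskAccount = 'vsa'
# Leave $false to preview with -WhatIf; set to $true to make the change.
$Apply = $false
$Preview = -not $Apply

# Limit the grant to linked mailboxes instead of every mailbox in the organization.
Get-Mailbox -RecipientTypeDetails LinkedMailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_

    # Look for an existing allow entry so the script can be re-run safely.
    $existing = Get-MailboxPermission -Identity $mbx.Identity -User $TaskAccount |
        Where-Object { (-not $_.Deny) -and ("$($_.AccessRights)" -match 'SendAs') }

    if ($existing) {
        Write-Host "SKIP  $($mbx.Name): $TaskAccount already has SendAs"
    }
    else {
        Write-Host "GRANT $($mbx.Name): adding SendAs for $TaskAccount"
        Add-MailboxPermission -Identity $mbx.Identity -User $TaskAccount `
            -AccessRights SendAs -WhatIf:$Preview
    }
}

# Review the result: list the task account's SendAs entries on linked mailboxes.
Get-Mailbox -RecipientTypeDetails LinkedMailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $TaskAccount |
    Where-Object { "$($_.AccessRights)" -match 'SendAs' } |
    Format-Table Identity, User, AccessRights, Deny, IsInherited -AutoSize
```

Keep the final table with your change record so that the set of mailboxes on which the task account holds SendAs can be audited later.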
On the CAS Servers associated with each user who will access the linked mailbox, edit the OWA configuration file, Web.Config, as follows:
Take a backup copy of the file,
Add the following entry to the section of the file:
    <add key="EnterpriseVault_VaultServiceAccountUPN" value="MailboxTaskAccountUPN" />
For example:
    <add key="EnterpriseVault_VaultServiceAccountUPN" value="vsa@domain.com" />
Note that the value given must be the User Principal Name (UPN) for the Exchange Mailbox task account, and this account must be in the Resource Forest.