+1 408 879 5600 (USA) +44 (0) 113 383 0125 (UK)

• MailSite 8.x, 9.x
• ExpressPro 8.x, 9.x
• Express 8.x, 9.x

This document details the suggested permissions and account settings for MailSite ExpressPro

ExpressPro NT account impersonation

By default ExpressPro will run the local MSIISUSER account or the service account you entered during the install process. Should you wish to use a different account, or if you need to reset the password on this account you will need update IIS to reflect this change in the following places:

Windows XP, Windows 2000, and Windows 2003 running in IIS5 isolation mode

1. The anonymous user impersonation setting on the ExpressPro virtual directory (accessed via the Directory Security properties tab).
2. The anonymous user impersonation setting on the WebCal virtual directory.
3. The anonymous user impersonation setting on the WSS virtual directory.
4. The impersonation settings in the MailSite\WebServices\Web.UI\web.config file. by default these will look like:
   
   <identity impersonate="true" userName="registry:HKLM\SOFTWARE\Rockliffe\MailSite\ExpressPro\identity\ASPNET_SETREG,userName" password="registry:HKLM\SOFTWARE\Rockliffe\MailSite\ExpressPro\identity\ASPNET_SETREG,password" />
   
   And need changing to:
   
   <identity impersonate="true" userName="DOMAIN\USER" password="PASSWORD" />
5. The impersonation settings in the MailSite\WebServices\Service.WebCal\web.config file.
6. The impersonation settings in the MailSite\WebServices\Service.Wss\web.config file.

Once all these steps are completed, restart IIS.

Windows 2003

1. The anonymous user impersonation setting on the ExpressPro virtual directory (accessed via the Directory Security properties tab).
2. The anonymous user impersonation setting on the WebCal virtual directory.
3. The anonymous user impersonation setting on the WSS virtual directory.
4. The anonymous user impersonation setting on the Microsoft-Server-ActiveSync virtual directory for MailSite 9.2 and later.
5. The impersonation account of the ExpressPro application pool. (The application pool is located in IIS under 'Application Pools'. The account settings are found on the 'Identity' properties tab.)
6. The user also needs to be made a member of the IIS_WPG NT users group on the local machine.

Once all these steps are completed, restart IIS.

Windows Server 2008

1. The anonymous user impersonation setting under properties of ExpressPro virtual directory > Directory Security > Edit (under Authentication and access control), then enter the new username/password.
2. Properties of WebCal virtual directory > Directory Security > Edit (under Authentication and access control), then enter the new password.
3. Properties of WSS virtual directory > Directory Security > Edit (under Authentication and access control), then enter the new password.
4. Properties of Microsoft-Server-ActiveSync virtual directory > Directory Security > Edit (under Authentication and access control), then enter the new password.
5. The 'ExpressPro' application pool, get the properties and then set the username/password on the Identity tab.
6. The user also needs to be made a member of the IIS_IUSRS users group on the local machine.

Once all these steps are completed, restart IIS.

ExpressPro User Permissions

The user that ExpressPro runs as needs to have the following file permissions:

1. Full Control on the BOX directory.
2. Modify Control on the 'MailSite\WebServices' directory, sub-folders and files.
3. Modify Control on the 'MailSite\Timezones' directory and sub-files.
4. Modify Control on the SPOOL directory.
5. Modify Control on the '%WINDIR% \Temp' directory.
6. Modify Control on the '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files' directory. For MailSite 9.5 and later '%WINDIR%Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files' directory

See these other knowledge base documents:

• 10454:ExpressPro Returns Service Unavailable
  
• 10104:Security & Permission Guide lines
  

Last revised 2012-2-9