Exchange Integration

This document explains how to integrate Monosync with an Exchange server.

📘 Instructions

This documentation contains 2 main steps for integration.

  1. Service User Permissions

  2. Active Directory Delegation

  3. PowerShell Remoting

1. Service User Permission

When a non-privileged user account tries to create a PowerShell session with a remote computer (Enter-PSSession), an access error occurs:

Enter-PSSession : Connecting to remote server failed with the following error message : Access is denied.

Run the Get-PSSessionConfiguration command in PowerShell on the Exchange server to verify which users can run remote PowerShell commands.

In the output, access is allowed for the following built-in groups:

  1. BUILTIN\Administrators — AccessAllowed,

  2. BUILTIN\Remote Management Users — AccessAllowed

So, to let a user connect to a remote machine through WinRM, it is enough for the user to be a member of the built-in local Administrators group or the Remote Management Users security group (this group is created by default starting from PowerShell 4.0). This group also has access to WMI resources via management protocols (e.g., WS-Management).

A user can be added to the group using Computer Management:

Or using the command:

net localgroup "Remote Management Users" /add monosync_svc

2. Active Directory Delegation

Monosync opens two (2) different connections to the Exchange server via PowerShell. After the first connection is established, the second connection uses Kerberos authentication. To support Kerberos authentication, "TrustedForDelegation" must be set to true in Active Directory.

Via PowerShell command:

Set-ADAccountControl -Identity "CN=EXCH01,CN=Computers,DC=monofor,DC=com" -TrustedForDelegation $true

Via Active Directory Users and Computers:

Find the Exchange server computer object in Active Directory, right-click it and choose

Properties → Delegation → Trust this computer for delegation to any service (Kerberos only)

Verify via PowerShell

Only TrustedForDelegation

Get-ADComputer -Identity "<ComputerName>" -Properties * | Format-List -Property TrustedForDelegation

Get all delegation attributes

Get-ADComputer -Identity "<ComputerName>" -Properties * | Format-List -Property *delegat*,msDS-AllowedToActOnBehalfOfOtherIdentity

3. PowerShell Remoting

3.1. Enable PowerShell Remoting

Follow the instructions below to enable and configure the PowerShell Remoting options.

Run the command below to enable PowerShell Remoting:

Enable-PSRemoting -SkipNetworkProfileCheck

Check whether the WinRM service is running:

Get-Service WinRM

If it is running, the following response is returned:

If not, run the command below to enable it with the default configuration:

winrm quickconfig

3.2. WinRM Listener Configuration

Verify the WinRM listener configuration:

Get-Item WSMan:\localhost\listener\*

If the command returns an HTTPS listener, check that the certificate is assigned correctly.

Get-Item WSMan:\localhost\listener\Listener_1305953032\*

3.3. WinRM HTTPS Listener

If an HTTPS listener is not configured, it can be created with the steps below:

Generate a certificate to use in the HTTPS listener. Specify the full FQDN of the Exchange machine with -DnsName, like:

New-SelfSignedCertificate -DnsName "" -CertStoreLocation Cert:\LocalMachine\My

This command creates the certificate and returns the certificate information. The thumbprint is used when creating the HTTPS listener.

After the certificate has been generated successfully, create the HTTPS listener with the command below. The command needs 2 arguments: Hostname and Certificate Thumbprint.

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=""; CertificateThumbprint="6A8D7E5537D441190FD72C7C2E879A064072CE0F"}'

The HTTPS listener is now created.

3.3.1. Add New Certificate to Existing HTTPS Listener

If the Exchange certificate has expired and a new certificate must be added to the existing HTTPS listener, follow the steps below.

Check that the new certificate is installed on the machine and verify its information. Change the value to match your certificate CN.

Get-ChildItem -Path Cert:LocalMachine\MY | Where-Object {$_.Subject -match "" } | Select-Object FriendlyName, Thumbprint, Subject, NotBefore, NotAfter

Copy the thumbprint of the certificate, then check the HTTPS listener name.

Get-Item WSMan:\localhost\listener\*

Set the new thumbprint for the HTTPS listener:

Set-Item WSMan:\localhost\Listener\Listener_1305953032\CertificateThumbprint -Value 6A8D7E5537D441190FD72C7C2E879A064072CE0F

Then verify that the new certificate is assigned to the HTTPS listener:

Get-Item WSMan:\localhost\Listener\Listener_1305953032\*

3.4. WinRM Authentication Settings

Set the WinRM Service Authentication CbtHardeningLevel to None with the command below.

Set-Item WSMan:\localhost\Service\Auth\CbtHardeningLevel -Value None

Check whether the WinRM Service Authentication CbtHardeningLevel was set with the command below.

Get-Item WSMan:\localhost\Service\Auth\*

3.5. WinRM Trusted Host Configuration

The last point is setting up TrustedHosts. TrustedHosts defines which computer or IP can access via Remote PowerShell.

Check TrustedHost settings:

Get-Item WSMan:\localhost\Client\TrustedHosts

Set to any PC

Set-Item WSMan:\localhost\Client\TrustedHosts -Value *

Set to any PC in the domain

Set-Item WSMan:\localhost\Client\TrustedHosts *

Set to a specific computer with the IP address

Set-Item WSMan:\localhost\Client\TrustedHosts -Value ','

Verify TrustedHosts with the command below.

Get-Item WSMan:\localhost\Client\TrustedHosts

Finally, Monosync will communicate with the Exchange server via PowerShell. If there are multiple Exchange servers in the infrastructure, repeat all steps on every Exchange server.
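A read-only check of the settings configured in sections 1 and 3, as an added example (not Monosync's own tooling): it reports the WinRM service state, the members of Remote Management Users, whether each HTTPS listener's thumbprint resolves to an unexpired certificate with a private key and the expected DNS name, and the current CbtHardeningLevel and TrustedHosts values. The names $ExpectedHost, $WarnDays and Test-ListenerCert are assumptions of this example, and <exchange-fqdn> is a placeholder.

```powershell
# Added example: read-only check of the settings from sections 1 and 3.
# Run elevated on the Exchange server (Windows PowerShell 5.1 assumed).
# $ExpectedHost and $WarnDays are assumptions of this example, not Monosync settings.
$ExpectedHost = '<exchange-fqdn>'   # placeholder: the FQDN used for -DnsName / Hostname
$WarnDays     = 30                  # flag certificates expiring within this many days

# Hypothetical helper: returns a one-line verdict for a listener certificate.
function Test-ListenerCert([string]$Thumb, [string]$HostName, [int]$Days) {
    if (-not $Thumb) { return 'no thumbprint set' }
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumb" -ErrorAction SilentlyContinue
    if (-not $cert)               { return 'thumbprint not found in Cert:\LocalMachine\My' }
    if (-not $cert.HasPrivateKey) { return 'certificate has no private key' }
    if ($cert.NotAfter -lt (Get-Date)) { return "expired on $($cert.NotAfter)" }
    # Exact-name comparison; a wildcard certificate is reported as a mismatch.
    if ($cert.DnsNameList.Unicode -notcontains $HostName) {
        return "DNS names do not include $HostName"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays($Days)) { return "expires soon: $($cert.NotAfter)" }
    return "ok, valid until $($cert.NotAfter)"
}

$report = [ordered]@{}
$report['WinRM service'] = (Get-Service WinRM).Status

# Section 1: who can open remote sessions without being a local administrator
$members = Get-LocalGroupMember -Group 'Remote Management Users'
$report['Remote Management Users'] = $members.Name -join ', '

# 3.2 / 3.3: every HTTPS listener and the certificate its thumbprint points to
$https = @(Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' })
if ($https.Count -eq 0) { $report['HTTPS listener'] = 'none configured' }
foreach ($listener in $https) {
    $thumb = (Get-Item "WSMan:\localhost\Listener\$($listener.Name)\CertificateThumbprint").Value
    $thumb = ($thumb -replace '\s', '').ToUpper()   # stored value may contain spaces
    $report["Listener $($listener.Name)"] = Test-ListenerCert $thumb $ExpectedHost $WarnDays
}

# 3.4: report the channel binding token level (the page sets it to None)
$report['CbtHardeningLevel'] = (Get-Item WSMan:\localhost\Service\Auth\CbtHardeningLevel).Value

# 3.5: report the TrustedHosts list and flag a bare wildcard
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (-not $trusted)    { $trusted = '(empty)' }
if ($trusted -eq '*') { $trusted = '* (any host)' }
$report['TrustedHosts'] = $trusted

[pscustomobject]$report | Format-List
```

The script changes nothing, so it can be rerun after a certificate renewal (section 3.3.1) to confirm the listener points at the new thumbprint.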

The firewall port needs to be open from the Monosync servers to the Exchange servers.




Monosync Servers

Exchange Servers


