This article covers the configuration and required permissions when setting up MailEnable data and configuration on a backend or remote NAS.
MailEnable clustering relies on an underlying security model whereby the service accounts either reside in the same security database (SAM/Active Directory) or can be impersonated using shared credentials (common passwords across different security databases).
Most NAS devices allow you to configure a designated authentication source (e.g. Windows domain, NDS, LDAP). For MailEnable services to access the remote NAS, the NAS must therefore recognise the service accounts and grant them equivalent and appropriate access.
Depending on the NAS configuration, it is likely that the underlying security database has an IME_ADMIN account defined (with a password matching that of the member servers), and that account is given permission to the MailEnable folders in question.
MailEnable web administration and web mail use the IME_ADMIN account, and in any clustered scenario, the backend file repository must grant full access to any service requesting access under this account. Interactive logins using the MailEnable administration program will require that the logged-in user has full control over the backend storage repository.
When you configure MailEnable in a NAS environment and are having problems, it is most likely that the above-mentioned permissions have not been granted. The Diagnostic Report within MailEnable may report this and state that the IME_ADMIN account of the MailEnable member server does not have access to the CONFIG folder on the remote volume. You can validate this by using the MEInstaller utility (Start->Run->MEInstaller.exe) to set a known password for the IME_ADMIN account, then logging in interactively as that user and attempting to copy test files to the respective remote NAS folders.
The same permissions settings will need to be used for the IME_STORE_GROUP and IME_SYSTEM accounts.
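The manual check described above can be scripted. The following PowerShell is an added example, not part of MailEnable or its tooling; the UNC path is a placeholder, and the script assumes it is run in a session started as the account under test (for example IME_ADMIN) and that the NAS exposes Windows-style ACLs.

```powershell
# Added example. $Root is a placeholder; point it at your NAS MailEnable share.
param(
    [string]$Root       = '\\NAS-PLACEHOLDER\MailEnable',
    [string[]]$Folders  = @('CONFIG'),
    [string[]]$Accounts = @('IME_ADMIN', 'IME_STORE_GROUP', 'IME_SYSTEM')
)
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as: $me"

foreach ($folder in $Folders) {
    $path = Join-Path $Root $folder
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path is not reachable as $me"
        continue
    }
    # 1. Report whether each account holds an Allow entry with Full Control.
    #    Accounts are matched on the name after the last backslash, so
    #    SERVER\IME_ADMIN and DOMAIN\IME_ADMIN both count. Entries the member
    #    server cannot resolve show up as raw SIDs and will not match.
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        foreach ($account in $Accounts) {
            $hit = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.IdentityReference.Value -split '\\')[-1] -eq $account -and
                ($_.FileSystemRights -band $fullControl) -eq $fullControl
            }
            if ($hit) { Write-Host "OK   $account has Full Control on $path" }
            else      { Write-Warning "$account has no Full Control entry on $path" }
        }
    } catch {
        Write-Warning "Cannot read ACL on ${path}: $($_.Exception.Message)"
    }
    # 2. Effective-access test: create and delete a probe file as the current
    #    identity. This also catches share-level restrictions that the ACL
    #    listing above does not show.
    $probe = Join-Path $path ("me-permtest-{0}.tmp" -f [guid]::NewGuid())
    try {
        Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        Write-Host "OK   write/delete succeeded in $path as $me"
    } catch {
        Write-Warning "Write/delete failed in ${path} as ${me}: $($_.Exception.Message)"
    }
}
```

An ACL entry that looks correct alongside a failed write test usually means the restriction is at the share level or that the NAS is authenticating the account against a different security database.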
Permission errors after making a MailEnable cluster: Article ME020342
Another way to diagnose permission issues is to use the Microsoft Process Monitor utility. Run it on the MailEnable member server while you attempt to use web mail or web administration; it reports any file I/O failures, such as permission or access-denied errors, and shows the identity of the service account each request was made under. The utility can be accessed at http://technet.microsoft.com/en-us/sysinternals/bb896645.
|Product:|MailEnable (Ent-Any Ent-1.X Ent-2.X)|
|Keywords:|NAS SAM Clustering permissions|
|Class:|BUG: Product Defect/Bug|
|Revised:|Wednesday, May 4, 2016|