Prerequisites

Exchange Server Requirements

  • Exchange Server: Exchange Server 2016 or 2019 (verified against Exchange Server 2019). Note the current CU level.
  • Dedicated Server: Exchange must not be co-located with the Domain Controller role (causes Kerberos SPN conflicts).
  • Exchange Management Shell: EMS must launch and run without errors locally on the Exchange server.
  • FQDN: A resolvable fully-qualified domain name for the target Exchange server, matching the SSL certificate CN/SAN.

Network Requirements

  • Port 443 (HTTPS): Open from the DSPM connector host to Exchange (required for all three methods).
  • Port 88 (Kerberos KDC): Reachable from the connector to a Domain Controller (required only for SPNEGO/Kerberos).
  • No intercepting proxy/WAF: Proxies or WAFs between the connector and Exchange may break WinRM/SOAP traffic to /PowerShell/ and /EWS/.

Active Directory & Service Account Requirements

  • Dedicated Service Account: A dedicated AD account for the connector (shared admin accounts are not recommended).
  • Organization Management: The service account must be a member of the Exchange 'Organization Management' role group.
  • MFA Exempt: Basic and NTLM authentication do not support MFA — the service account must be MFA-exempt.
  • Non-expiring Password: Expired credentials silently break scans.
  • AD Domain FQDN: Required for NTLM/Kerberos credential construction (e.g. corp.example.com).

Access Requirements

  • Administrator Access: Local administrator rights on the Exchange server to run EMS cmdlets and edit IIS/applicationHost.config.
  • IIS Management: Access to IIS Manager on the Exchange server (Client Access / front-end and Back End sites).