This administration guide walks you step by step through installing and setting up the eTASK.Outlook add-in. At the end of the process, you will have a system ready for production use.
Functional installation of the eTASK.FM portal starting with eTASK 2020
Compliance with the system requirements (Systemvoraussetzungen IC1051)
Administrative rights for eTASK.SmartReservation
Rights in Exchange to create and administer room mailboxes
Machine user for server-side booking processes with "Send As" rights exclusively for the room mailboxes to be set up
Knowledge of configuring Exchange and Active Directory
The configuration parameter "USEUTC" has the value "1" (this is the default setting)
Access to Microsoft Azure
For on-premises Exchange servers only:
The Kerberos authentication from the client goes through the web server to the Exchange Server
The size of the Kerberos ticket must be limited to 120 groups in AD
In Kerberos, MaxFieldLength and MaxRequestBytes must be set to "87380 (0x15554)"
A fully working installation of Microsoft Exchange Server 2013 or a newer version (we recommend a newer version, e.g., Microsoft Exchange Server 2019)
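A read-only PowerShell check for the on-premises Kerberos values listed above, added here as an example and not taken from eTASK's documentation or tools. It assumes that MaxFieldLength and MaxRequestBytes are the HTTP.sys registry values under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters on the web server. The group check counts the group SIDs in the current user's logon token, which also includes local and well-known groups, so it is an upper bound for the AD group count.

```powershell
# Added example: read-only pre-flight check, changes nothing on the system.
$Required  = 87380   # 0x15554, the value this guide requires
$MaxGroups = 120     # the group limit this guide requires
# Assumption: the two values are the HTTP.sys parameters stored under this key.
$HttpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Test-HttpSysLimit {
    param([Parameter(Mandatory)][string]$Name)
    $prop  = Get-ItemProperty -Path $HttpKey -Name $Name -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.$Name } else { $null }   # $null: value is not set
    [pscustomobject]@{
        Check    = $Name
        Actual   = if ($null -eq $value) { 'not set' } else { '{0} (0x{0:X})' -f $value }
        Expected = '{0} (0x{0:X})' -f $Required
        Ok       = ($value -eq $Required)
    }
}

function Test-TokenGroupCount {
    # Group SIDs in the logon token of the user running this script.
    # This includes nested, local and well-known groups (upper bound for AD groups).
    $count = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
    [pscustomobject]@{
        Check    = "Groups in token of $env:USERNAME"
        Actual   = $count
        Expected = "<= $MaxGroups"
        Ok       = ($count -le $MaxGroups)
    }
}

$results = @(
    Test-HttpSysLimit -Name 'MaxFieldLength'
    Test-HttpSysLimit -Name 'MaxRequestBytes'
    Test-TokenGroupCount
)
$results | Format-Table -AutoSize

# A non-zero exit code lets a deployment script stop before commissioning.
if ($results.Ok -contains $false) { exit 1 }
```

Run the registry checks on the server whose settings are being verified, and the group check in a session of a user who will work with the OAI.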
Setting up eTASK.SmartReservation does not require any programmatic changes to the Exchange Server or Active Directory. All necessary configurations are performed using the administration tools provided by Microsoft (EMC, AD Users & Computers, PowerShell).
Synchronizing bookings between Exchange and eTASK primarily requires the correct configuration of access rights for Exchange and eTASK.
During system design, care was taken to ensure that no excessive permissions are required to set up the eTASK.Outlook add-in. The system operates with the minimum necessary permissions to exchange bookings between the two systems.
eTASK distinguishes between two internal interfaces:
eTASK Server - Exchange Server
Server-side data exchange takes place within the context of an account created specifically for this purpose. This account has a non-expiring password. The account has minimal permissions for the meeting room mailboxes in Exchange (delegate permissions). The account can be configured separately for each meeting room.
For setup, this account is stored in eTASK. Server-side data exchange then takes place within the context of this account. The account’s password is stored in encrypted form in the eTASK database and cannot be viewed in plain text.
Outlook Add-In (OAI) - eTASK Server - Exchange Server
For Online Exchange with Office 365
Client-side data exchange from the OAI takes place via the account of the user logged in to the computer.
For on-premises Exchange servers
Client-side data exchange from the OAI does not take place via the aforementioned account. To avoid requiring the OAI user to re-enter their password, access is granted using the user’s Windows login credentials. In this process, a Kerberos ticket is generated on the client. This ticket is used to log in to the eTASK Server and the Exchange Server. This authorization model strictly follows the procedures specified by Microsoft for these scenarios.
Client-side data exchange requires a fully functional Kerberos infrastructure in the customer’s network. Since Kerberos in Active Directory serves as the foundation for many other services, these prerequisites should typically be met without requiring additional measures.
The administration guide assumes a “single-domain system.” Setup in “multi-domain systems” may differ. In particular, when configuring SPNs (Service Principal Names), the existing infrastructure may need to be analyzed to determine the correct SPNs. This analysis requires elevated user privileges and must therefore be performed by the customer’s administrators.
The following data must be determined during the analysis:
Web server FQDN (eTASK)
DNS: Alias (CNAME) for web server
DNS: Host (A) record for web server/website
Email domain (*@customer.com)
Are users in different email domains? If so, which ones?
List of SPNs for the web server (SETSPN -L HOST)
Once the analysis is available, eTASK will specify the further steps required for error-free commissioning.
In large environments, eTASK recommends a test installation of the eTASK portal on a separate quality assurance server to avoid compromising the operation of the eTASK live server during setup.
To assist with the commissioning process, eTASK has created a small test program (eTASKIdentity.exe) and a Kerberos checklist. Request these resources from eTASK if needed.