Recently, one of my customers asked me how PIN expiration is determined in Unified Messaging. He claimed that after adding his CEO to a non-expiring UM Mailbox Policy, the CEO was prompted to change his PIN after 45 days. Having never experienced this behavior with any other customer since the release of Exchange 2007, I was admittedly skeptical of the story I was being told over the phone. So, I decided to dig in, to see whether we had a problem with our code.
There are a number of configuration objects that provide core functionality for a user who is enabled for Unified Messaging: the Dial Plan, the UM Mailbox Policy, the UM IP Gateway, and the UM Server. While the UM IP Gateway, the UM Dial Plan, and the UM server are involved in routing a call to Subscriber Access, the PIN authentication settings for the call are controlled by the user’s UM Mailbox Policy. The PIN Lifetime option, found under the PIN Policies tab of the UM Mailbox Policy, determines how long a PIN can be used for authentication before the user must choose a new one.
You might be wondering, “Okay, but how does Unified Messaging enforce PIN expiration on a user-by-user basis?” To answer that question, we first need to understand the Subscriber Access authentication process, and we need to perform some basic calculations involving Windows DateTime values.
Subscriber Access Authentication
When a UM enabled user calls the Subscriber Access number associated with a Dial Plan, the Unified Messaging server will first extract the Caller ID data from the call and attempt to find the extension in Active Directory. If the UM server is unable to resolve the extension to a known EUM proxy address, the caller will be prompted to enter their extension. With the caller now known to Unified Messaging, the UM server will then retrieve the PIN authentication settings from the user’s UM Mailbox Policy, including the number of days defined in the PIN Lifetime value if enabled.
Next, the caller will be prompted to enter their PIN. The UM server will use a MAPI call to read the salted hash of the user’s PIN from their mailbox, and it will use an LDAP call to read the PIN checksum stored in the properties of the user account from Active Directory. If the PIN value was entered correctly by the caller, the UM server will retrieve the PasswordSetTime from the user’s mailbox and calculate whether the PIN is expired. If the PIN is not expired, the user is granted access to the mailbox.
PIN Expiry Calculation
PIN expiration calculations are based on the Windows DateTime structure. A DateTime value is the number of 100-nanosecond intervals (ticks) that have elapsed since 00:00 on January 1, 0001 A.D. (Anno Domini) in the Gregorian calendar. A second contains 10,000,000 ticks, and a 24-hour period contains 864,000,000,000 ticks. With this in mind, Unified Messaging uses three time values when calculating PIN expiration during a Subscriber Access logon attempt.
If the PIN Lifetime option is enabled in the properties of the UM Mailbox Policy, you must specify the number of days that the PIN will be considered valid, with a valid range of 1 – 999 days. If the PIN Lifetime option is disabled in the properties of the UM Mailbox Policy, a default value of 36,500 days (100 x 365 days) is used to represent an unlimited expiration value. The PIN Lifetime option in the Exchange Management Console maps to Active Directory attribute msExchUMPinPolicyExpiryDays, where its value is stored in seconds. If your PIN Lifetime on your UM Mailbox Policy is configured with a value of 45 days, the corresponding msExchUMPinPolicyExpiryDays value in Active Directory will be set to 3,888,000 seconds.
When a PIN for a UM enabled user is either set or reset, the PasswordSetTime value in their mailbox is set to the current GMT time in binary. This value is stored in an XML blob within the IPM.Configuration.Um.Password message found in the Associated Contents table of the mailbox (MAPI property 0x7C070102).
At the time of the Subscriber Access logon attempt, the UM server will use the current GMT time in ticks as a base from which to calculate the expiry status of the PIN.
Upon retrieving these three values, the Exchange Unified Messaging server performs the following calculation to determine whether a PIN is expired:
PINExpiryStatus = SystemTimeUTC - (PasswordSetTime + msExchUMPinPolicyExpiryDays)
A negative PINExpiryStatus result value is indicative of a valid PIN.
A positive PINExpiryStatus result value is indicative of an expired PIN.
For example, let’s assume that a Unified Messaging server discovered the following tick values while attempting to authenticate a Subscriber Access caller:
PasswordSetTime: 633873957184350657 ticks (Tuesday, September 01, 2009 9:55:18 AM)
PIN Lifetime/msExchUMPinPolicyExpiryDays: 38880000000000 ticks (45 days; the attribute holds 3,888,000 seconds, multiplied here by 10,000,000 ticks per second)
SystemTimeUTC: 633876609141336861 ticks (Friday, September 04, 2009 11:35:14 AM)
-36228043013796 = 633876609141336861 - (633873957184350657 + 38880000000000)
With a negative tick result value, we at least know that the PIN is still valid. But for how much longer?
41.93 days = 36228043013796 (remaining ticks) / 864000000000 (ticks per day)
After presenting the results of this research and testing to my customer, we were able to conclude that PIN expiry calculations performed by Unified Messaging were occurring within specification. While we were unable to determine why the CEO was prompted to reset his PIN, I suspect that human error was likely involved.
As always, I hope this helps…
If you’d like to try calculating the PIN expiration value for a given mailbox, you can follow these steps. We will use a slightly less complicated method than the Unified Messaging server.
Step 1 – Get PIN Lifetime value from UM Mailbox Policy
Open the Exchange Management Console and locate UM Mailbox Policy associated with your user account. Open the properties of the UM Mailbox Policy, and select the PIN Policies tab. If the PIN Lifetime option is enabled, note the number of days as configured in the GUI. If the PIN Lifetime for your UM Mailbox Policy is disabled (i.e. unlimited), use a value of 36,500 days (100 x 365 days).
In my environment, my UM Mailbox Policy is configured with a PIN Lifetime value of 45 days.
Step 2 – Get PasswordSetTime from User’s Mailbox
You can find the PasswordSetTime for a given UM enabled user account by using the MFCMAPI utility (http://www.codeplex.com/MFCMAPI).
- Create a mail profile for the user’s mailbox.
- Launch MFCMAPI.
- Click Session, then choose Log On and Display Store Table.
- Select the profile for the user’s mailbox.
- Click MDB, then choose Open Default Message Store.
- If prompted, enter the logon credentials for the user account.
- Verify that the CreateStoreEntryID flags value is 0x00000000 and click OK.
- Highlight the Root Container from the Navigation column.
- From the Actions menu, choose Open Associated Contents Table.
- Check the PR_MESSAGE_CLASS (MAPI property 0x001A001E) from each listed message until you find the message containing the IPM.Configuration.Um.Password message class.
- From the details of the IPM.Configuration.Um.Password message, double-click on PR_ROAMING_DICTIONARY (MAPI property 0x7C070102).
- Within the XML data from MAPI tag 0x7C070102, locate the PasswordSetTime value (as highlighted in the screenshot below).
- Open the Exchange Management Shell and enter the following command to convert the binary value from PasswordSetTime to Coordinated Universal Time (UTC), based on Greenwich Mean Time (GMT).
$PasswordSetTime = [DateTime]::FromBinary(5245559975611738561)
- The Exchange Management Shell will return the value Tuesday, September 01, 2009 9:55:18 AM and store it in the variable $PasswordSetTime.
Step 3 – Calculate the PIN Expiration
With these two values in hand, you can now calculate the PIN expiration status for the UM enabled user account using the Exchange Management Shell.
The PIN for this UM enabled user will expire on Friday, October 16, 2009 9:55:18 AM (GMT).