WebService Impersonation problem
I am trying to get calendar items for different users using Exchange 2007 B2 Web Services, and I am getting an error:
"The server to which the application is connected cannot impersonate the requested user due to insufficient permission."
What could the problem be, or is there some other way to get other users' calendar info? My SOAP request is below.
-----------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <ns1:ExchangeImpersonation xmlns:ns1="http://schemas.microsoft.com/exchange/services/2006/types">
      <ns1:ConnectingSID>
        <ns1:PrimarySmtpAddress>jsmith@Reporting</ns1:PrimarySmtpAddress>
      </ns1:ConnectingSID>
    </ns1:ExchangeImpersonation>
  </soapenv:Header>
  <soapenv:Body>
    <FindItem Traversal="Shallow" xmlns="http://schemas.microsoft.com/exchange/services/2006/messages">
      <ItemShape>
        <ns2:BaseShape xmlns:ns2="http://schemas.microsoft.com/exchange/services/2006/types">AllProperties</ns2:BaseShape>
      </ItemShape>
      <ParentFolderIds>
        <ns3:DistinguishedFolderId ChangeKey="calendar" Id="calendar" xmlns:ns3="http://schemas.microsoft.com/exchange/services/2006/types"/>
      </ParentFolderIds>
    </FindItem>
  </soapenv:Body>
</soapenv:Envelope>
All Replies
Ah yes, Exchange Impersonation...
The calling account must be granted the ms-Exch-EPI-Impersonation right on the CAS box itself. That gives the caller the right to impersonate *through* the CAS box. Then you will hit another road block. You will need to give the caller the ms-Exch-EPI-May-Impersonate right on either the mailbox database (to give access to all mailboxes in the database) or on the individual user/contact objects in the directory.
How to do this? You can do it through AD Users and Computers (for May-Impersonate) and AD Sites and Services (for Impersonation). You can also do this via PowerShell with the Add-ADPermission cmdlet.
There should be a public doc somewhere out there related to setting this all up. I don't have the link handy. I will try to dig it up.
Hi David,
I'm new to both Active Directory and Exchange Server 2007. I couldn't figure out how to set permissions through AD Users and Computers and AD Sites and Services. I'm also trying to get impersonation to work and did run Add-ADPermission with the proper parameters.
Would appreciate it much if you could explain us how to do this and/or if you could send the public doc that you mentioned.
Thanks
Duke
In AD Users and Computers, make sure you have Advanced Features turned on. You can do this through the View | Advanced Features menu option. This will allow the Security tab to show up on the property pages. Then simply drill down to get to the user that you want to be impersonated, right click and choose Properties, and then go to the Security tab. Click the Add button, choose the account you want to allow to make the ExchangeImpersonation call, and give it the May-Impersonate right.
In AD Sites and Services, make sure that you turn on the Services node:
1. Turn the Services node on. You can do this through View | Show Services Node. Then drill down to your server. My path was Services | Microsoft Exchange | First Organization | Administrative Groups | Exchange Administrative Group | Servers | MyServer
Of course, your server and org names will likely be different.
Regarding Add-ADPermission, make sure you add the Impersonate right (ms-Exch-EPI-Impersonation) as well as the May-Impersonate right (ms-Exch-EPI-May-Impersonate). The first you are stamping on the Server object and the second you are stamping on either the mailbox database or the actual User object that you want to allow to be impersonated. In both cases you are giving the right to the caller.
Try this link:
Hi David,
Thank you very much for the reply. That worked like a charm. I can now impersonate a user and log in to his email account using login info other than his.
I'm wondering whether there's a way to have a single user account that can impersonate 'all' the other accounts, without setting impersonation in each and every user's account. This helps a lot in maintaining the system especially when new user accounts are created and old ones are deleted.
Thanks again for your prompt and detailed response.
Duke
You can assign the rights on a mailbox-database basis rather than on individual users. From AD Sites and Services, drill down a little further from the server:
Services | Microsoft Exchange | Administrative Groups | Exchange Administrative Group (XYZ) | Servers | MyCASServer | InformationStore | First Storage Group
There should be a mailbox database object (msExchPrivateMDB) in that group. Right click on it and go to Properties | Security and assign the May-Impersonate right to your caller. Then the caller should be able to impersonate any mailbox in that database. Note that the ACL on the individual user takes precedence over the setting on the MDB, so you can allow on the database but then deny on certain mailboxes in that database if you need to.
But, no, there is currently no "system wide" setting in ExchangeImpersonation.
Hi David,
Thank you again for your well written reply. I managed to enable a single user account to impersonate all users and thereby get into all users' email accounts by giving impersonation rights to a user to access mailbox database.
Once again I really appreciate your response, and will certainly get in touch with you if I have a problem with Exchange 2007 integration.
Thanks
Duke
Hi David,
Could you please help me in configuring the permissions on the user and server for impersonation?
I am trying to see in security tab, where to find the following mentioned policies:
- ms-Exch-EPI-Impersonation
- ms-Exch-EPI-May-Impersonate
Hari
- I would suggest using the Add-ADPermission cmdlet in PowerShell instead of going through the UI tools.
- I tried with PowerShell, but it gives me an error saying Add is not a known command. I am still trying with the UI, but am not able to do it. Could you please look into it?
Make sure there are no spaces in "Add-AdPermission". See
http://msdn2.microsoft.com/en-us/library/bb204095.aspx
http://technet.microsoft.com/en-us/library/bb124403(EXCHG.80).aspx
Hi David,
I still get the error, following is the command and results I am going with:
Add-ADPermission -Identity "Hari" -User "harija" -extendedRight ms-Exch-EPI-May-Impersonate
The term 'Add-ADPermission' is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.
Your inputs will be very helpful.
Thanks
- Are you running this from the Exchange Management Shell?
- I am running this on Power Shell Window on Exchange 2007 VHD.
I was able to set the settings as follows:
Impersonation in Exchange Server
Setting the Service Account Can Impersonate
1. Go to AD Sites and Services
2. Select Show Services Node from view
3. Select Services -> MS Exchange -> First Organization -> Administrative Groups -> Exchange Administrative Groups -> Servers -> <xxxx Server Name xxxx>
4. Select Properties -> Security
5. Add Service User Account
6. Check Permission “Exchange Web Services Impersonation”.
Setting the all Mail boxes in a DB can be impersonated by Service Account
1. Go to AD Sites and Services
2. Select Show Services Node from view
3. Select Services -> MS Exchange -> First Organization -> Administrative Groups -> Exchange Administrative Groups -> Servers -> <xxxx Server Name xxxx> -> Information Store -> First Storage Group -> Mailbox Database
4. Select Properties -> Security
5. Add Service User Account
6. Check Permission “Allow Impersonation to Personal Exchange Information”.
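The same two grants David describes above (ms-Exch-EPI-Impersonation on the CAS server object, ms-Exch-EPI-May-Impersonate on the mailbox database, with an optional per-mailbox Deny), done from the Exchange Management Shell instead of the UI steps just listed. This is an added example, not code from the thread. The service account CONTOSO\svc-ews, the server CAS01, the database path and the protected mailbox CONTOSO\ceo are placeholders; replace them with your own. The snap-in check at the top addresses the "Add-ADPermission is not recognized" error reported in this thread, which occurs when the cmdlets are run from a plain PowerShell window rather than the Exchange Management Shell.

```powershell
# Added example: grant and verify Exchange 2007 EWS impersonation rights.
# Placeholder values (assumptions, not from the thread):
$ServiceAccount = 'CONTOSO\svc-ews'
$CasServer      = 'CAS01'
$MailboxDb      = 'CAS01\First Storage Group\Mailbox Database'   # Server\StorageGroup\Database
$ProtectedUser  = 'CONTOSO\ceo'

# Add-ADPermission lives in the Exchange 2007 management snap-in. A plain
# PowerShell window does not load it, which produces
# "The term 'Add-ADPermission' is not recognized as a cmdlet ...".
if (-not (Get-Command Add-ADPermission -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
}

# 1. Let the caller impersonate *through* this Client Access Server.
#    Stamped on the server object (what the UI calls "Exchange Web Services Impersonation").
Get-ExchangeServer -Identity $CasServer |
    Add-ADPermission -User $ServiceAccount -ExtendedRights ms-Exch-EPI-Impersonation

# 2. Let the caller impersonate every mailbox in one database.
#    Stamped on the mailbox database object ("Allow Impersonation to Personal Exchange Information").
Get-MailboxDatabase -Identity $MailboxDb |
    Add-ADPermission -User $ServiceAccount -ExtendedRights ms-Exch-EPI-May-Impersonate

# 3. Optional: the ACE on the user object wins over the database setting, so an
#    explicit Deny here keeps one mailbox out of scope despite the Allow above.
Get-User -Identity $ProtectedUser |
    Add-ADPermission -User $ServiceAccount -ExtendedRights ms-Exch-EPI-May-Impersonate -Deny

# 4. Verify: show only the EPI rights the service account holds on a given object.
function Get-EpiRights($Identity) {
    Get-ADPermission -Identity $Identity -User $ServiceAccount |
        Where-Object { $_.ExtendedRights -like 'ms-Exch-EPI-*' } |
        Select-Object Identity, ExtendedRights, Deny
}

Get-EpiRights (Get-ExchangeServer -Identity $CasServer).DistinguishedName
Get-EpiRights (Get-MailboxDatabase -Identity $MailboxDb).DistinguishedName
Get-EpiRights (Get-User -Identity $ProtectedUser).DistinguishedName
```

One caveat worth keeping in mind: after step 2 the service account's credentials are a single path into every mailbox in that database, so treat them like any other high-value secret (dedicated account, no interactive logon, strong password rotation), and use the Deny in step 3 for mailboxes that must never be readable through the service.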
- I just wanted to let you all know that this ALMOST worked out for me. I got to Active Directory Sites and Services, but the tab 'Security' didn't show up after selecting Server properties. Then I used ADSI Edit and followed the same path.. that did work!
- Per the Security tab: IIRC, you need to check "Show Advanced Options" or something like that under Tools?? on the main menu. Then when you bring up the property page for the object in question, the Security tab will be present.
David Sterling | Microsoft Exchange Web Services | http://www.microsoft.com/MSPress/books/10724.aspx
- I can't see it, David, using Active Directory Sites and Services...
- Hi Prasad,
I cannot locate the Security tab; also the ExAdmin in the registry is not present....
- This thread has been going for a while, I see. I am also finding it odd that Add-ADPermission comes up with the error above, "Add-ADPermissions is not recognized as a cmdlet". Anyone ever find a fix for this?