Nick

Reputation: 5892

Issue with Impersonation in Exchange Server 2010

I'm trying to use impersonation in my application to connect to user mailboxes and add/remove appointments.

I created an account called "EWSAdmin" and ran the following EMS commands for it:

New-ManagementScope -Name:"MyEWSImpersonation" -RecipientRestrictionFilter {memberofgroup -eq "cn=My User Container,DC=MyDomain,DC=local"}

New-ManagementRoleAssignment -Name:"MyEWSImpersonation" -Role:ApplicationImpersonation -User:"[email protected]" -CustomRecipientWriteScope:"MyEWSImpersonation"

Just to confuse the issue, I called my scope EWSImpersonation, too.

When I try to connect to the user's mailbox to view an appointment (using a third-party DLL), I get the following error:

Throwing GeneralException e=The account does not have permission to impersonate the requested user.

If anybody could help me diagnose this, I'd appreciate it.

Thanks

Nick

Upvotes: 1

Views: 10231

Answers (3)

Tim

Reputation: 21

It would be nice to have an example for E2010, as it is not as easy as 2007.

Here is an example of creating EWS impersonation for a group. Any member of the group can be impersonated by the service account. Just add additional members to the group as requirements demand. Two steps: create the new management scope, then the role assignment.

New-ManagementScope "Scope Name" -RecipientRestrictionFilter {(MemberOfGroup -eq 'CN=group name,CN=Users,DC=Contoso,DC=com')}

New-ManagementRoleAssignment -Name "EWS ROLE NAME" -Role ApplicationImpersonation -User "Domain\Service Account" -CustomRecipientWriteScope "Scope Name"

Where “Scope Name” is the management scope created in step one.

Upvotes: 1
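The two-step setup above, carried through in EMS with the verification a practitioner wants when the "does not have permission to impersonate" error appears. This is an added example, not code from the answer or from Microsoft. The group name "EWS Impersonation Targets", the service account CONTOSO\svc-ews and the scope and assignment names are assumptions; substitute your own. The points it adds to the answer: MemberOfGroup takes the distinguished name of a group object (resolved here rather than typed), an assignment made without -CustomRecipientWriteScope defaults to the Organization write scope and therefore lets the service account impersonate every mailbox, and the scope's filter can be previewed to confirm the target mailbox actually falls inside it.

```powershell
# Added example (not from the original answer). Assumed names: the group
# "EWS Impersonation Targets" in the forest's default Users container, the
# service account CONTOSO\svc-ews, and scope/assignment names of my choosing.
$GroupName      = 'EWS Impersonation Targets'
$ServiceAccount = 'CONTOSO\svc-ews'
$ScopeName      = 'EWS Impersonation Scope'
$AssignmentName = 'EWS Impersonation Assignment'

# MemberOfGroup needs the distinguished name of a *group*, not of an OU or
# container. Resolve it from Exchange instead of typing it by hand.
$groupDn = (Get-Group -Identity $GroupName).DistinguishedName
if (-not $groupDn) { throw "Group '$GroupName' not found" }

# Step 1: a recipient scope limited to members of that group (idempotent).
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'"
}

# Step 2: grant ApplicationImpersonation to the service account, but only over
# that scope. Leaving out -CustomRecipientWriteScope gives the default
# Organization write scope, i.e. the account could impersonate every mailbox.
if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName `
        -Role ApplicationImpersonation `
        -User $ServiceAccount `
        -CustomRecipientWriteScope $ScopeName
}

# Check (a): which ApplicationImpersonation assignments does the service
# account actually hold, and with what write scope?
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
    Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope

# Check (b): does the scope's filter match the mailbox you are opening?
# If the target user is missing from this list, the permission error from
# EWS is the expected result, not a client-side problem.
$filter = (Get-ManagementScope -Identity $ScopeName).RecipientFilter
Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress
```

Run it in the Exchange Management Shell as an administrator who holds the Role Management role. If check (a) shows an assignment whose RecipientWriteScope is Organization, that is the over-broad grant to remove; if check (b) omits the target user, fix group membership (or the filter) rather than the application.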

jessehouwing

Reputation: 115007

We ran into this issue with a different cause. I want to share it here because when searching for the error message this post and a post on TechNet come up, but not the KB articles that eventually helped us solve the issue.

It turns out that there is a limit to the number of requests any Windows server can make to Active Directory; at some point the Netlogon service just runs out of threads and all kinds of things start to happen. The process is explained in this blog post and this KB article and this KB article. The fix is pretty simple: increase the number of threads available through a simple change to a registry key on every CAS server in the Exchange cluster.

The process is simple:

  1. Start Registry Editor.
  2. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. Create the following registry entry:

    Name: MaxConcurrentApi

    Type: REG_DWORD

    Value: Set the value to the larger number, which you tested (any number greater than the default value).

  4. At a command prompt, run net stop netlogon, and then run net start netlogon.

Notes

  • The maximum value that can be configured depends on the operating system version and whether a hotfix is available.
  • The maximum configurable setting in Windows Server 2003 is 10.
  • The maximum configurable setting in Windows Server 2008 (without the hotfix in this article) is 10. With the hotfix, the maximum is 150.
  • The maximum configurable setting in Windows Server 2008 R2 (without the hotfix in this article) is 10. With the hotfix, the maximum is 150.

If you decide to increase the MaxConcurrentApi value to greater than 10, the load and the performance of the desired setting should be tested in a nonproduction environment before you implement it in production. This is recommended to make sure that increasing this value does not cause other resource bottlenecks.

Upvotes: 2
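The four registry steps above as a single script, added here as an example and not taken from the answer or from the KB article it quotes. It is meant to be run once per CAS server. The new value (20) is an assumption standing in for whatever your own nonproduction load test produced; the 10 and 150 ceilings are the ones stated in the answer's notes. The Netlogon performance-counter read is optional and assumed to be available on the server: the Semaphore Waiters and Semaphore Timeouts counters are the symptom this setting addresses, and capturing them before the change gives you something to compare against afterwards.

```powershell
# Added example (not from the original answer): raise Netlogon's
# MaxConcurrentApi on one Exchange CAS server in a guarded, repeatable way.
$NewValue = 20   # ASSUMPTION: must come from your own nonproduction load test
$Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Name     = 'MaxConcurrentApi'

# Ceilings from the answer's notes: 10 without the hotfix, 150 with it.
if ($NewValue -lt 1 -or $NewValue -gt 150) {
    throw "MaxConcurrentApi must be between 1 and 150; got $NewValue"
}
if ($NewValue -gt 10) {
    Write-Warning 'Values above 10 require the MaxConcurrentApi hotfix for this OS version; verify it is installed.'
}

# Optional baseline. ASSUMPTION: the Netlogon counter set exists on this
# server; if not, Get-Counter returns nothing and the block is skipped.
$counters = Get-Counter -Counter '\Netlogon(*)\Semaphore Waiters',
                                 '\Netlogon(*)\Semaphore Timeouts' `
                        -ErrorAction SilentlyContinue
if ($counters) {
    $counters.CounterSamples | Select-Object Path, CookedValue | Format-Table -AutoSize
}

# Steps 1-3: create or update the REG_DWORD value.
$before = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $before) {
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $NewValue | Out-Null
} else {
    Set-ItemProperty -Path $Key -Name $Name -Value $NewValue
}

# Step 4: Netlogon reads the value at start-up, so restart the service
# (equivalent to "net stop netlogon" followed by "net start netlogon").
Restart-Service -Name Netlogon -Force

$after = (Get-ItemProperty -Path $Key -Name $Name).$Name
$shown = if ($null -eq $before) { '<not set>' } else { $before }
"MaxConcurrentApi on $env:COMPUTERNAME: before=$shown after=$after"
```

Run it from an elevated PowerShell session on each CAS server. Restarting Netlogon briefly interrupts secure-channel authentication on that server, so do it during a maintenance window and one server at a time.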

grapkulec

Reputation: 1020

I know almost nothing about the "admin" side of setting up impersonation for EWS, but maybe you can take a look at this article and compare your actions with what this guy did to make it work:

http://www.thesoftwaregorilla.com/2010/06/exchange-web-services-example-part-3-exchange-impersonation/

In my company the admin set up impersonation according to MSDN and it works for me, so I presume it can't be so hard; probably you missed some steps, or maybe that 3rd-party DLL needs some additional magic.

Link to the MSDN article in case you didn't know it: http://msdn.microsoft.com/en-us/library/bb204095.aspx

Upvotes: 1
