EWS impersonation question?

  • Question

  • Hello guys,

    We have a web application for making meeting reservations. We would like to integrate this application with Exchange in order to place meeting reservations from both of them. I wonder if EWS impersonation is a security bug? If it is, then is there a way to do this integration?

    Best Regards & Thanks in advance.

    Monday, June 6, 2016 7:02 PM

All replies

  • Oh well. If you let the password for your service account be known, it's not so much a security issue as a privacy issue, but a significant issue nonetheless. So, as is the case with any credentials that give more access than your average user, you need to be careful about

    • who knows that password
    • on which machines that password is stored and who else has access to them
    • who has the right to change code running under that account

    That said, for just appointment manipulation you can combine the new ways (EWS) with the old (calendar permissions/MAPI):

    • give your service account appropriate permissions on the user calendars ("Contributor" or "Contributing Editor" might fit the bill; give it Owner for testing)
    • give it an Exchange mailbox as well and restrict it from doing stuff you wouldn't like it to do (like sending external mail)
    • and then just use its access to the users' calendars like you would from within Outlook:
    Dim _cal As New Microsoft.Exchange.WebServices.Data.FolderId(Microsoft.Exchange.WebServices.Data.WellKnownFolderName.Calendar, New Microsoft.Exchange.WebServices.Data.Mailbox(_otherUsersEmailAddress))


    Evgenij Smirnov

    msg services ag, Berlin -> http://www.msg-services.de
    my personal blog (mostly German) -> http://it-pro-berlin.de
    Windows Server User Group, Berlin -> http://www.winsvr-berlin.de
    Mark Minasi Technical Forum, reloaded -> http://newforum.minasi.com

    In theory, there is no difference between theory and practice. In practice, there is.

    Monday, June 6, 2016 8:02 PM
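    As an added example (not code from the thread or from its author), the following PowerShell script carries out the three steps above and the "connect as yourself, use your folder rights" approach from the later replies. The service account, user names, EWS URL and the EWS Managed API 2.2 DLL path are placeholders; the Exchange cmdlets need an Exchange Management Shell session.

```powershell
# Added example, not code from the thread: implements the permissions-based route
# (calendar folder rights instead of ApplicationImpersonation). Account, user names,
# URL and DLL path are placeholders; run from the Exchange Management Shell.
$ServiceAccount = 'svc-rooms@contoso.example'
$Users          = @('alice@contoso.example', 'bob@contoso.example')

# Step 1: grant the service account Contributor on each user's Calendar folder only.
# Contributor = create items + folder visible; it cannot read or edit existing items,
# so a leaked password exposes far less than ApplicationImpersonation would.
foreach ($u in $Users) {
    $folder   = "$($u):\Calendar"
    $existing = Get-MailboxFolderPermission -Identity $folder -User $ServiceAccount `
                    -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $folder -User $ServiceAccount -AccessRights Contributor
    } else {
        Add-MailboxFolderPermission -Identity $folder -User $ServiceAccount -AccessRights Contributor
    }
}

# Step 2: make sure nobody has quietly given the account org-wide impersonation.
$imp = Get-ManagementRoleAssignment -Role ApplicationImpersonation `
           -RoleAssignee $ServiceAccount -ErrorAction SilentlyContinue
if ($imp) { Write-Warning "$ServiceAccount holds ApplicationImpersonation: $($imp.Name -join ', ')" }

# Step 3: use the granted rights from the EWS Managed API, authenticating as the
# service account itself (no ImpersonatedUserId), the same FolderId pattern as above.
Add-Type -Path 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
$ews  = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService(
            [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
$ews.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials($cred.UserName, $cred.GetNetworkCredential().Password)
$ews.Url = New-Object Uri('https://mail.contoso.example/EWS/Exchange.asmx')  # fixed URL, no autodiscover redirects

$calendar = New-Object Microsoft.Exchange.WebServices.Data.FolderId(
    [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Calendar,
    (New-Object Microsoft.Exchange.WebServices.Data.Mailbox('alice@contoso.example')))

$appt = New-Object Microsoft.Exchange.WebServices.Data.Appointment($ews)
$appt.Subject = 'Room booking from reservation system'
$appt.Start   = (Get-Date).AddDays(1).Date.AddHours(10)
$appt.End     = $appt.Start.AddHours(1)
$appt.Save($calendar, [Microsoft.Exchange.WebServices.Data.SendInvitationsMode]::SendToNone)

# A Contributor cannot list existing items; this call fails unless Reviewer/Editor was granted.
try   { $null = $ews.FindItems($calendar, (New-Object Microsoft.Exchange.WebServices.Data.ItemView(1))) }
catch { Write-Host "Read blocked as expected: $($_.Exception.Message)" }
```

    The final FindItems call is the practical check that the account really has only create rights on the calendar and nothing on the rest of the mailbox.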
  • Hi Evgenij,

    Thanks for your reply. Password will be shared with the other meeting reservations application. Password will be stored in app server of this meeting reservations application. Can they access other employees inbox and capture sensitive information?

    Tuesday, June 7, 2016 4:57 AM
  • Hi, they can do anything the mailbox owner can. If you access a mailbox by impersonation, you *are* the mailbox owner at that time.

    Evgenij Smirnov

    Tuesday, June 7, 2016 5:19 AM
  • So is there another way to make the integration rather than using impersonation?
    Tuesday, June 7, 2016 5:22 AM
  • Sure, see the second half of my first reply.

    Evgenij Smirnov

    Tuesday, June 7, 2016 6:34 AM
  • Hi Evgenij,

    Is there a way to integrate without EWS? Security team does not allow us to use EWS.

    Best Regards.

    Tuesday, June 21, 2016 12:13 PM
  • Hi, they probably do not allow you to use *impersonation* since you can't really disallow EWS in Exchange without breaking almost everything. Without impersonation, you can connect to EWS as yourself and then utilize your access rights to access other mailboxes you have permissions on. So if you only are allowed to access the calendar, that's what you will be able to access. If even that is not an option (but why wouldn't it be?) you are probably down to using Outlook and automating it via a COM object...

    Evgenij Smirnov

    Tuesday, June 21, 2016 12:26 PM
  • hello Evgenij,

    How can I connect to EWS as myself and then access mailboxes? I can access only my mailbox. And would you please provide information about the COM object? Any sample to implement via COM?

    Best Regards.

    Wednesday, June 22, 2016 5:59 AM
  • How can I connect to EWS as myself and then access mailboxes? I can access only my mailbox.

    If you can access another Mailbox via Outlook, you can do it via EWS as well. Take a close look at the line of code I posted in my very first reply to this thread.

    And would you please provide information about the COM object? Any sample to implement via COM?

    https://msdn.microsoft.com/en-us/magazine/dn189202.aspx


    Evgenij Smirnov

    Wednesday, June 22, 2016 9:16 AM
  • Hi Evgenij,

    One last question :) Is there a way to integrate exchange to this web application in order to get meeting reservation info via Custom Transport Agent without impersonation? (minimum access)

    Best Regards

    Thursday, June 30, 2016 1:50 PM
  • Hi, I don't see how a custom transport agent would help here, as it would only catch messages in transit, so it wouldn't be able to download calendar entries made by Outlook or ActiveSync. Maybe I am misunderstanding what you are aiming at.

    Evgenij Smirnov

    Friday, July 1, 2016 6:07 AM