The server to which the application is connected cannot impersonate the requested user due to insufficient permission. RRS feed

  • Question

  • We have developed an application which accesses the mails from the user account by impersonating the user.

    For impersonation, we have executed following two commands in the Exchange Power Shell:

    Add-ADPermission -Identity (Get-ExchangeServer -Identity exchangeservername).DistinguishedName -User (Get-User -Identity "proxyaccount").Identity -extendedRight ms-Exch-EPI-Impersonation

    Add-ADPermission -Identity (Get-User -Identity "useraccount").DistinguishedName -User (Get-User -Identity "proxyaccount").Identity -extendedRight ms-Exch-EPI-May-Impersonate

    We tried running these commands in three environments with different Exchange Server instances and then running app. The app executed correctly in all three environment. However in production the application failed with following exception, even though we run exactly the same commands at the Exchange side  :'( :p .

    Microsoft.Exchange.WebServices.Data.ServiceResponseException : The server to which the application is connected cannot impersonate the requested user due to insufficient permission.
       at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ProcessWebException(WebException webException)
       at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
       at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ValidateAndEmitRequest(IEwsHttpWebRequest& request)
       at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute()
       at Microsoft.Exchange.WebServices.Data.ExchangeService.SubscribeToPushNotifications(IEnumerable`1 folderIds, Uri url, Int32 frequency, String watermark, EventType[] eventTypes)
       at com.cos.app.method() in c:\app\code.cs:line 104

    The environment is runs Exchange Server 2007 and Windows Server 2008.

    What could be the problem?

    Tuesday, July 1, 2014 4:12 PM

All replies

  • Hi Mahesha,

    Hope you are meeting the Prerequisites on Production as well

    The following prerequisites are required to configure Exchange Impersonation:

    •           Administrative credentials for the computer that is running Exchange 2007 that has the Client Access server role installed
    •           Domain Administrator credentials

    The local computer account for the Client Access server must be a member of the Windows Authorization Access Group for Exchange Impersonation to work.


    How many exchange server does your Test environtment has, my guess only one. And ofcouse multiple in Production.

    The problem could be below cmdlet returning multiple values and permissions are not set correctly on all the required servers.

    (Get-ExchangeServer -Identityexchangeservername).DistinguishedName

    Try the below cmdlets:

    This adds the permission to all CAS servers:

    foreach ($exchangeServer in Get-ExchangeServer)
         if ($exchangeServer.ServerRole -match 'ClientAccess')
              Add-ADPermission -Identity $exchangeServer.DistinguishedName -User 'domain\proxyaccount' -ExtendedRights ms-Exch-EPI-Impersonation

    or you can use below commands to add permission to individual CAS servers.

    dsquery computer -name "CAS0*"

    Use the output for each CAS server DN one at a time to run the below command, replacing the DN_of_ClientAccessServer.

    Also put the user as domain\proxyaccount, [(Get-User -Identity "proxyaccount").Identity is "proxyaccount" only right.]

    Add-ADPermissions -Identity 'DN_of_ClientAccessServer' -User 'domain\username'  -ExtendedRights ms-Exch-EPI-Impersonation


    Try giving full mailbox access on the user mailbox and see if it works as a alternate method to access emails without impersonation.

    Add-MailboxPermission -Identity "useraccount" -User proxyaccount -AccessRights FullAccess -InheritanceType all

    Run below on both Test and production to find any difference in access levels:

    Get-MailboxPermission -Identity useraccount -User proxyaccount

    Get-ADPermission -Identity useraccount -User proxyaccount

    Also look if user's permissions are explicitly set to Deny somewhere, remove those if exists for the proxyaccount or its groups.

    Just asking nothing to do with this issue, are you Adding permission using the app and not removing it later once done?



    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, September 22, 2014 10:05 AM