[E2010][EWSMA] Impersonation Configuration RRS feed

  • Question

  • Hi

    Exchange 2010 SP2
    EWS API 2.0

    I'm looking for specific advice regarding configuring of impersonation accounts and security groups.


    We have a single Exchange 2010 production environment with 2 CAS servers in different domains. I have 3 environments development, QA and production that have WCF and Windows service that access Exchange and act as an interface to Exchange to a back-end application also running in each environment. All environment services are running and accessing Exchange.

    Current Impersonation Setup

    A single impersonation account used in the services to impersonate in development, QA and production environments.

    Three security groups that contain users to impersonate specific to each environment.

    Three ManagementScope and ManagementRoleAssignment configured in Exchange, one for each environment/security group, all assigned to the single impersonation user account. Both QA and production services are running and accessing Exchange


    Is this a recommended configuration in this scenario?

    3 environments, 3 security groups, 3 impersonation roles/scope to 1 impersonation user in 1 Exchange environment?


    We seeing intermittent exceptions being raised by EWS 'access denied' on updating tasks and appointments for valid impersonation user accounts in the production services.

    If anyone has any advice about this being a valid configuration, it would be very much appreciated.

    Kind regards,


    Tuesday, April 8, 2014 10:53 AM