[E2007] [EWS] [PHP]: How to configure impersonation (I have searched and tried other answers)

  • Question

  • Exchange Version: 2007 SP1 Version 08.03.0083.000
    API Name: Exchange Web Services (EWS) - General
    API Version: 2007 SP1
    Targeted features: Use Impersonation on Exchange Server 2007 SP1, which also is the domain controller Win 2003 SP2
    Scenario description:

    Development Server, Single Server: Domain Controller, IIS and Exchange CAS Server all on one box, no other domain associations or memberships.  All user accounts are local.

    I am familiar with this page: http://msdn.microsoft.com/en-us/library/bb204095.aspx but it deals with Exchange 2010 and the New-ManagementRoleAssignment cmdlet is not available in 2007 SP1.

    Then I found this page: http://msdn.microsoft.com/en-us/library/bb204095%28v=EXCHG.80%29.aspx

    Well there is something missing because my call does not work with impersonation.  The same call works using the username and password of the account I am working with, but not when I do impersonation.

    Here are the steps I followed, please tell me where I went wrong:
    In AD Users and Computers, I right clicked on Users -> New -> User.  Created user with first name:Impersonation and last name:User, logon name 'Impersonation_User'
    Opened the Exchange Management Console and issued the following two commands:

    Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity "Impersonation User" | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
    Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User "Impersonation User" -ExtendedRights ms-Exch-EPI-May-Impersonate}

    Rebooted the Exchange Server

    Impersonation does not work.

    Out of desperation I issued this command at the Exchange Management Console:
    Add-ADPermission -Identity "UserName I want to impersonate" -User "Impersonation User" -extendedRight ms-Exch-EPI-May-Impersonate

    Impersonation does not work.

    Then I added the local server computer account to the group "Windows Authorization Access Group"

    Impersonation does not work.

    How do I know Impersonation does not work?  I always get back a SOAP Fault from my request that simply says, "An internal server error occurred".

    I have even verified through AD Sites and Services that the "Impersonation User" account has impersonation right on the CAS server by doing the following:
    a. Start AD Sites and Services
    b. Click on the root node of the tree on the left hand pane and then choose View | Show Services Node (make sure it is checked).
    c. Expand the Services node as follows:
      Services/Microsoft Exchange/First Organization/Administrative Groups/Exchange Administrative Group/Servers/
    d. Choose the CAS server (it is a child of "Servers")
    e. Right click on the CAS server and choose Properties and go to the Security tab on the property page.
    f. Scroll through the list of users in the list box at the top and find the "Impersonation User" account.  It is there.
    g. Select the "Impersonation User" account in the upper list box, then scroll down the list of privileges until you get to "Exchange Web Services Impersonation".  It is checked.

    Finally I verified the user "Impersonation User" has the ms-Exch-EPI-May-Impersonate right on the Mailbox by doing this:
    a. Start AD Sites and Services
    b. Click on the root node of the tree on the left hand pane and then choose View | Show Services Node (make sure it is checked).
    c. Expand the Services node as follows:
      Services/Microsoft Exchange/First Organization/Administrative Groups/Exchange Administrative Group/Servers/ServerName/InformationStore/First Storage Group/Mailbox Database
    d. Right click on the Mailbox Database and choose Properties and go to the Security tab on the property page.
    f. Scroll through the list of users in the list box at the top and find the "Impersonation User" account.  It is there.
    g. Select the "Impersonation User" account in the upper list box, then scroll down the list of privileges until you get to "Allow Impersonation to Exchange Personal information".  It is checked.

    I suspect I did something incorrectly, or there is an implied action that I missed.
    Is there a server log I can view to shed light on the problem? Ideas?  Help?

    Thanks.

    Tuesday, August 23, 2011 10:40 PM

Answers

  • Finally discovered the issue.  Based on the error response I went back to investigate what xml is being generated.  I noticed the soap header for ExchangeImpersonation looked unusual.  When creating the Soap Header for ExchangeImpersonation, in PHP you supply the namespace in the SoapHeader() call.  The namespace I was specifying was incorrect.  The correct namespace is http://schemas.microsoft.com/exchange/services/2006/types

    So the actual header generating line looks like this:

    $headers[] = new SoapHeader("http://schemas.microsoft.com/exchange/services/2006/types", "ExchangeImpersonation", $impheader, false);

    When I changed the namespace parameter everything started working using Impersonation.

    Just wanted to post back to help others.

    • Marked as answer by KB Go Pokes Friday, August 26, 2011 3:26 PM
    Friday, August 26, 2011 3:25 PM
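
The namespace fix described in the answer can be checked offline by capturing the envelope PHP generates and inspecting the header's namespace with a DOM parser. This is an added example, not the poster's code: `CapturingSoapClient`, `buildEnvelope` and `impersonationHeaderOk` are hypothetical names, the endpoint and mailbox address are placeholders, and the "wrong" namespace is a constructed value because the post does not say which one was originally used. The `ConnectingSID`/`PrimarySmtpAddress` child elements come from the Exchange 2007 EWS schema, not from the post.

```php
<?php
// Added example, not the poster's code. Needs ext-soap and ext-dom.
const EWS_TYPES    = 'http://schemas.microsoft.com/exchange/services/2006/types';
const EWS_MESSAGES = 'http://schemas.microsoft.com/exchange/services/2006/messages';

// Records the outgoing envelope instead of sending it (nothing goes on the wire).
class CapturingSoapClient extends SoapClient
{
    public $captured = '';

    public function __doRequest($request, $location, $action, $version, $oneWay = false): ?string
    {
        $this->captured = $request;
        // Canned empty reply so the client has something valid to parse.
        return '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body/></s:Envelope>';
    }
}

// Build the envelope for a call impersonating $smtp, with the header placed in $headerNs.
function buildEnvelope(string $headerNs, string $smtp): string
{
    $addr    = new SoapVar($smtp, XSD_STRING, null, null, 'PrimarySmtpAddress', EWS_TYPES);
    $sid     = new SoapVar(['PrimarySmtpAddress' => $addr], SOAP_ENC_OBJECT, null, null, 'ConnectingSID', EWS_TYPES);
    $payload = new SoapVar(['ConnectingSID' => $sid], SOAP_ENC_OBJECT);

    $client = new CapturingSoapClient(null, [
        'location' => 'https://ews.example.invalid/EWS/Exchange.asmx', // placeholder endpoint
        'uri'      => EWS_MESSAGES,
    ]);
    $client->__setSoapHeaders([new SoapHeader($headerNs, 'ExchangeImpersonation', $payload, false)]);
    try { $client->__soapCall('GetFolder', []); } catch (SoapFault $e) { /* reply is canned */ }
    return $client->captured;
}

// True only if exactly one ExchangeImpersonation header exists in the EWS types namespace.
function impersonationHeaderOk(string $xml): bool
{
    $doc = new DOMDocument();
    if ($xml === '' || !$doc->loadXML($xml)) return false;
    $nodes = $doc->getElementsByTagNameNS(EWS_TYPES, 'ExchangeImpersonation');
    return $nodes->length === 1 && $nodes->item(0)->parentNode->localName === 'Header';
}

// Constructed comparison: a wrong namespace (messages) next to the correct one (types).
foreach ([EWS_MESSAGES, EWS_TYPES] as $ns) {
    $xml = buildEnvelope($ns, 'user@example.invalid');
    echo $ns, ' => ', impersonationHeaderOk($xml) ? 'ok' : 'wrong namespace', PHP_EOL;
}
```

Running the same check against the real client's `__getLastRequest()` output (with the `trace` option enabled) shows whether a header mismatch is the cause before looking at server-side permissions.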