error: “The account does not have permission to impersonate the requested user” even though I have impersonation access given to the service account

  • Question

  • I have a Windows Service which listens to On-Premise Exchange mailboxes using EWS with Impersonation Access.

    I have one Admin User (Service Account) which has Impersonation Access, and I have configured the same user for my Windows Service Logon.

    I am using NTLM Authentication in C#.Net to log in and impersonate the mailbox. When I start my Windows service and try to impersonate the mailbox, I get the following error even though I have Impersonation Access for my service account.

    Error While initial sync for mailbox SCHEDTEST91@SCHED2010.COM. Exception: Microsoft.Exchange.WebServices.Data.ServiceResponseException: The account does not have permission to impersonate the requested user.
       at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ProcessWebException(WebException webException)
       at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
       at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ValidateAndEmitRequest(IEwsHttpWebRequest& request)
       at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute()
       at SXA.ES.EWSNotificationListenerService.NotificationListener.NotificationSynchronizerBase.GetCurrentSyncState(String smtpAddress, String autodiscoverUrl)

    The surprising part is that this issue is happening with specific Virtual Machines where my Windows Service is hosted.

    I have a total of 4 Virtual Machines. Out of the 4 VMs, the Windows Service is working fine and able to impersonate the mailbox on 2 VMs, but with the same configuration and the same setup the other 2 are having the above-mentioned error.

    I tried searching Google a lot for this issue and could not find any post.

    I am seeking help here to address this issue. Please let me know if anyone has come across the same issue while working with the EWS Service with C#.Net and has a solution for this.

    Note: If I use Basic Authentication here, then it is working fine on these 2 VMs as well; this issue is happening with NTLM Windows Authentication only.

    Tuesday, September 11, 2018 7:23 PM

Answers

  • I have further investigated and found the root cause of this issue; see the details below and how to fix it.
    1. Actually, I had installed Outlook and configured an email account (a user email account which does not have Impersonation Access) on the VM where I was facing the issue. Upon restarting Outlook right after the email account configuration, it prompted a dialog for credentials; there I entered the user name and password, and along with that I checked the “Remember my credentials” check box as well and clicked OK.
    2. Now if you go to Control Panel\User Accounts\Credential Manager, you will see two entries in the Windows Credentials section: one for the Exchange Server network address (ABCEXCHANGESERVER.DOMAIN.COM) with the same user name as the one you have configured in Outlook, and another separate entry for the same user name as a Windows Identity.
    3. When I removed the Exchange Server network address (ABCEXCHANGESERVER.DOMAIN.COM) entry from Control Panel\User Accounts\Credential Manager, this issue got resolved.
    4. As per my understanding, ABCEXCHANGESERVER.DOMAIN.COM is the Exchange server domain/network address in our case and is used by both EWS and Outlook when accessing mailboxes.
    So when we configure a mailbox in Outlook and check the “Remember my credentials” check box on the credentials dialog, it caches credentials in Credential Manager for the Exchange call to ABCEXCHANGESERVER.DOMAIN.COM as well as for the mailbox profile.
    Now when our service tries to call ABCEXCHANGESERVER.DOMAIN.COM using NTLM, it first checks the credentials cache for the ABCEXCHANGESERVER.DOMAIN.COM network/domain address, and if any entry is found there, it always uses the cached credentials instead of our service logon credentials.
    5. If anyone is facing the same issue, just clear the Exchange Server network address entry from Control Panel\User Accounts\Credential Manager and the issue will get resolved. My suggestion is to avoid configuring Outlook on the VM.

    Hope this will help.

    • Marked as answer by a_p_0819 Friday, October 5, 2018 7:35 PM
    • Edited by a_p_0819 Friday, October 5, 2018 7:36 PM
    • Unmarked as answer by a_p_0819 Friday, October 5, 2018 7:36 PM
    • Marked as answer by a_p_0819 Friday, October 5, 2018 7:36 PM
    Friday, October 5, 2018 7:35 PM
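A diagnostic for the root cause described in this answer, added here as an example and not part of the thread: it parses `cmdkey /list` for the account it is run under and flags any stored credential whose target matches the Exchange host (the ABCEXCHANGESERVER.DOMAIN.COM placeholder from the answer), optionally removing it with `cmdkey /delete`. Because the Credential Manager vault is per user, it must be run in the service account's own session to see the entry that affects the service; the function name and parameters are this example's own.

```powershell
# Added example, not the thread's code. Finds Credential Manager entries for the
# Exchange host that would override the service logon identity on NTLM EWS calls.
param(
    [string]$ExchangeHost = 'ABCEXCHANGESERVER.DOMAIN.COM',  # placeholder host from the thread
    [switch]$Remove                                           # delete matching entries
)

function Get-StoredCredentialTarget {
    # Parse 'cmdkey /list' output into objects with Target / Type / User fields.
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+)$') {
            $current.Type = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
            $current.User = $Matches[1].Trim()
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

# The vault is per user: this name must be the service account, not an admin's session.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Checking Credential Manager for $identity"

$hits = Get-StoredCredentialTarget | Where-Object { $_.Target -like "*$ExchangeHost*" }
if (-not $hits) {
    Write-Host "No stored credential for $ExchangeHost; NTLM will use the logon identity."
    return
}
foreach ($hit in $hits) {
    Write-Warning ("Stored credential {0} ({1}) as user '{2}' will be used instead of the service logon." -f $hit.Target, $hit.Type, $hit.User)
    if ($Remove) {
        # cmdkey /delete takes the target name without the 'Domain:target=' prefix shown by /list.
        $name = $hit.Target -replace '^(Domain|LegacyGeneric):target=', ''
        cmdkey "/delete:$name" | Out-Null
        Write-Host "Removed stored credential for $name"
    }
}
```

Run it first without -Remove from a prompt opened as the service account; a hit whose User is a mailbox account without impersonation rights matches the alias seen in the EWS log's AuthenticatedUser field in this thread.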

All replies

  • Hi Arpan_Patel,

    Do your four VMs have the same configuration?

    If yes, here is the solution listed below; to use NTLM, the following points must be met:

    1. You need to associate your email account with a domain account.
    2. Users are logged into a domain that uses NTLM authentication.
    3. The service application must have a domain account that fully leverages NTLM authentication.

    You can use Basic Authentication; this means you have already turned off NTLM authentication for all users to use Basic Authentication.

    Reference from:

    https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/authentication-and-ews-in-exchange


    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread.

    Wednesday, September 12, 2018 3:27 AM
  • Does the issue persist?

    Friday, September 14, 2018 1:20 AM
  • Yes, the issue still persists.

    1. Yes, my email account is associated with a domain account.

    2. Yes, I have configured my service account, which has Impersonation Access, in the Windows Service Logon properties.

    3. Yes, my service application has a domain account that fully leverages NTLM authentication.

    As I mentioned, this is a VM-specific issue; I have another VM where it is working completely fine with the same configuration and the same service account.

    Further, I have reviewed the EWS logs on the Exchange Server and found one difference:

    When the request is sent to the Exchange Server from the non-working VM, it shows the alias name (SCHED2010\SchedTest11) in the AuthenticatedUser field in the EWS logs even though I am setting the SMTP address from C# code, but when the request is sent from the working VM it shows the SMTP address in the AuthenticatedUser field. I suspect that since it is sending the alias name instead of the email address, this issue is happening. I am trying to figure out why this difference exists, but so far I have not found anything.

    Not working log : 2018-09-13T19:09:59.044Z,Negotiate,True,SCHED2010\SchedTest11,,Mailbox Group: https://azuesexc2010exc.sched2010.com/EWS/Exchange.asmxOnPremise (ExchangeServicesClient/15.00.0847.030),10.202.14.105,AZUESEXC2010EXC,,500,,,b94703f6298f49ec9ffb346cfde2436a,,,,,,,,,,,,,,,,,,,,,,,,,,,,31,,,

    Working Log : 2018-09-13T19:32:32.443Z,Negotiate,True,SchedTest11@sched2010.com,,NotificationSynchronizerBase (ExchangeServicesClient/15.00.0913.015),10.202.14.13,AZUESEXC2010EXC,SyncFolderItems,200,,SchedTest11@sched2010.com,cc1fdb73c22e4a38bf9704b50f975aa3,0,1,0,0,30000/30000/0%,30000/30000/0%,54000/53955/1%,54000/53955/1%,36000/36000/0%,36000/36000/0%,1000/0,1000/0,5000/2,5000/2,,,,Mailbox Database 0630856309,-1%,0,DefaultThrottlingPolicy_c733d828-fae1-470a-b1da-ff1d82557dec,00:00:00,[C],0,0,2,0,78,X-ClientStatistics=MessageId=;ResponseTime=171;SoapAction=GetStreamingEvents;;,,


    • Edited by a_p_0819 Friday, September 14, 2018 5:00 PM highlighted few details
    Friday, September 14, 2018 3:01 PM
  • Have you set the default recipient?


    Tuesday, September 18, 2018 1:18 AM
  • No, there is no default recipient. The Windows Service which we have implemented is not sending emails/meeting invites to the mailbox; it listens to the mailbox for all calendar events via streaming notifications.
    Thursday, September 20, 2018 1:58 PM