Impersonation between both Exchange 2007 and 2010 using the EWS managed API

  • Question

  • My question is: "is it possible for a mailbox sitting on Exchange 2010 to impersonate a user on Exchange 2007 and, if so, how?"

    Some background to what I've tried.

    My company is staggering moving everyone from Exchange 2007 to Exchange 2010 and I have a few services which run and insert appointments in people's calendars, e.g. reminders, leave details.  So I will have to be able to impersonate mailboxes on both servers.

    I've run the new role-based PowerShell script below on the 2010 server and successfully got impersonation to work between Exchange 2010 mail accounts.

    New-ManagementRoleAssignment -Name:impersonateForEWS -Role:ApplicationImpersonation  -User:'DOMAIN\Mail2010-1'

    However, the mail accounts moved to 2010 no longer seem to be able to impersonate accounts still on 2007 even though the user still has "Full Access Permission" on the 2007 mailboxes.

    For example, say I have three users, two mailboxes are on Exchange 2010 (Mail.2010-1 and Mail.2010-2) and one mailbox is on Exchange 2007 (Mail.2007).

    If I create an exchangeservice object as Mail.2010-1, I can successfully impersonate Mail.2010-2 and enumerate through their inbox items.  However, if I try to impersonate Mail.2007, I get the following error when trying to get their inbox items (connecting works fine):

    The server to which the application is connected cannot impersonate the requested user due to insufficient permission.

    Note: I have logic within my code to switch the exchangeservice version based on the Impersonated user's exchange version.

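    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.Exchange.WebServices.Data;

    private Boolean connectToExchange(ref ExchangeService exchService, string strConnectAs) {
     // First attempt: connect with the Exchange 2010 schema version.
     bool bSuccessfulConnect = exchangeConnection(ref exchService, strConnectAs, ExchangeVersion.Exchange2010);
     if (exchService != null && bSuccessfulConnect == true) {
      // check correct service used: if Autodiscover resolved to the 2007 host,
      // reconnect with the Exchange 2007 SP1 schema version
      if (exchService.Url.Host.ToLower() == "exch2007" && exchService.RequestedServerVersion.ToString() == "Exchange2010")
      {
        bSuccessfulConnect = exchangeConnection(ref exchService, strConnectAs, ExchangeVersion.Exchange2007_SP1);
      }
     }
     return bSuccessfulConnect;
    }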

    And my exchange connection code is:

    // NOTE: currently logged onto computer as mail.2010-1
    // sbFeedback is the feedback buffer declared elsewhere in the class.
    ExchangeService exchService = null;
    if (connectToExchange(ref exchService, "mail.2007@domain.com") == true)
    {
     // Newest 10 items of the impersonated user's inbox, top level only
     ItemView view = new ItemView(10);
     view.OrderBy.Add(ItemSchema.DateTimeReceived, SortDirection.Descending);
     view.Traversal = ItemTraversal.Shallow;
     try
     {
      FindItemsResults<Item> findResults = exchService.FindItems(WellKnownFolderName.Inbox, view);
      sbFeedback.Append("_____________________________________" + Environment.NewLine + "---- MESSAGES ----" + Environment.NewLine);
      foreach (Item oEmail in findResults.Items)
      {
       if (oEmail is EmailMessage)
       {
        sbFeedback.Append((oEmail as EmailMessage).Subject + Environment.NewLine);
       }
      }
     }
     catch (Exception ex)
     {
      sbFeedback.Append("ERROR :  " + ex.Message + Environment.NewLine);
     }
    }

    private Boolean exchangeConnection(ref ExchangeService exchService, string strConnectAs, Microsoft.Exchange.WebServices.Data.ExchangeVersion oExchangeVersion)
    {
     bool bSuccessfulConnect = false;
     try
     {
      // connect to the exchange web services and login
      // This callback accepts every server certificate, so TLS server
      // certificate validation is switched off for the whole process.
      System.Net.ServicePointManager.ServerCertificateValidationCallback =
       delegate(Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors)
       { return true; };  // http://msdn.microsoft.com/en-us/library/bb408523.aspx
      exchService = new ExchangeService(oExchangeVersion);
      // Authenticate as the logged-on Windows account
      exchService.UseDefaultCredentials = true;
      exchService.AutodiscoverUrl(strConnectAs);
      // Act on behalf of the target mailbox
      exchService.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, strConnectAs);
      bSuccessfulConnect = true;
     }
     catch (AutodiscoverLocalException ex)
     {
      sbFeedback.Append("Error autodiscovering url : " + ex.Message + Environment.NewLine);
     }
     catch (Exception ex)
     {
      sbFeedback.Append("Error connecting to Exchange Web Service: " + ex.Message + Environment.NewLine);
     }

     return bSuccessfulConnect;
    }
    

    Thanks for your help :)

    Thursday, May 13, 2010 2:09 AM
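
The `New-ManagementRoleAssignment` command in the question sets no recipient scope, so the assignment uses the role's default organization-wide scope. The following is an added example, not part of the original post: it limits ApplicationImpersonation on Exchange 2010 to tagged mailboxes and lists who effectively holds the role. The scope name, the new assignment name and the `CustomAttribute1` marker value are assumptions.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# Hypothetical names (not from the original post): $scopeName, $assignmentName
# and the CustomAttribute1 marker value 'EWSCalendarService'.

$serviceAccount = 'DOMAIN\Mail2010-1'          # service account named in the post
$scopeName      = 'EWS-Calendar-Mailboxes'     # hypothetical scope name
$assignmentName = 'impersonateForEWS-Scoped'   # hypothetical assignment name

# 1. Define a recipient scope: only mailboxes explicitly tagged for the service.
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'EWSCalendarService'"

# 2. Grant ApplicationImpersonation to the service account, limited to that scope.
New-ManagementRoleAssignment -Name $assignmentName `
    -Role ApplicationImpersonation `
    -User $serviceAccount `
    -CustomRecipientWriteScope $scopeName

# 3. After the scoped assignment has been verified, remove the unscoped one
#    created by the command in the post (prompts for confirmation).
Remove-ManagementRoleAssignment -Identity 'impersonateForEWS'

# 4. Audit: list every account that effectively holds the impersonation role
#    and the recipient scope each assignment applies to.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize
```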

Answers

  • Well, not really a solution but I've managed to work with both Exchange versions by doing the following.

    Creating three exchange services, one for 2007 and the other for 2010 and then a "holder" ExchangeService variable which swops between the previous two based on the Impersonated user's exchange version (determined by the URL).

    I then login as a 2007 user with permissions for both Exchange servers - a 2010 user didn't seem to work backwards to 2007.

    It's a bit messy but we should hopefully only be using both versions for a week or so.  Example code below:

    // One pre-built service per Exchange version
    exchangeConnection(ref exch2007, "mail2007", ExchangeVersion.Exchange2007_SP1);
    exchangeConnection(ref exch2010, "mail2010-1", ExchangeVersion.Exchange2010);
    // "Holder" service: autodiscover to find out which server hosts the mailbox
    bool bSuccessfulConnect = exchangeConnection(ref exchService, strConnectAs, ExchangeVersion.Exchange2007_SP1);

    exchService.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, strEmail);
    // Swap the holder for the service matching the autodiscovered host
    if (exchService.Url.Host.ToLower() == "exchange2010")
    {
     exchService = exch2010;
    }
    else
    {
     exchService = exch2007;
    }
    // Impersonate the target mailbox on the selected service
    exchService.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, strEmail);
    
    • Marked as answer by OzCatt Friday, May 14, 2010 12:44 AM
    Friday, May 14, 2010 12:44 AM