Exchange Web Server Authentication Problem - Share Point 2013 Web Part

    Question

  • Dears,

    Please find below the code snippet which I used to connect to the Exchange server to read emails.

    ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010_SP2);

    ServicePointManager.ServerCertificateValidationCallback = Cert.CertificateValidationCallBack;

    service.Credentials = new NetworkCredential("user", "password", "domain");

    service.Url = new Uri(serverUrl);

    I was trying to connect to the same service based on the currently logged in User via SharePoint webpart.

    In MSDN (http://msdn.microsoft.com/en-us/library/exchange/ff597939%28v=exchg.80%29.aspx)

    It was mentioned like below.

    // Connect by using the default credentials of the authenticated user.

    service.UseDefaultCredentials = true;

    Even though I used the above code entry, I was unable to connect to the web service and was getting the below error:

    The request failed. The remote server returned an error: (401) Unauthorized.

    How can I solve the above mentioned problem?

    thanks in advance,

    Ammar

    Wednesday, July 10, 2013 11:27 AM

All replies

  • If you want to authenticate to EWS with the SharePoint user, you need to set up Kerberos delegation (you may avoid this if SharePoint and Exchange are installed on the same Windows instance).

    http://blogs.msdn.com/b/emeamsgdev/archive/2012/11/05/exchange-web-services-from-a-web-application-using-windows-authentication.aspx

    http://blogs.msdn.com/b/emeamsgdev/archive/2012/07/26/exchange-web-services-and-sharepoint-without-applicationimpersonation.aspx

    http://blogs.technet.com/b/get-exchangehelp/archive/2013/01/31/configuring-kerberos-authentication-in-exchange-2010.aspx

    I just checked my test Exchange 2013 server: the web application pool identity in IIS Manager is LocalSystem. In Active Directory Users and Computers, I checked the computer account for the Exchange server; the serverPrincipalName attribute value contains SPNs starting with exchangeAB, ExchangeMDB and so on. However, I did not find an SPN starting with HTTP. If it's similar in your environment, you may need to add an SPN for HTTP.

    Thursday, July 11, 2013 5:43 AM
    Moderator
  • Thank you very much for your reply.

    As I read in one of the threads on Stack Overflow, they mentioned going ahead with either Exchange Impersonation or Delegate Access. I am in the middle of testing Exchange Impersonation. I will get back to you once it's done. :)

    thanks,

    Ammar


    • Edited by AmmarBIZ Thursday, July 11, 2013 7:55 AM ;)
    Thursday, July 11, 2013 7:54 AM
  • Dears Finally,

    I was able to call my service without any problem after creating an account with Exchange Impersonation.

    Refer the following links:

    thanks,

    Ammar

    • Marked as answer by AmmarBIZ Thursday, July 11, 2013 10:58 AM
    Thursday, July 11, 2013 10:57 AM
  • Could you please let me know:

    Do you want the SharePoint user to access his own mailbox with the DefaultCredential (that is, the current SharePoint web part user, as I understand), or do you want the SharePoint user to access another user's mailbox?

    I learned from http://blogs.msdn.com/b/exchangedev/archive/2009/06/15/exchange-impersonation-vs-delegate-access.aspx that: Exchange Impersonation is different than Windows Impersonation. Windows Impersonation is an operating system concept that requires you to set Kerberos constrained delegation. Exchange Impersonation is a simpler authorization mechanism that is designed for use only within Exchange Web Services (EWS).

    So, Exchange Impersonation is an AUTHORIZATION mechanism that is useful when an AUTHENTICATION mechanism such as Kerberos delegation is not configured. I would recommend the combination of Windows Impersonation and Exchange delegation if someone would like to visit other users' mailboxes.

    Put another way, Exchange Impersonation is just a workaround instead of a solution, as I understand.



    Friday, July 12, 2013 3:12 AM
    Moderator
  • Could you please let me know:

    Do you want the SharePoint user to access his own mailbox with the DefaultCredential (that is, the current SharePoint web part user, as I understand), or do you want the SharePoint user to access another user's mailbox?

    I learned from http://blogs.msdn.com/b/exchangedev/archive/2009/06/15/exchange-impersonation-vs-delegate-access.aspx that: Exchange Impersonation is different than Windows Impersonation. Windows Impersonation is an operating system concept that requires you to set Kerberos constrained delegation. Exchange Impersonation is a simpler authorization mechanism that is designed for use only within Exchange Web Services (EWS).

    So, Exchange Impersonation is an AUTHORIZATION mechanism that is useful when an AUTHENTICATION mechanism such as Kerberos delegation is not configured. I would recommend the combination of Windows Impersonation and Exchange delegation if someone would like to visit other users' mailboxes.

    Put another way, Exchange Impersonation is just a workaround instead of a solution, as I understand.



    Yes, you are correct. My requirement was this: when a SharePoint user logs in to their portal (a SharePoint site), they should be able to see their inbox. As you said, in their client environment they have not even enabled Kerberos authentication. In my case my boundary was to use the Exchange Web Service. So the problem was that when I used service.Defaultcredentials=true; the Exchange Web Service was giving me an access denied or unauthorized error message. Also, when I debugged the code, the credentials being passed to the Web Service were always empty.

    The solution was to create a super user service account in Exchange server which has impersonation rights over the other users, in other words a super user who can access other users' mailboxes.

    Setting up the connection using the super account which can impersonate the others:

    // Setup connection string
    ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2013);
    service.Credentials = new NetworkCredential("superadmin", "password", "domain");

    Impersonating with the user's email address:

    // Impersonation
    service.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, "useremail1@domain.com");

    After the impersonation I'm accessing the inbox for the unread emails as below:

    SearchFilter searchFilter = new SearchFilter.SearchFilterCollection(LogicalOperator.And, new SearchFilter.IsEqualTo(EmailMessageSchema.IsRead, false));

    var inbox = new FolderId(WellKnownFolderName.Inbox);
    var iv = new ItemView(9999);

    FindItemsResults<Item> findResults = service.FindItems(inbox, searchFilter, iv);

    if (findResults.Items.Count > 0)
    {
        foreach (Item item in findResults.Items)
        {
            mailboxDetails a = new mailboxDetails();
            a.Subject = item.Subject;
        }
    }

    thanks,

    Ammar








    • Edited by AmmarBIZ Sunday, July 14, 2013 11:12 AM d..:)
    Sunday, July 14, 2013 10:11 AM
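
Added example, not code from any poster in this thread: because the impersonation account described above can open any mailbox, the web part should bind the impersonated address to the authenticated SharePoint user on the server side and page through results. MailboxReader, GetUnreadSubjects and the way the service credential reaches the method are assumptions made for this sketch.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Microsoft.Exchange.WebServices.Data;
using Microsoft.SharePoint;

// Hypothetical helper class; the name is not from the thread.
public static class MailboxReader
{
    // Returns unread Inbox subjects for the signed-in SharePoint user only.
    // serviceAccount: the impersonation-enabled account, loaded by the caller
    // from a protected store rather than hardcoded (assumption).
    public static List<string> GetUnreadSubjects(Uri ewsUrl, NetworkCredential serviceAccount)
    {
        // Take the target mailbox from the authenticated context, never from a
        // query string, form field or web part property a user could edit.
        // Assumes SPUser.Email holds the user's primary SMTP address.
        SPUser current = SPContext.Current.Web.CurrentUser;
        if (current == null || string.IsNullOrEmpty(current.Email))
            throw new UnauthorizedAccessException("No authenticated user with a mailbox address.");

        var service = new ExchangeService(ExchangeVersion.Exchange2013)
        {
            Url = ewsUrl,
            Credentials = serviceAccount,
            ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, current.Email)
        };

        var filter = new SearchFilter.IsEqualTo(EmailMessageSchema.IsRead, false);
        var view = new ItemView(50) // page size; avoids one 9999-item request
        {
            // Fetch only what is displayed, not full message properties.
            PropertySet = new PropertySet(BasePropertySet.IdOnly, ItemSchema.Subject)
        };

        var subjects = new List<string>();
        FindItemsResults<Item> page;
        do
        {
            page = service.FindItems(WellKnownFolderName.Inbox, filter, view);
            foreach (Item item in page.Items)
                subjects.Add(item.Subject);
            if (page.NextPageOffset.HasValue)
                view.Offset = page.NextPageOffset.Value;
        } while (page.MoreAvailable);
        return subjects;
    }
}
```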