Why won’t my Exchange Web Services impersonation code work?

I get this question a lot, so I thought I’d write a short post while I stare at progress bars…


In EWS, impersonation allows your code to perform operations using the permissions of the impersonated account.  For example, if a service were running under a service account that could impersonate me, the service could use EWS to send mail, schedule meetings, etc. using my permissions.  The results (emails, meetings, etc.) would be indistinguishable from mailbox items I created myself.

If the calling account doesn’t have the correct permissions to impersonate, your calls will fail.

In order to impersonate an account, the caller needs two permissions in AD:

  1. Permission to Impersonate: The calling account needs to be established as an account that can perform impersonation.  This is granted via the AD permission ms-Exch-EPI-Impersonation.
  2. Permission to Impersonate an Account: After being granted the permission to impersonate, the calling account needs the permission to impersonate a specific account (it’s also possible to grant permission for all accounts in a mailbox database) via the AD permission ms-Exch-EPI-May-Impersonate.

Details on how to grant these permissions can be found here.  There are impersonation samples in the EWS SDK download that you can use to test if an account is properly configured.
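As an added example (not code from the original post or the EWS SDK), here is what the impersonation request actually looks like on the wire, plus a small helper that maps a failing response back to the two AD rights above. The SOAP shape is the Exchange 2007 SP1 ExchangeImpersonation header; the response-code-to-right mapping is my reading of the EWS reference and the sample fault is constructed, as is the contoso.example address.

```python
# Added example, not part of the original post: builds an EWS request that carries
# the ExchangeImpersonation SOAP header and diagnoses an impersonation failure.
from typing import Optional
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
T_NS = "http://schemas.microsoft.com/exchange/services/2006/types"
M_NS = "http://schemas.microsoft.com/exchange/services/2006/messages"

# Which missing AD extended right each EWS response code points at. This mapping is
# my reading of the EWS reference, not something the post states.
IMPERSONATION_CODES = {
    "ErrorImpersonationDenied": "caller lacks ms-Exch-EPI-Impersonation (may not impersonate at all)",
    "ErrorImpersonateUserDenied": "caller lacks ms-Exch-EPI-May-Impersonate on the target mailbox or its database",
}

def build_impersonated_request(target_smtp: str) -> str:
    """GetFolder on the impersonated user's Inbox; the target is named by primary SMTP address.
    The address is XML-escaped so caller-supplied input cannot alter the envelope structure."""
    return f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:t="{T_NS}" xmlns:m="{M_NS}">
  <soap:Header>
    <t:ExchangeImpersonation>
      <t:ConnectingSID><t:PrimarySmtpAddress>{escape(target_smtp)}</t:PrimarySmtpAddress></t:ConnectingSID>
    </t:ExchangeImpersonation>
  </soap:Header>
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape><t:BaseShape>IdOnly</t:BaseShape></m:FolderShape>
      <m:FolderIds><t:DistinguishedFolderId Id="inbox"/></m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>"""

def impersonated_user(envelope: str) -> Optional[str]:
    """Read back which account a request would act as (useful when auditing outbound EWS traffic)."""
    node = ET.fromstring(envelope).find(
        f".//{{{T_NS}}}ExchangeImpersonation/{{{T_NS}}}ConnectingSID/{{{T_NS}}}PrimarySmtpAddress")
    return None if node is None else node.text

def diagnose_response(response_xml: str) -> str:
    """Return the first ResponseCode in any namespace (SOAP fault detail or ResponseMessages) with a hint."""
    for el in ET.fromstring(response_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "ResponseCode" and el.text:
            code = el.text.strip()
            return f"{code}: {IMPERSONATION_CODES.get(code, 'not an impersonation-permission error')}"
    return "NoError: no ResponseCode element present"

# Constructed sample of the fault Exchange returns when the second right is missing.
SAMPLE_FAULT = f"""<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>
  <faultcode>s:Client</faultcode><faultstring>constructed sample</faultstring>
  <detail><e:ResponseCode xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">ErrorImpersonateUserDenied</e:ResponseCode></detail>
</s:Fault></s:Body></s:Envelope>"""
```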

Check out this webcast for more details on the infrastructure required when building applications that leverage OCS 2007 R2 and Exchange 2007 SP1.


Thanks,

Chris