EWS from a Web Application using Windows Authentication and Impersonation


To augment an earlier blog post that describes how to use EWS in a SharePoint webpart without needing ApplicationImpersonation, here I will go through the steps needed to do this from a standard web application.  The scenario is that a web application (hosted on a standalone application server) needs to access a user’s mailbox using EWS.  The web application is set to use impersonation and Windows authentication, so that the user will not be prompted for credentials.  I have written a sample application to demonstrate this, which simply performs autodiscover on a mailbox (and can be found attached to the blog).

  1. Create a new web application (for the purposes of this guide, I will refer to this as EWSTest, which is what I named my web application).  The web application will run in its own application pool, also called EWSTest.
  2. Select EWSTest under Sites in IIS Manager, choose Authentication and open the feature.  Ensure that ASP.NET Impersonation and Windows Authentication are enabled.  All other authentication options should be disabled.
  3. Select EWSTest under Application Pools in IIS Manager.  Select Basic Settings…, then change the Managed pipeline mode to Classic.  I also changed the .NET Framework version to 4 (this depends upon your application).
  4. In the web.config file of the web application, enable Windows authentication and impersonation (under system.web):
    <authentication mode="Windows" />
    <identity impersonate="true" />
  5. Create an SPN for each CAS in your Exchange environment for http on port 443.  For each CAS, you should set one SPN for the full DNS name and one for the NetBIOS name (i.e. just the machine name).  In my test environment, I have two CAS servers, one for Exchange 2007 and one for Exchange 2010.  The commands I needed to run were:
    setspn -s http/ex2k10cas1.hybrid.local:443 ex2k10cas1
    setspn -s http/ex2k7cas1.hybrid.local:443 ex2k7cas1
    setspn -s http/ex2k10cas1:443 ex2k10cas1
    setspn -s http/ex2k7cas1:443 ex2k7cas1
  6. From Active Directory Users and Computers, open the properties of the computer object for the application server.  On the Delegation tab, select Trust this computer for delegation to any service (Kerberos only).  If you need tighter security, choose Trust this computer for delegation to specified services only and list just the http SPNs created in step 5, so the application server can only delegate to EWS rather than to any service.

Once the above process is complete, delegation should work between the application server and EWS (depending upon the size of the AD environment, there may be some replication delay).  I needed to log off and then log on again on my test client for the process to start working correctly.

The test application attached allows you to test autodiscover, both using impersonation or specified credentials.  It should work in both cases (so long as the authenticating account has permission to the account being autodiscovered).
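As an added example (not the sample attached to this post), the C# below shows the two pieces such a test page needs: a check that the impersonated token on the ASP.NET thread is a Kerberos token at delegation level (the double hop to the CAS fails otherwise), and the Autodiscover call using either the impersonated identity or explicitly supplied credentials.  It assumes the project references the EWS Managed API assembly (Microsoft.Exchange.WebServices); the class and method names are my own.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using Microsoft.Exchange.WebServices.Data;   // EWS Managed API, assumed to be referenced by the project

public static class AutodiscoverHelper
{
    // Reports whether the token the page runs under can be delegated to EWS.
    // Each failure points back at the configuration step most likely to be wrong.
    public static string CheckImpersonatedToken()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        if (id == null || id.IsAnonymous)
            return "No Windows identity on the thread: check the IIS authentication settings (step 2).";
        if (!string.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            return "Authenticated with " + id.AuthenticationType + ", not Kerberos: check the SPNs (step 5).";
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            return "Token level is " + id.ImpersonationLevel + ", not Delegation: check step 6 (allow for AD replication).";
        return "OK: " + id.Name + " (Kerberos, delegation level)";
    }

    // Runs Autodiscover for the mailbox.  With credentials == null the request is
    // made as the impersonated Windows user; otherwise the supplied account is used.
    public static Uri Autodiscover(string smtpAddress, NetworkCredential credentials)
    {
        ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2007_SP1);
        if (credentials == null)
            service.UseDefaultCredentials = true;   // flows the delegated Kerberos ticket to the CAS
        else
            service.Credentials = credentials;
        service.AutodiscoverUrl(smtpAddress, RedirectionUrlValidationCallback);
        return service.Url;
    }

    // Only follow Autodiscover redirections to HTTPS endpoints, so the user's
    // credentials are never presented over a cleartext connection.
    private static bool RedirectionUrlValidationCallback(string redirectionUrl)
    {
        Uri redirectionUri = new Uri(redirectionUrl);
        return redirectionUri.Scheme == Uri.UriSchemeHttps;
    }
}
```

Call CheckImpersonatedToken() first from the page and display its result; if it reports NTLM or a non-delegation token level, Autodiscover will fail with 401 regardless of the EWS code.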


EWSTest.zip
