FYI: Exchange Management Shell Blocks Calls Made With Impersonated Credentials

  • Article

We are working to get official public documentation on this subject, I will update this post once we get a KB published...

Symptoms
When you try to execute Exchange Powershell cmdlets from an application which is impersonating a user. You get the following error:

"Access to the address list service on all Exchange 2007 servers has been denied"

Cause
Exchange Management Shell currently (Exchagen 2007 RTM) actively blocks calls made with impersonated credentails.

This is typically seen in an ASP.NET application which impersonates the client's user credentials and attempts call an Exchange Powershell cmdlet such as New-Mailbox.

Resolution
You will need to execute Exchange cmdlets inside another process running with evelated permissions. You can use COM+ or .NET Remoting to accomplish this.

Understanding Enterprise Services (COM+) in .NET
https://msdn2.microsoft.com/en-us/library/ms973847.aspx

.NET Framework Remoting Overview
https://msdn2.microsoft.com/en-us/library/kwdt6w2k.aspx

More Information
This is very similar to limitations with CDOEXM and impersonation in Exchange 2000 and 2003. As seen in the following KB article:

Recommendations for using Exchange system management features through a Web interface that uses CDO for Exchange Management
https://support.microsoft.com/kb/900230

This works now, Dan has the update