Tags: c#, .net, windows-services, exchangewebservices, ntlm-authentication

Getting error: "The account does not have permission to impersonate the requested user" even though I have impersonation access


I have a Windows Service which listens to On-Premise Exchange mailboxes using EWS with Impersonation Access.

I have one Admin User (Service Account) which has Impersonation Access, and I have configured the same user as the logon account for my Windows Service.

I am using NTLM Authentication in C#.Net to log in and impersonate the mailbox. When I start my Windows Service and try to impersonate the mailbox, I am getting the following error, even though my service account has Impersonation Access.

“Error While initial sync for mailbox [email protected]. Exception: Microsoft.Exchange.WebServices.Data.ServiceResponseException: The account does not have permission to impersonate the requested user.
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ProcessWebException(WebException webException)
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ValidateAndEmitRequest(IEwsHttpWebRequest& request)
   at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute()
   at SXA.ES.EWSNotificationListenerService.NotificationListener.NotificationSynchronizerBase.GetCurrentSyncState(String smtpAddress, String autodiscoverUrl)”

The surprising part is that this issue happens only on specific Virtual Machines where my Windows Service is hosted.

I have 4 Virtual Machines in total. On 2 of the 4 VMs the Windows Service works fine and is able to impersonate the mailbox, but with the same configuration and the same setup the other 2 get the error mentioned above.

Here is my code which creates the On-Premise Exchange Service:

using Microsoft.Exchange.WebServices.Data;

// Builds an ExchangeService that authenticates with the Windows Service's own
// logon session (NTLM / Windows authentication) instead of explicit credentials.
public ExchangeService CreateOnPremiseExchangeService(ExchangeServiceProperties properties)
{
    var exchangeService = CreateExchangeService(properties);

    // Use the credentials of the account the service runs as.
    exchangeService.UseDefaultCredentials = true;

    return exchangeService;
}

private static ExchangeService CreateExchangeService(ExchangeServiceProperties properties)
{
    var exchangeService = new ExchangeService(properties.ExchangeVersion)
    {
        Url = properties.ExchangeUri,
        ReturnClientRequestId = true,
        SendClientLatencies = true,
        UserAgent = properties.UserAgent
    };

    // Optional EWS request/response tracing for diagnostics.
    if (properties.TraceListener != null)
    {
        exchangeService.TraceListener = properties.TraceListener;
        exchangeService.TraceFlags = TraceFlags.All;
        exchangeService.TraceEnabled = true;
    }

    // Impersonate the target mailbox; the authenticating account needs impersonation rights.
    if (!string.IsNullOrWhiteSpace(properties.TargetMailbox))
    {
        exchangeService.ImpersonatedUserId = new ImpersonatedUserId(
            ConnectingIdType.SmtpAddress,
            properties.TargetMailbox);
    }

    return exchangeService;
}

I tried searching on Google a lot for this issue and could not find any post.

I am seeking help here to address this issue. Please let me know if anyone has come across the same issue while working with EWS in C#.Net and has a solution for it.

Note: If I use Basic Authentication here, then it works fine on these 2 VMs as well; this issue happens with NTLM Windows Authentication only.


Solution

  • I have investigated further and found the root cause of this issue; see the details below and how to fix it.

    1. Actually, I had installed Outlook and configured an email account (a user email account which does not have Impersonation Access) on the VM where I was facing the issue. Upon restarting Outlook right after the email account configuration, it prompted a dialog for credentials; there I entered the user name and password, checked the “Remember my credentials” check box as well, and clicked OK.
    2. Now if you go to Control Panel\User Accounts\Credential Manager, you will see two entries in the Windows Credentials section: one for the Exchange Server network address (ABCEXCHANGESERVER.DOMAIN.COM) with the same user name as the one you configured in Outlook, and another separate entry for the same user name as a Windows Identity.
    3. When I removed the Exchange Server network address (ABCEXCHANGESERVER.DOMAIN.COM) entry from Control Panel\User Accounts\Credential Manager, the issue got resolved.
    4. As per my understanding, ABCEXCHANGESERVER.DOMAIN.COM is the Exchange server domain/network address in our case and is used by both EWS and Outlook when accessing mailboxes. So when we configure a mailbox in Outlook and check the “Remember my credentials” check box on the credentials dialog, it caches credentials in Credential Manager for Exchange calls to ABCEXCHANGESERVER.DOMAIN.COM as well as for the mailbox profile. Now when our service tries to call ABCEXCHANGESERVER.DOMAIN.COM using NTLM, it first checks the credentials cache for the ABCEXCHANGESERVER.DOMAIN.COM network/domain address, and if an entry is found there, it always uses the cached credentials instead of our service logon credentials.
    5. If anyone is facing the same issue, just clear the Exchange Server network address entry from Control Panel\User Accounts\Credential Manager, and the issue will get resolved.

    My suggestion is to avoid configuring Outlook on the VM. Hope this helps.
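As an added diagnostic that is not part of the original answer, the script below reads the Credential Manager entries of the current user, keeps the ones whose target matches the host in the EWS URL, and reports whether the stored user name matches the account the script runs as. Run it under the service's logon account on each VM, since Credential Manager is per user; the EWS URL is a placeholder.

```powershell
# Added diagnostic (not from the original post): find Credential Manager entries
# that NTLM would use ahead of the service logon when EWS calls the Exchange host.
# Assumes: run as the Windows Service's logon account; the URL is a placeholder.
param(
    [string]$EwsUrl = 'https://ABCEXCHANGESERVER.DOMAIN.COM/EWS/Exchange.asmx'
)

$exchangeHost = ([Uri]$EwsUrl).Host
$serviceUser  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Parse the "Target:/Type:/User:" groups printed by cmdkey /list into objects.
$entries = @()
$current = $null
foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+?)\s*$') {
        if ($current) { $entries += $current }
        $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
    }
    elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') { $current.Type = $Matches[1] }
    elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') { $current.User = $Matches[1] }
}
if ($current) { $entries += $current }

# Any stored credential whose target names the Exchange host is the one NTLM will
# present; flag it, and flag it loudly when its user differs from the service logon.
$cached = @($entries | Where-Object { $_.Target -like "*$exchangeHost*" })
if ($cached.Count -eq 0) {
    Write-Output "No Credential Manager entry targets $exchangeHost; NTLM will use $serviceUser."
}
foreach ($entry in $cached) {
    $note = if ($entry.User -ieq $serviceUser) { 'same as service logon' }
            else { 'DIFFERS from service logon (impersonation will fail)' }
    Write-Warning ("Cached credential '{0}' (type {1}) stored for user '{2}': {3}" -f `
        $entry.Target, $entry.Type, $entry.User, $note)
}
```

Removing a flagged entry is the fix the answer describes; it can be done in the Credential Manager UI as above or with cmdkey /delete using the target name shown.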