competella calendar sync account in exchange (2)


Upload: aaron-teza-angeles

Post on 03-Oct-2015


  • 1

    Competella Unified Communication Suite

    Competella Calendar Sync user in Exchange.

    This paper describes how to configure a User in Exchange used by Competella Communication Suite System.

    Revision: 1.0

    Date: 2010-10-22

  • 2

    Table of Contents

    Prerequisites 3

    What is Exchange Web Service? 3

    May I see your ID? 4

    How to access a non-primary mailbox? 4

    How to create an Impersonation account in Exchange 2007 5

    Step by step: 5

    1 Create a Mailbox user in Exchange Management Console. 5

    2 Open Exchange Management Shell. 7

    Impersonation in Exchange 2010 9

    Try to use this account in OWA 10

  • 3

    Prerequisites

    Exchange Server 2007 or 2010 with EWS enabled.

    EWS - Exchange Web Services.

    An account with Exchange Impersonation.

    Here for Exchange 2007:

    http://msdn.microsoft.com/en-us/library/bb204095(EXCHG.80).aspx

    Here for Exchange 2010:

    http://msdn.microsoft.com/en-us/library/bb204095.aspx

    For configuration, see the step-by-step description later in this document.

    Let's start by explaining what Exchange Web Services is and what an account with Exchange Impersonation is.

    What is Exchange Web Service?

    Exchange Web Services (EWS) is an application programming interface that third-party developers can use to communicate with Exchange. This interface is exposed as a SOAP-based web interface (SOAP: Simple Object Access Protocol).

    This means that a user must send their request as a SOAP + XML message in an HTTPS (secure) POST to the server.

    Services are exposed on an Exchange Client Access Server (CAS) through ASP.NET Web Services.

    EWS provides a way for consumers to interact with Exchange mailboxes in a MS Office Outlook Web Access (OWA) compatible manner.

    Under the covers, OWA and EWS use the same business logic layer for accessing, creating, modifying and deleting mailbox data.

  • 4

    May I see your ID?

    Every Web Service request that comes across the wire to an Exchange Client Access Server (CAS) box must be authenticated by ASP.NET before it gets to the server. This means that by the time the request arrives, EWS already knows the identity of the caller (anonymous access is not permitted in EWS).

    Using this identity, the Exchange server can perform an Active Directory lookup to determine which mailbox is associated with the caller's account. There is no need to add any mailbox-identity data within the request if the caller is trying to access his or her own mailbox.

    How to access a non-primary mailbox?

    From Chapter 19 in the book Inside Microsoft Exchange Server 2007 Web Services:

    Using Exchange Impersonation.

    It is a quite unfortunate name. Why?

    Because consumers quickly think that Exchange Web Services is impersonating an account by using something like WindowsIdentity.Impersonate, which isn't the case.

    However, the name is what it is, and you must live with it.

    Exchange Impersonation is specified in an EWS request by an element named ExchangeImpersonation in the SOAP header.

    This element enables you to specify who the Act As account is going to be.

    See "Try to use this account in OWA" later in this document.
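
    What such a request looks like on the wire, as an added example that is not part of the original paper: the service account authenticates over HTTPS, and the ExchangeImpersonation header names the mailbox to act as. The CAS URL and the user1000@example.com address are placeholders, and PowerShell 3.0 or later is assumed for Invoke-WebRequest.

```powershell
# Added example, not from the original paper. Placeholders: $ewsUrl, $actAsMailbox.
$ewsUrl       = 'https://cas.example.com/EWS/Exchange.asmx'
$actAsMailbox = 'user1000@example.com'
$cred         = Get-Credential   # the service account, e.g. Sync2007

# Escape the address so a malformed value cannot alter the XML structure.
$actAsXml = [System.Security.SecurityElement]::Escape($actAsMailbox)

$envelope = @"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2007_SP1" />
    <!-- The caller is whoever authenticated; this header selects the Act As mailbox. -->
    <t:ExchangeImpersonation>
      <t:ConnectingSID>
        <t:PrimarySmtpAddress>$actAsXml</t:PrimarySmtpAddress>
      </t:ConnectingSID>
    </t:ExchangeImpersonation>
  </soap:Header>
  <soap:Body>
    <!-- Read the default properties of the impersonated user's calendar folder. -->
    <m:GetFolder>
      <m:FolderShape><t:BaseShape>Default</t:BaseShape></m:FolderShape>
      <m:FolderIds><t:DistinguishedFolderId Id="calendar" /></m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>
"@

# HTTPS POST to the Client Access Server; ASP.NET authenticates $cred first.
$response = Invoke-WebRequest -Uri $ewsUrl -Method Post -Credential $cred `
    -ContentType 'text/xml; charset=utf-8' -Body $envelope -UseBasicParsing

# Pull the EWS response code out of the SOAP body (NoError on success).
[xml]$xml = $response.Content
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('m', 'http://schemas.microsoft.com/exchange/services/2006/messages')
$xml.SelectSingleNode('//m:ResponseCode', $ns).InnerText
```

    Removing the ExchangeImpersonation element from the header turns the same request into a read of the service account's own calendar, which is the default behaviour described under "May I see your ID?".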

  • 5

    How to create an Impersonation account in Exchange 2007

    Step by step:

    Important!

    This is only an example from our test/lab environment to show the account type.

    It is not a solution for all Exchange environments.

    Please refer to articles on the net and the Exchange documentation.

    In this example the user is Sync2007.

    1 Create a Mailbox user in Exchange Management Console.

  • 6

    Reminders!

    1.1 Hide from Exchange Address list. (Exchange Management Console)

    1.2 Active Directory Users and Computers.

    Set to never expire.

  • 7

    2 Open Exchange Management Shell.

    Run this script from

    http://msdn.microsoft.com/en-us/library/bb204095(EXCHG.80).aspx

    Don't forget to modify it. (When copying the script from the web, the | pipe character could be wrong.)

    Here in our system:

    Check the current server in the console:

    Get-ExchangeServer

    Check the mailbox store:

    Get-MailboxDatabase

    # Allow Sync2007 to submit impersonation calls through every Client Access Server
    Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity Sync2007 | select-object).identity -ExtendedRights ms-Exch-EPI-Impersonation}

    # Allow Sync2007 to impersonate the accounts in every mailbox database
    Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User Sync2007 -ExtendedRights ms-Exch-EPI-May-Impersonate}

    Result:

  • 8

    Check result:

    Get-MailboxPermission -Identity Sync2007 | Format-List

    Solution 2

    Here the user is Ex2007.

    Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity Ex2007 | select-object).identity -AccessRights GenericAll -InheritanceType Descendents

    Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity Ex2007 | select-object).identity -ExtendedRights ms-Exch-EPI-Impersonation

    Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity Ex2007 | select-object).identity -ExtendedRights ms-Exch-EPI-May-Impersonate

    Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity Ex2007 | select-object).identity -ExtendedRights Send-As

    Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity Ex2007 | select-object).identity -ExtendedRights Receive-As

    Here we don't run ForEach-Object for all properties, only Receive and Send.
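
    A way to review what the Add-ADPermission commands in this section actually granted, as an added example that is not part of the original paper: it lists the explicit (non-inherited) allow entries on the Exchange server and mailbox database objects that carry the impersonation rights, Send-As, Receive-As or GenericAll. It assumes the Exchange 2007 Management Shell with PowerShell 2.0 or later.

```powershell
# Added example, not from the original paper. Run in the Exchange Management Shell.
# Extended rights granted by the commands in this section.
$rights = 'ms-Exch-EPI-Impersonation', 'ms-Exch-EPI-May-Impersonate', 'Send-As', 'Receive-As'

# Objects those commands put access control entries on.
$targets = @(Get-ExchangeServer) + @(Get-MailboxDatabase)

$findings = foreach ($target in $targets) {
    Get-ADPermission -Identity $target.DistinguishedName |
        Where-Object {
            # Keep explicit allow entries only; inherited defaults are set higher up.
            -not $_.Deny -and -not $_.IsInherited -and (
                ("$($_.AccessRights)" -match 'GenericAll') -or
                (@($_.ExtendedRights | Where-Object { $rights -contains "$_" }).Count -gt 0)
            )
        } |
        Select-Object @{n = 'Object'; e = { $target.Name }}, User, AccessRights, ExtendedRights
}

# One row per grant: which account holds which right on which server or database.
$findings | Sort-Object User, Object | Format-Table -AutoSize -Wrap
```

    An entry that is not needed can be taken away with Remove-ADPermission, using the same -Identity, -User and rights as the Add-ADPermission call that created it.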

  • 9

    Impersonation in Exchange 2010

    Quick tip: Impersonation in Exchange 2010 has morphed from setting ACLs to Role Based Access Control (RBAC). It could not be easier to impersonate users in the entire domain:

    New-ManagementRoleAssignment -Name:_SyncCalendar -Role:ApplicationImpersonation -User:'[email protected]'
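
    The assignment above has no scope, so it covers every mailbox in the organization. The following added example, which is not part of the original paper, limits the same role to the mailboxes the sync service needs and then lists who holds the role. The scope name, the CustomAttribute1 value, the assignment name and the account address are placeholders.

```powershell
# Added example, not from the original paper. Run in the Exchange 2010 Management Shell.
# Placeholders: 'CalendarSyncUsers', 'CalendarSync', '_SyncCalendarScoped', the address.

# 1. Define which recipients may be impersonated: here, mailboxes tagged
#    with CustomAttribute1 = 'CalendarSync'.
New-ManagementScope -Name 'CalendarSyncUsers' `
    -RecipientRestrictionFilter { CustomAttribute1 -eq 'CalendarSync' }

# 2. Assign ApplicationImpersonation to the service account, limited to that scope.
New-ManagementRoleAssignment -Name '_SyncCalendarScoped' `
    -Role ApplicationImpersonation `
    -User 'syncaccount@example.com' `
    -CustomRecipientWriteScope 'CalendarSyncUsers'

# 3. Audit: every account that effectively holds the role, and the scope it applies to.
#    An entry whose RecipientWriteScope is Organization can act as any mailbox.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Format-Table Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```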

  • 10

    Try to use this account in OWA

    Log in as user Sync2007:

    Try to change to user1000.

    You are missing the permission to do that!

    This user account can only look at its own data.