The question came up recently whether one user account can be used to impersonate all mailboxes in an environment consisting of Exchange 2007 and 2010 servers. As most people realise, there have been huge changes to the permissions structure between the two versions (2010 introducing RBAC), so can we grant the relevant permissions to one service account? While I was sure it was possible, I could see that there may well be some pitfalls that would be worth exploring/explaining, so I set up a mixed mode environment to test.
First of all, you need to grant the permissions to the user account. The process is slightly different for each Exchange version, and each process must be followed on the relevant server. You will end up with a user account that has permission to impersonate any account on any Exchange server.
Setting up impersonation:
Exchange 2007: http://msdn.microsoft.com/en-us/library/bb204095(v=exchg.80).aspx
Exchange 2010: http://msdn.microsoft.com/en-us/library/bb204095(v=EXCHG.140).aspx
Once I’d done this, I wanted to test that it worked (of course!). To do this, I created one user account on the Exchange 2010 MBX, and one on the Exchange 2007 MBX. My test is to be able to send email from each account to the other using my impersonation account. I used the administrator account as my test impersonation account – this was hosted on the Exchange 2007 server (this is an important point, as it turns out!).
So, my first test was to send an email from firstname.lastname@example.org to email@example.com. I fired up my EWS test suite and set impersonation as usual, and sent the test email. This worked straight away, and checking in OWA the message had been delivered as expected.
On to the second test, sending a message from firstname.lastname@example.org to email@example.com. Same procedure as before, just different impersonation. Unfortunately, this failed with the error “The Client Access Server version does not match the accessed resource’s Mailbox Server version.”. The suggested solution is to use Autodiscover – unfortunately, I already am.
The important thing to realise at this point is that the impersonating account is hosted on Exchange 2007. So when Autodiscover is used, the server designated as the CAS will be the Exchange 2007 server. When accessing the Exchange 2010 account, this is why the problem occurs. The solution? Based on the issue, the solution that makes most sense is to do the autodiscover on the impersonated mailbox, not the impersonating one. I modified my test application accordingly, and this did indeed resolve the issue.
So, it is certainly possible to use one service account to impersonate all users in a mixed Exchange environment. Points to note based on my tests are:
- You need to grant the service account impersonation rights on both Exchange 2007 and Exchange 2010. Each version needs different rights, so following both processes (as linked above) will ensure that the impersonating account won’t have a problem accessing any of the servers.
- When connecting to EWS, use autodiscover (this is always the recommended approach) on the impersonated mailbox (in a none-mixed environment, this shouldn’t be necessary).
- When connecting to EWS, ensure the requested server version is Exchange_2007SP1. This will work with both Exchange 2007 and 2010. If you leave this as the default, or specify Exchange 2010, then you will receive errors when connecting to mailboxes hosted on Exchange 2007.
Depending upon your application, you may want to cache the autodiscover results. For example, if you write a program that does connect to many users’ mailboxes, then performing an autodiscover on each mailbox should only be done once, and the result cached.