I have a Windows Service which listens to On-Premise Exchange mailboxes using EWS with Impersonation Access.

I have one Admin User (Service Account) which has Impersonation Access, and I have configured the same user for my Windows Service Logon.

I am using NTLM Authentication in C#.Net to log in and impersonate the mailbox. When I start my Windows Service and try to impersonate the mailbox, I get the following error even though my service account has Impersonation Access.

"Error While initial sync for mailbox SCHEDTEST91@SCHED2010.COM. Exception: Microsoft.Exchange.WebServices.Data.ServiceResponseException: The account does not have permission to impersonate the requested user.
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ProcessWebException(WebException webException)
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ValidateAndEmitRequest(IEwsHttpWebRequest& request)
   at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute()
   at SXA.ES.EWSNotificationListenerService.NotificationListener.NotificationSynchronizerBase.GetCurrentSyncState(String smtpAddress, String autodiscoverUrl)"


The surprising part is, this issue is happening with specific Virtual Machines where my Windows Service is hosted.

I have a total of 4 Virtual Machines. On 2 of the 4 VMs, the Windows Service is working fine and is able to impersonate the mailbox, but with the same configuration and the same setup the other 2 have the above-mentioned error.

I tried searching Google a lot for this issue and could not find any post.

I am seeking help here to address this issue. Please let me know if anyone has come across the same issue while working with the EWS Service with C#.Net and has a solution for this.

Note: If I use Basic Authentication here, then it works fine on these 2 VMs as well; this issue is happening with NTLM Windows Authentication only.


What I have tried:

1. Tried restarting the VMs.
2. Tried to debug the code by providing Basic Authentication instead of NTLM, and with Basic Authentication it works fine. It looks like the problem is only with NTLM on specific VMs.
3. Tried removing the Windows Service from the tray and re-installing it.
Updated 5-Oct-18 9:50am
Comments
littleGreenDude 11-Sep-18 15:46pm    
Do you know if the account requires any other privs? Like log in as a service?
Arpan_Patel 12-Sep-18 9:48am    
No, there are no other privileges required for the account other than Impersonation Access, which I have already provided.
As I mentioned, this is working fine on another VM with the same configuration.

Wild guess here. Is there a service that has not been started/installed on the failing vm?
Comments
Arpan_Patel 14-Sep-18 10:05am    
I have compared the services on both VMs, and the lists of running services are the same on both, so I think this is also not the case here. One thing I observed in the EWS logs is that when a request is sent to the Exchange Server from the non-working VM, it sends the Alias Name even though I am setting the SMTP address, and in a request from the working VM it sends the SMTP address. I suspect that this issue is happening because it is sending the Alias Name of the email address. I am trying to figure out why there is this difference, but so far I have not found anything.

I have further investigated and found the root cause of this issue. See the details below and how to fix it.

1. Actually, I had installed Outlook and configured an email account (a user email account that does not have Impersonation Access) on the VM where I was facing the issue. Upon restart of Outlook right after the email account configuration, it prompted a dialog for credentials. There I entered the user name and password, checked the "Remember my credentials" check box as well, and clicked OK.

2. Now if you go to Control Panel\User Accounts\Credential Manager, you will see two entries in the Windows Credentials section: one for the Exchange Server network address (ABCEXCHANGESERVER.DOMAIN.COM) with the same user name as the one you have configured in your Outlook, and another separate entry for the same user name as a Windows Identity.

3. When I removed the Exchange Server network address (ABCEXCHANGESERVER.DOMAIN.COM) entry from Control Panel\User Accounts\Credential Manager, this issue got resolved.

4. As per my understanding, ABCEXCHANGESERVER.DOMAIN.COM is the Exchange Server domain/network address in our case and is used by both EWS and Outlook when accessing mailboxes. So when we configure a mailbox in Outlook and check the "Remember my credentials" check box on the credentials dialog, it caches credentials in Credential Manager for Exchange calls to ABCEXCHANGESERVER.DOMAIN.COM as well as for the mailbox profile. Now when our service tries to call ABCEXCHANGESERVER.DOMAIN.COM using NTLM, it first checks the credentials cache for the ABCEXCHANGESERVER.DOMAIN.COM network/domain address, and if any entry is found there, it always uses the cached credentials instead of our service logon credentials.

5. If anyone is facing the same issue, just clear the Exchange Server network address entry from Control Panel\User Accounts\Credential Manager, and this issue will get resolved.
My suggestion is, avoid configuring Outlook on the VM. How this will help.
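The fix described in the answer above can be checked from the command line before touching the service. This is an added example, not part of the original answer: it parses `cmdkey /list` (assuming English output labels) and reports any stored credential whose target is the Exchange host; the function name, the `-Remove` switch and the default host (the placeholder used in the answer) are assumptions.

```powershell
# Added example (not from the original post). Run in a session of the account
# the Windows Service logs on as: Credential Manager entries are per-user.
param(
    [string]$EwsHost = 'ABCEXCHANGESERVER.DOMAIN.COM',  # placeholder host from the post
    [switch]$Remove                                     # delete matches instead of only reporting
)

# Turn the text output of "cmdkey /list" into objects (assumes English labels).
function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($entry) { $entry }   # emit the previous entry before starting a new one
            $entry = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
        } elseif ($entry -and $line -match '^\s*(Type|User):\s*(.+?)\s*$') {
            $entry.($Matches[1]) = $Matches[2]
        }
    }
    if ($entry) { $entry }
}

# Targets are listed as e.g. "Domain:target=<host>"; match on the host part.
$pattern = 'target=' + [regex]::Escape($EwsHost) + '$'
$hits = @(ConvertFrom-CmdkeyList -Lines (cmdkey /list) |
          Where-Object { $_.Target -match $pattern })

if ($hits.Count -eq 0) {
    'No stored credential targets {0} for user {1}.' -f $EwsHost, $env:USERNAME
} else {
    foreach ($h in $hits) {
        # A hit means NTLM calls to this host may use the stored user
        # instead of the service logon identity.
        'Stored credential: {0} (type: {1}, user: {2})' -f $h.Target, $h.Type, $h.User
        if ($Remove) {
            cmdkey ('/delete:' + ($h.Target -replace '^.*target=', ''))
        }
    }
}
```

Running it without `-Remove` on a working and a failing VM shows whether the stored entry is the difference between them.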

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)