
Competella Unified Communication Suite

Competella Calendar Sync user in Exchange.


This paper describes how to configure a user in Exchange that is used by the Competella Communication Suite system.

Revision: 1.0

Date: 2010-10-22

Table of Contents
Prerequisites
What is Exchange Web Service?
May I see your ID?
How to access a non-primary mailbox?
How to Create an Impersonate account in Exchange 2007
Step by step:
1 Create a Mailbox user in Exchange Management Console.
2 Open Exchange Management Shell.
Impersonation in Exchange 2010
Try to use this account in OWA

Prerequisites
Exchange Server 2007 or 2010 with EWS (Exchange Web Services) enabled.
An account with Exchange Impersonation.
For Exchange 2007:
http://msdn.microsoft.com/en-us/library/bb204095(EXCHG.80).aspx

For Exchange 2010:
http://msdn.microsoft.com/en-us/library/bb204095.aspx

For configuration, see the step-by-step description in this document.

Let's first explain what Exchange Web Services is and what an account with Exchange Impersonation is.

What is Exchange Web Service?


Exchange Web Services (EWS) is an application programming interface that third-party developers can use to communicate with Exchange. This interface is exposed as a SOAP-based web interface (SOAP: Simple Object Access Protocol).
This means that a user must send each request as a SOAP + XML message in an HTTPS (secure) POST to the server.
The services are exposed on an Exchange Client Access Server (CAS) through ASP.NET Web Services.
EWS provides a way for consumers to interact with Exchange mailboxes in a manner compatible with MS Office Outlook Web Access (OWA).
Under the covers, OWA and EWS use the same business logic layer for accessing, creating, modifying and deleting mailbox data.

May I see your ID?


Every Web Service request that comes across the wire to the Exchange Client Access Server (CAS) box must be authenticated by ASP.NET before it gets to the server. This means that by the time the request arrives, EWS already knows the identity of the caller (anonymous access is not permitted in EWS).
Using this identity, the Exchange server can perform an Active Directory lookup to determine which mailbox is associated with the caller's account. There is no need to add any mailbox-identity data to the request if the caller is trying to access his or her own mailbox.

How to access a non-primary mailbox?


From Chapter 19 of the book Inside Microsoft Exchange Server 2007 Web Services, "Using Exchange Impersonation":
It is quite an unfortunate name. Why?
Because consumers quickly think that Exchange Web Services is impersonating an account by using something like WindowsIdentity.Impersonate, which isn't the case.
However, the name is what it is, and you must live with it.
Exchange Impersonation is specified in an EWS request by an element named ExchangeImpersonation in the SOAP header.
This element enables you to specify who the Act As account is going to be.
See the section "Try to use this account in OWA".
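An added example (not from the original paper) of an EWS request that carries the ExchangeImpersonation header, useful for checking whether a service account has actually been given the right. The CAS address and the target mailbox address are assumptions.

```powershell
# Added example: the host name and the mailbox address are hypothetical.
$ewsUrl = 'https://cas.example.com/EWS/Exchange.asmx'   # assumed CAS address
$actAs  = 'user1000@example.com'                        # mailbox to act as (assumed)

# SOAP envelope: the ExchangeImpersonation header names the Act As account,
# the body asks for that mailbox's calendar folder.
$envelope = @"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
    xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header>
    <t:ExchangeImpersonation>
      <t:ConnectingSID>
        <t:PrimarySmtpAddress>$actAs</t:PrimarySmtpAddress>
      </t:ConnectingSID>
    </t:ExchangeImpersonation>
  </soap:Header>
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape><t:BaseShape>Default</t:BaseShape></m:FolderShape>
      <m:FolderIds><t:DistinguishedFolderId Id="calendar" /></m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>
"@
[void][xml]$envelope   # fails here if the envelope is not well-formed XML

$client = New-Object System.Net.WebClient
$client.Credentials = (Get-Credential).GetNetworkCredential()  # the sync account, e.g. Sync2007
$client.Headers.Add('Content-Type', 'text/xml; charset=utf-8')

try {
    $body = $client.UploadString($ewsUrl, $envelope)
} catch {
    # EWS reports a refused impersonation as a SOAP fault; keep its body.
    $web = $_.Exception.GetBaseException()
    if ($web -isnot [System.Net.WebException] -or -not $web.Response) { throw }
    $body = (New-Object System.IO.StreamReader($web.Response.GetResponseStream())).ReadToEnd()
}

# NoError: the account may act as the target mailbox.
# ErrorImpersonateUserDenied: the impersonation right is missing.
([xml]$body).SelectNodes("//*[local-name()='ResponseCode']") | ForEach-Object { $_.InnerText }
```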

How to Create an Impersonate account in Exchange 2007


Step by step:
Important!

This is only an example from our test/lab environment to show the account type.
It is not a solution for all Exchange environments.
Please refer to articles on the net and the Exchange documentation.
In this example the user is Sync2007.
1 Create a Mailbox user in Exchange Management Console.

Reminders!

1.1 Hide from Exchange Address list. (Exchange Management Console)

1.2 Active Directory Users and Computers.


Set to never expire.

2 Open Exchange Management Shell.

Run the script from
http://msdn.microsoft.com/en-us/library/bb204095(EXCHG.80).aspx
Don't forget to modify it. (When copying the script from the web, the | pipe character could come out wrong.)
Here in our system:
Check the current server in the console:
Get-ExchangeServer
Check the mailbox store:
Get-MailboxDatabase
# Grant ms-Exch-EPI-Impersonation to Sync2007 on every Client Access Server
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity Sync2007 | Select-Object).Identity -ExtendedRights ms-Exch-EPI-Impersonation}

# Grant ms-Exch-EPI-May-Impersonate to Sync2007 on every mailbox database
Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User Sync2007 -ExtendedRights ms-Exch-EPI-May-Impersonate}


Result:

Check result:
Get-MailboxPermission -Identity Sync2007 | Format-List

Solution 2
Here the user is Ex2007.
Add-ADPermission -Identity (Get-ExchangeServer).DistinguishedName -User (Get-User -Identity Ex2007 | Select-Object).Identity -AccessRights GenericAll -InheritanceType Descendents
Add-ADPermission -Identity (Get-ExchangeServer).DistinguishedName -User (Get-User -Identity Ex2007 | Select-Object).Identity -ExtendedRights ms-Exch-EPI-Impersonation
Add-ADPermission -Identity (Get-ExchangeServer).DistinguishedName -User (Get-User -Identity Ex2007 | Select-Object).Identity -ExtendedRights ms-Exch-EPI-May-Impersonate
Add-ADPermission -Identity (Get-ExchangeServer).DistinguishedName -User (Get-User -Identity Ex2007 | Select-Object).Identity -ExtendedRights Send-As
Add-ADPermission -Identity (Get-ExchangeServer).DistinguishedName -User (Get-User -Identity Ex2007 | Select-Object).Identity -ExtendedRights Receive-As
Here we don't run ForEach-Object for all properties, only Receive and Send.

Impersonation in Exchange 2010


Quick tip: Impersonation in Exchange 2010 has morphed from setting ACLs to Role Based Access Control (RBAC). It could not be easier to impersonate users in the entire domain:
New-ManagementRoleAssignment -Name:_SyncCalendar -Role:ApplicationImpersonation -User:'SyncUser@competella.com'
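An assignment without a scope lets the sync account act as every mailbox in the organization. An added example (not from the original paper) that limits the same role to a management scope and then reviews who holds it; the scope name, the second assignment name and the CustomAttribute1 marker value are assumptions.

```powershell
# Added example; 'CalendarSyncScope', '_SyncCalendarScoped' and the
# CustomAttribute1 value 'CalendarSync' are hypothetical names.

# 1. Scope: only recipients that are tagged for calendar sync.
New-ManagementScope -Name 'CalendarSyncScope' `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'CalendarSync'"

# 2. Same role and user as in the paper, limited to that scope.
New-ManagementRoleAssignment -Name '_SyncCalendarScoped' `
    -Role 'ApplicationImpersonation' `
    -User 'SyncUser@competella.com' `
    -CustomRecipientWriteScope 'CalendarSyncScope'

# 3. If the unscoped assignment from the paper already exists, remove it;
#    otherwise it still grants impersonation for every mailbox.
Get-ManagementRoleAssignment -Identity '_SyncCalendar' -ErrorAction SilentlyContinue |
    Remove-ManagementRoleAssignment

# 4. Review: every account that can impersonate, and within which scope.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Format-Table Name, EffectiveUserName, CustomRecipientWriteScope -AutoSize

# 5. List the mailboxes the scope covers, to confirm the filter matches
#    only the intended users.
Get-Mailbox -Filter "CustomAttribute1 -eq 'CalendarSync'" |
    Format-Table Name, PrimarySmtpAddress -AutoSize
```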

Try to use this account in OWA


Log in as user Sync2007:

Try to change to user1000.

You are missing the permission to do that!


This user account can only look at its own data.
