Using Exchange 2016 on premises, I'm trying to logon to another users mailbox from my admin account using the RDOSession.LogonExchangeMailbox method. The admin account has impersonation access to all other mailboxes so should have rights to do this. After running the logon method the RDOSession object shows ExchangeConnectionMode as olCachedConnectedFull, but the RDOSession.CurrentUser.name shows as UNKNOWN. If I try to access the inbox using GetDefaultFolder I get a MAPI_E_LOGON_FAILED message. Can you suggest what I might be doing wrong, or haven't done to allow this ?
LogonExchangeMailbox always uses the identity of the current user to connect to the mailbox in the RPC mode (no longer supported by Exchange 2016). To open another mailbox, you can call RDOSession.GetSharedMailBox / GetSharedMailBoxEx.
You can also use LogonHostedExchangeMailbox - it takes explicit credentials instead of connecting as the current local user.
Related
I am running into an issue with Microsoft Flow to create appointments on another calendar that my account as Send As permission to. I am able to create appointments in the UI for this second account. However in Flow, it is asking for a CalendarID. The drop down only shows calendars directly related to the account in the connection. When I manually enter the CalendarID to the second account, I receive this error: "The specified object was not found in the store."
Any help / tutorials will be greatly appreciated.
"The specified object was not found in the store."
This is an EWS permissions error so whatever you doing isn't going to work with SendAS rights. You will need to assign full access permission to the Mailbox (or at least rights to the calendar folder via Add-MailboxFolderPermission) for this to work with EWS. SendAs permission by definition only gives a user rights to SendAS another user not access folders in their Mailbox. You can test all this with the EWSEditor https://ewseditor.codeplex.com/ which is going to be making the same calls. If it works in the EWSEditor with the same creds as flow but not in your other code then you know the rights are good but whatever you doing in Flow is the issue.
I am using the google-api-php-client client to connect to Google Drive using a Service Account. Most of the time it works, but every so often (say if I sit here an refresh the page over and over it's every 5th to 10th time), I receive a Google_Service_Exception with the message unauthorized_client: Client is unauthorized to retrieve access tokens using this method. The error only occurs if the $this->drive_service->files->listFiles() code is present. It does not occur if I use the Service Account directly rather than using setSubject() to impersonate another user.
$this->client = new Google_Client();
$this->client->useApplicationDefaultCredentials();
$this->client->addScope("https://www.googleapis.com/auth/drive");
$this->client->setSubject('xxxx');
$this->drive_service = new Google_Service_Drive($this->client);
$files = $this->drive_service->files->listFiles();
Any thoughts?
Update Feb 21, 2017: The error is no longer intermittent, it happens every time, so I can no longer connect at all to a regular account through a service account.
Update March 10, 2017: It seems as though this is a user misunderstanding. The service account must be given "domain-wide authority" in order to impersonate users of that domain - something I have not done. I had simply authorized a client to access the users account as described here.
I don't know why your error happens periodically but my understanding is that to impersonate an user, you must grant the service account access.
I've seen this error intermittently when the account that's being impersonated is newly created. By the looks of it, adding a 10 second delay before trying to create the service eliminates the problem.
I have a service account that I want to be able to access another users calendar through the ews api in such a way that it can create appointments, update appointments they have created and delete appointments they have created but NOT be able to read all items on the users calendar.
This appears to be possible in office 365 (see screenshot) but is it possible with Exchange 2010? If so how?
Sure the image you have posted is just the Folder permissions from Outlook these permission are the same from Exchange 2007 to Office365. The two ways you can set permission pro-grammatically like you have shown is first use one of the Mailbox Access API's like Mapi or EWS and set the Folder permission eg https://msdn.microsoft.com/en-us/library/office/dn641962(v=exchg.150).aspx
Or you can use the Exchange Management Shell and Add-MailboxFolderPermissions https://blogs.technet.microsoft.com/ilvancri/2009/11/24/exchange-2010-and-then-there-is-the-long-awaited-cmdlet-add-mailboxfolderpermission/ this can be a better approach as it just requires delegated admin rights via an RBAC role where setting the folder permission via EWS because it uses a User API would require the account setting those permissions to be the Mailbox owner, have been delegate Full Access rights on the Mailbox (eg add-mailboxpermission) or use Impersonation.
I'm writing an application that needs to create Calendar events on a user's Outlook Calendar. However, I will not have access to their passwords, and they will most likely not be involved in the workflow to enter them at any point.
Is it possible to create these events with the user being authenticated? If not, are there alternatives?
This is for an on-premise Exchange Server, not Exchange Online.
You can use app impersonation, as long as the admin can add a service account and grant app impersonation. See https://msdn.microsoft.com/en-us/library/office/dd633680(v=exchg.80).aspx for more details.
If the user can use his Windows Login to login to the Exchange Server, you can simply use that - if your application runs on the users machine under his account. EWS-managed-API does that out-of-the-box.
If not, you could create an additional user on the Exchange Server, who creates the appointments on his own account and invites everyone per email.
We are trying to integrate Microsoft Exchange (sync appointments) into our web site (SPA)(Software as a Service), for this we are looking at EWS managed API as the preferred route, we have the end users email, but we do not want to store there exchange passwords (as they are generally same as users domain password), in such a scenario which is the best approach to take. Please Help.
The preferred way would be to define a new Exchange id for your integration program and allow it impersonation rights for each user whose mailbox you want to examine. The managed API will allow you to specify an impersonation id on each call. You authenticate with your program's userid and password, but have the rights within the Exchange store of the user you are impersonating. Thus you only have to manage a single password for your program and need not know users' passwords. Setting up the impersonation rights requires some fancy PowerShell commands from the Exchange Admin, but you only do it once.