Configuring Exchange Impersonation
Background: ASP.NET app is running under NT AUTHORITY\NETWORK SERVICE and needs to send mail as a valid domain user account. Worked in Exchange 2003, but not with Exchange 2007... thus the need for Impersonation.

I'm attempting to run the following cmdlet from the Exchange Management Shell on the HUB\CAS server. Note: the -User I'm attempting to use in the command is "NT AUTHORITY\NETWORK SERVICE".

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity "NT AUTHORITY\NETWORK SERVICE" | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
HOWEVER, the following error is returned in red. It appears the cmdlet is searching for user NT AUTHORITY\NETWORK SERVICE in Active Directory but fails to find it. Is this not a valid account that can be used in this cmdlet?
ERROR:
The operation could not be performed because object 'NT AUTHORITY\NETWORK SERVICE' could not be found on domain controller 'MYDC.childdomain.rootdomain.local'.
At line:1 char:145
+ Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User <<<< -Identity "NT AUTHORITY\NETWORK SERVICE" | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
Add-ADPermission : Cannot bind argument to parameter 'User' because it is null.
At line:1 char:135
+ Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User <<<< (Get-User -Identity "NT AUTHORITY\NETWORK SERVICE" | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

Thanks for your assistance.
July 16th, 2009 9:11pm
I'm a bit out of my area here, but wanted to ask some questions. How does the ASP.NET service send the message? Via SMTP? Or via the drop folder? Does your Hub Transport server allow anonymous connections? Jim McBee - Blog - http://mostlyexchange.blogspot.com
July 16th, 2009 9:47pm
It is pretty obvious that you get that error of the Network Service account not being found on a domain controller, because the Network Service and Local System accounts are two local principals on a particular computer. The same holds on domain controllers. Instead of using the Network Service account for authentication, you can go with using a domain user account for authentication of the service you are using. Have you already tried that? What version of IIS is it, by the way?
Milind Naphade | MCTS:M | http://www.msexchangegeek.com
July 17th, 2009 6:36am
As Jim has already asked you: what method are you using to send emails? A drop directory on the server, or SMTP on the HUB?
Milind Naphade | MCTS:M | http://www.msexchangegeek.com
July 17th, 2009 6:37am
Since we can't use Get-User to retrieve the Network Service account, please set the permission via Active Directory Sites and Services and Active Directory Users and Computers. We can refer to David Sterling's posts in the links below:
ms-Exch-EPI-Impersonation equals "Exchange Web Services Impersonation" on the server's security descriptor
ms-Exch-EPI-May-Impersonate equals "Allow Impersonation to Personal Exchange Information" on the user mailbox's security descriptor
Resources:
WebService Impersonation problem (Similar Case)
How to act (on behalf of || as) other users - Delegation and Impersonation (Exchange Web Services) (Similar Case)
July 17th, 2009 11:41am
You could create a new Application Pool in IIS using a specific user that you *can* give impersonation permissions to, then assign your Web application to run as that application pool instead of Network Service. Jim McBee - Blog - http://mostlyexchange.blogspot.com
July 17th, 2009 11:14pm
After further research, I found that the NetworkService account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has minimum privileges on the local computer and acts as the computer on the network.
-------- Refer to <NetworkService Account>
It means that NetworkService is a local account on a machine, which shouldn't be placed on the ACE of an object in a domain. So, please take Jim's suggestion to use a specific user for this task.
July 20th, 2009 5:05am
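A worked version of the advice in this thread (Jim's dedicated account, plus the two extended rights listed above), as an added example that is not code from any of the posters: grant the server-side ms-Exch-EPI-Impersonation right to a domain service account and scope ms-Exch-EPI-May-Impersonate to the target mailboxes only, then verify the resulting ACEs. The account name CHILDDOMAIN\svc-ewsimp and the mailbox aliases are assumed placeholders; the command shapes follow the Exchange 2007 cmdlets already used in the thread.

```powershell
# Added example (not from the thread): grant EWS impersonation to a dedicated
# domain service account instead of the local NETWORK SERVICE principal.
# Assumed placeholder names; replace with your own values.
$svcUser = "CHILDDOMAIN\svc-ewsimp"
$targetMailboxes = @("alias1", "alias2")   # constructed: mailboxes the app may send as

# Resolve the account first. Get-User fails for local principals such as
# NT AUTHORITY\NETWORK SERVICE, which is why the original command bound $null to -User.
$user = Get-User -Identity $svcUser
if ($user -eq $null) {
    throw "$svcUser is not a domain user; local principals cannot be placed on a domain ACE"
}

# Server-side right: ms-Exch-EPI-Impersonation on every Client Access server.
Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -eq $true } |
    ForEach-Object {
        Add-ADPermission -Identity $_.DistinguishedName -User $user.Identity `
            -ExtendedRights ms-Exch-EPI-Impersonation
    }

# Mailbox-side right: ms-Exch-EPI-May-Impersonate only on the mailboxes the
# application must act as, not on every mailbox, to keep the grant least-privilege.
foreach ($alias in $targetMailboxes) {
    $mbx = Get-Mailbox -Identity $alias
    Add-ADPermission -Identity $mbx.DistinguishedName -User $user.Identity `
        -ExtendedRights ms-Exch-EPI-May-Impersonate
}

# Verify: list the ACEs that now grant the service account either impersonation right.
Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -eq $true } |
    ForEach-Object { Get-ADPermission -Identity $_.DistinguishedName -User $user.Identity } |
    Where-Object { $_.ExtendedRights -like "ms-Exch-EPI-*" } |
    Format-Table Identity, User, ExtendedRights -AutoSize
```

Run this from the Exchange Management Shell as an account that holds Exchange Organization Administrator rights; the IIS application pool for the ASP.NET app then runs as the same service account, as Jim suggested.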
How's the case now? Any update?
July 22nd, 2009 9:27am
Still working on the problem. I'm going to send this thread over to our ASP developer for his comments. I will let you know what he decides. Thanks for all your input, sorry for the delay in getting back to you. We have to solve this problem in order to fully decommission our Exchange 2003 servers. And I'm also currently implementing EX2010 beta on our test network.
July 23rd, 2009 6:56pm
Cool! Waiting for an update.
July 24th, 2009 3:57am