KB: Exchange Web Services Does Not Honor Inherited Permissions from Server Level Objects
The following KB article was just published based on a case I worked and a bug that I filed against Exchange Web Services in Exchange 2007, have a look...
940846 Error message when an account tries to open a mailbox by using Outlook Web Access or Exchange Web Services in Exchange Server 2007: "You do not have permissions to open this mailbox"
https://support.microsoft.com/default.aspx?scid=kb;EN-US;940846
Previously, with other Exchange APIs and in earlier versions of Exchange Server, if you set Receive-As rights for a service account at the server, storage group, organizational level, etc., then that service account could access any mailbox under those objects. This is *not* the case with Exchange Web Services or Outlook Web Access in Exchange Server 2007. In Exchange Server 2007, the underlying components shared by EWS and OWA do not aggregate the security descriptors of all the parent-level objects of a mailbox to determine access - they only look at the mailbox's own security descriptor. To work around this, as the KB article states, you have two options...
- Use the Add-MailboxPermission cmdlet to add permissions directly to the mailbox you would like to access
- For EWS, use Impersonation to access the mailbox
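As an added example (this is not from the KB article or the original post), the following Exchange Management Shell session shows the contrast described above: a Receive-As grant on a storage group, which the shared OWA/EWS component does not honor, next to the two workarounds, a direct Add-MailboxPermission grant and an Exchange Impersonation setup, plus a check that the direct grant actually landed on the mailbox object. The service account CONTOSO\svc-ews, the mailbox "Alice Example", the server EX2007 and the storage group "First Storage Group" are placeholder names, not values from the page.

```powershell
# Added example, not part of the KB article or the original post.
# Placeholder identities (assumptions): CONTOSO\svc-ews, "Alice Example", EX2007, "First Storage Group".
$serviceAccount = "CONTOSO\svc-ews"
$targetMailbox  = "Alice Example"

# The Exchange 2000/2003 habit: Receive-As on a parent object (here a storage group).
# In Exchange 2007 this still satisfies MAPI, WebDAV and CDO, but the component shared
# by OWA and EWS evaluates only the mailbox's own security descriptor, so it is NOT enough.
$sg = Get-StorageGroup "EX2007\First Storage Group"
Add-ADPermission -Identity $sg.DistinguishedName -User $serviceAccount -ExtendedRights Receive-As

# Option 1: put the right directly on the mailbox object (works for both OWA and EWS).
Add-MailboxPermission -Identity $targetMailbox -User $serviceAccount `
    -AccessRights FullAccess -InheritanceType All

# Verify: the entry must be present on the mailbox itself, not merely inherited from a parent.
Get-MailboxPermission -Identity $targetMailbox |
    Where-Object { $_.User -like "*svc-ews*" -and -not $_.IsInherited } |
    Format-Table User, AccessRights, IsInherited -AutoSize

# Option 2 (EWS only): configure Exchange Impersonation instead of direct mailbox rights.
# ms-Exch-EPI-Impersonation on each Client Access server allows the account to impersonate;
# ms-Exch-EPI-May-Impersonate on the database scopes which mailboxes it may impersonate.
Get-ExchangeServer | Where-Object { $_.IsClientAccessServer } | ForEach-Object {
    Add-ADPermission -Identity $_.DistinguishedName -User $serviceAccount `
        -ExtendedRights ms-Exch-EPI-Impersonation
}
Get-MailboxDatabase -Server EX2007 | ForEach-Object {
    Add-ADPermission -Identity $_.DistinguishedName -User $serviceAccount `
        -ExtendedRights ms-Exch-EPI-May-Impersonate
}

# Audit: list every explicit (non-inherited) FullAccess grant across all mailboxes, so that
# service accounts added under option 1 stay visible and reviewable.
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object {
        $_.AccessRights -contains "FullAccess" -and
        -not $_.IsInherited -and
        $_.User -notlike "NT AUTHORITY\SELF"
    } |
    Select-Object Identity, User, AccessRights
```

Option 2 keeps the service account out of each mailbox's ACL, so the impersonation scope is controlled centrally through the May-Impersonate right rather than by per-mailbox FullAccess entries; the final audit query is what you would run periodically when option 1 is chosen.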
This issue only affects the shared underlying components of OWA and EWS in Exchange 2007. It does not affect other Exchange 2007 APIs such as WebDAV, MAPI, and CDO.
...The customer I was working with was using their experience from Exchange 2000/2003 to test their service account configuration for their WebDAV application in Exchange 2007 using OWA. They had created their service account, applied permissions to a storage group using Add-ADPermission, and were using OWA to verify that it had been granted the permissions needed to access all mailboxes in the storage group. They got hung up on the fact that OWA wouldn't allow access and never tested their WebDAV application. When they finally did a WebDAV test, the service account accessed all mailboxes fine - even though they still could not access the mailboxes with the service account using OWA. This is because while OWA and WebDAV were closely tied in Exchange 2000/2003, in Exchange 2007 they are not - Exchange Web Services and Outlook Web Access are more closely related now...
Comments
Anonymous
October 02, 2008
I've put together a list of articles which cover common questions on Exchange Web Services (EWS). These
Anonymous
June 16, 2009
The Exchange API team has a new post explaining the differences between using Exchange Impersonation