ews-java-api
Unable to access Generic Mailbox from Service Account
Hi,
We have a generic email box that is used for emailing in certain types of service requests. In order to limit the impact of staff changes and the risk of having your personal credentials exposed, we'd like to use a Service Account to access the inbox and process the messages and then take further action.
This code works with my Personal Account:
ExchangeService service = new ExchangeService();
ExchangeCredentials credentials = new WebCredentials(username, password);
service.setCredentials(credentials);
service.setUrl(new URI(Credentials.getEwsURL()));
Mailbox mailbox = new Mailbox(Credentials.getSmtpEmailAddress());
FolderId inboxFolderId = new FolderId(WellKnownFolderName.Inbox, mailbox);
ItemView view = new ItemView(10);
FindItemsResults<Item> findResults = service.findItems(inboxFolderId, view);
Basically, I'm logging into the EWS as myself and then saying, "oh, let's look at this generic mailbox I have access to" - no problem.
However, when I try to do the same with the service account, I get this error:
When making a request as an account that does not have a mailbox, you must specify the mailbox primary SMTP address for any distinguished folder Ids.
I also tried this configuration:
ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010_SP1);
ExchangeCredentials credentials = new WebCredentials(username, password);
service.setCredentials(credentials);
service.setUrl(new URI(Credentials.getEwsURL()));
service.autodiscoverUrl(Credentials.getSmtpEmailAddress());
service.setImpersonatedUserId(new ImpersonatedUserId(ConnectingIdType.PrincipalName, Credentials.getSmtpEmailAddress()));
FindItemsResults<Item> findResults = service.findItems(WellKnownFolderName.Inbox, new ItemView(10));
but after a long delay, I get this error: The request failed. The impersonation principal name is invalid.
I've tried a number of other configurations, but none are working. I'm not sure if this is even possible as I've read that the Service ID would have to have its own mailbox.
Any clarification, working code, advice would be appreciated.
Thanks, Jon
With a service account, you are not interested in the service account's mailbox (it likely has none), but rather the target mailbox. The first error is saying that the FolderId element needs to be decorated with the SMTP address of the target mailbox.
FolderId inboxFolderId = new FolderId(WellKnownFolderName.Inbox, mailboxForTarget);
For the second error, the ImpersonatedUserId should be marked as ConnectingIdType.SmtpAddress since you are using the SMTP address and not the UPN (though they may be the same value). I assume in this case that you have set up the rights for the service account?
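The two access modes this reply distinguishes, side by side, as an added example that is not part of the thread or of the ews-java-api project: delegate access names the target mailbox in the FolderId, while impersonation sets an ImpersonatedUserId typed as SmtpAddress. The class name and the EWS_* environment variable names are assumptions, and whether either mode succeeds depends on the rights granted to the service account on the Exchange side.

```java
import java.net.URI;
import microsoft.exchange.webservices.data.core.ExchangeService;
import microsoft.exchange.webservices.data.core.enumeration.misc.ConnectingIdType;
import microsoft.exchange.webservices.data.core.enumeration.misc.ExchangeVersion;
import microsoft.exchange.webservices.data.core.enumeration.property.WellKnownFolderName;
import microsoft.exchange.webservices.data.core.service.item.Item;
import microsoft.exchange.webservices.data.credential.WebCredentials;
import microsoft.exchange.webservices.data.misc.ImpersonatedUserId;
import microsoft.exchange.webservices.data.property.complex.FolderId;
import microsoft.exchange.webservices.data.property.complex.Mailbox;
import microsoft.exchange.webservices.data.search.FindItemsResults;
import microsoft.exchange.webservices.data.search.ItemView;

public class SharedInboxReader {
    // Hypothetical variable names; reading them from the environment keeps
    // the service account secret out of source control.
    static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException("missing " + name);
        return v;
    }

    static ExchangeService connect() throws Exception {
        ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010_SP1);
        service.setCredentials(new WebCredentials(env("EWS_USER"), env("EWS_PASSWORD")));
        service.setUrl(new URI(env("EWS_URL")));
        return service;
    }

    public static void main(String[] args) throws Exception {
        String target = env("EWS_TARGET_SMTP"); // primary SMTP address of the shared mailbox
        boolean impersonate = args.length > 0 && args[0].equals("impersonate");
        ExchangeService service = connect();
        FolderId inbox;
        if (impersonate) {
            // Impersonation: the whole session acts as the target mailbox owner.
            service.setImpersonatedUserId(
                    new ImpersonatedUserId(ConnectingIdType.SmtpAddress, target));
            inbox = new FolderId(WellKnownFolderName.Inbox);
        } else {
            // Delegate access: the caller stays itself and names the target
            // mailbox on the distinguished folder id.
            inbox = new FolderId(WellKnownFolderName.Inbox, new Mailbox(target));
        }
        FindItemsResults<Item> results = service.findItems(inbox, new ItemView(10));
        for (Item item : results.getItems()) {
            System.out.println(item.getSubject());
        }
    }
}
```

Delegate access can be granted on the single shared mailbox, whereas impersonation relies on the ApplicationImpersonation role mentioned later in the thread.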
Actually, your first suggestion is what I'm already doing. That's the one that gives the "When making a request as an account that does not have a mailbox, you must specify the mailbox primary SMTP address for any distinguished folder Ids." error.
I tried your second suggestion earlier and posted the wrong thing, but I just retried it and I get "The request failed. The SMTP address has no mailbox associated with it." - but it definitely does. I can open the SMTP address mailbox using Outlook.
Any other suggestions?
Hi,
I didn't read all the texts and it sounds a bit too simple... but did you try:
service.setImpersonatedUserId(new ImpersonatedUserId(ConnectingIdType.SmtpAddress, Credentials.getSmtpEmailAddress()));
Jan
Hi,
Yes, unfortunately that one gives back "The request failed. The SMTP address has no mailbox associated with it."
Do you know if it's possible for a Service Account with no mailbox to access Generic Mailbox?
Thanks,
Jon
Hi, I'm not sure about that. What exactly is a Generic Mailbox? Is the ServiceAccount in the 'Organization Management' or 'Discovery Management' group, and does at least one of those groups have the 'ApplicationImpersonation' role?
Jan
Hello,
I'm facing the same issue, and I want to know if you found any solution, and if yes, if you can share it.
Thanks in advance,
Julien
Hi,
Yes. The issue is that our Exchange Server (maybe all) is set such that a Service Account cannot open a Generic Mailbox unless it is “mail enabled” itself.
After some convincing, I got our security team to “mail enable” my Service Account. And now, it works beautifully.
Good luck!
Thanks, Jon
On Jan 9, 2019, at 5:59 AM, JulienBougerie [email protected] wrote:
Hello,
I'm facing the same issue, and I want to know if you found any solution, and if yes, if you can share it.
Thanks in advance,
Julien
Thanks a lot Jon for your quick response.
Have a nice day,
Julien
Is there a proper fix for this? I am having the same issue; however, when I use the Microsoft connectivity tester https://testconnectivity.microsoft.com/ it works (service account can access mailbox through EWS without being mail enabled), so this leads me to believe it's something code or library related. Thanks.