Exchange, Impersonation and RBAC in a multi-forest scenario

The other day I was asked for help by a team responsible for an application. They needed the ApplicationImpersonation role for specific mailboxes. After we had clarified the legal and data protection part, we moved on to implement the technical part in a POC.

The goal was to assign the role ApplicationImpersonation to a specific group in a trusted forest (let’s call it, to mailboxes in the forest where Exchange was installed (let’s call it, but only for mailboxes with a specific value in an attribute. This would be the CustomRecipientWriteScope.

First thought: Okay, this is not too hard.

First, a Universal group was created in the forest

The next step was to define a scope:

New-ManagementScope -Name ResourceImp -RecipientRestrictionFilter {CustomAttribute1 -eq 'ResourceManaged'}


Create the role group:

New-RoleGroup -Name ResourceDelegation -LinkedForeignGroup ExchangeImpersonation -LinkedDomainController -LinkedCredential (Get-Credential resource\Administrator) -CustomRecipientWriteScope ResourceImp  -Roles ApplicationImpersonation



This command combined the group (ExchangeImpersonation), the previously created scope (ResourceImp) and the role (ApplicationImpersonation) into one role assignment.

So we had built the Triangle of Power and should have been good to go. Therefore I created a shared mailbox and populated CustomAttribute1 with the value ‘ResourceManaged’ so that the scope would apply to this mailbox for testing purposes.

New-Mailbox -Name "Shared 01" -Alias shared01 -SamAccountName shared01 -Shared
Set-Mailbox shared01 -CustomAttribute1 'ResourceManaged'

Configuration on the Exchange side was done. I then created a test user in the trusted forest and made him a member of the group ExchangeImpersonation. For testing I used EWSEditor.


Authentication took place, but to my surprise I got the following error:


First I thought there might be an issue because my lab is a mixed environment of Exchange 2010/2013. Therefore I used the direct URL to my Exchange 2010 server, where the mailbox exists. But I had no luck; I got the same error.

As a next step I created a second mailbox, but this time on the Exchange 2013 server.

New-Mailbox -Name "Shared 02" -Alias shared02 -SamAccountName shared02 -Shared
Set-Mailbox shared02 -CustomAttribute1 'ResourceManaged'


I tried again and, guess what, this time it worked.


To cross-check that the scope was really working, I removed the attribute from the second mailbox and got the expected error.
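To verify the resulting grant end to end, here is an added PowerShell audit script (not from the original post): it lists every ApplicationImpersonation assignment with its recipient write scope, warns about assignments that have no custom scope at all, resolves which mailboxes the scope filter actually matches, and spot-checks the two shared mailboxes above against the ResourceImp scope. It assumes an Exchange Management Shell session in the Exchange forest and the names used in this post (ResourceImp, shared01, shared02).

```powershell
# Added audit example (not from the original post). Run in the Exchange
# Management Shell of the forest where Exchange is installed. Names are the
# ones used in the post (ResourceImp, shared01, shared02); adjust as needed.

$role = 'ApplicationImpersonation'

# 1. Every enabled ApplicationImpersonation assignment and its effective scope
Get-ManagementRoleAssignment -Role $role -Enabled $true | ForEach-Object {
    $a = $_
    $filter = $null
    if ($a.CustomRecipientWriteScope) {
        # The scope object carries the OPath filter given to -RecipientRestrictionFilter
        $filter = (Get-ManagementScope -Identity $a.CustomRecipientWriteScope).RecipientFilter
    }

    # No custom recipient scope means the assignee can impersonate org-wide
    if (-not $filter) {
        Write-Warning ("{0}: {1} assigned to '{2}' with NO custom recipient write scope" -f `
            $a.Name, $role, $a.RoleAssigneeName)
        return   # acts as 'continue' inside ForEach-Object
    }

    # The same OPath filter works with Get-Mailbox, so resolve what it really matches
    $inScope = @(Get-Mailbox -Filter $filter -ResultSize Unlimited)

    [pscustomobject]@{
        Assignment   = $a.Name
        Assignee     = $a.RoleAssigneeName
        AssigneeType = $a.RoleAssigneeType
        Scope        = $a.CustomRecipientWriteScope
        Filter       = $filter
        MailboxCount = $inScope.Count
        Mailboxes    = ($inScope | Select-Object -ExpandProperty Alias) -join ','
    }
}

# 2. Spot check the two shared mailboxes from the post against the ResourceImp scope:
#    only a mailbox whose CustomAttribute1 is 'ResourceManaged' should be in scope
$scopeFilter = (Get-ManagementScope -Identity 'ResourceImp').RecipientFilter
'shared01', 'shared02' | ForEach-Object {
    $m = Get-Mailbox -Identity $_
    $hit = Get-Mailbox -Filter ("Alias -eq '{0}' -and ({1})" -f $m.Alias, $scopeFilter)
    [pscustomobject]@{
        Mailbox          = $m.Alias
        CustomAttribute1 = $m.CustomAttribute1
        InScope          = [bool]$hit
    }
}
```

After the attribute is removed from shared02, the second part should report InScope = False for it, matching the error seen in the test above.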



As the productive environment was pure Exchange 2010 and the application lived in a trusted forest, I opened a case with Microsoft. The outcome was that this behavior is “by design”. It is related to the internal processing of the EWS component on the CAS, which was changed in Exchange 2013. In short, this means:

In a pure Exchange 2010 environment you cannot assign the role ApplicationImpersonation to a user or group outside the forest in which Exchange is installed.

As Exchange 2010 has now reached its extended support phase, this might never be fixed. But you never know…
