Exchange, Impersonation and RBAC in a multi-forest scenario

The other day I was asked for help by a team that is responsible for an application. They needed the ApplicationImpersonation role for specific mailboxes. After we had clarified the legal and data protection part, we went on to implement the technical part in a POC.

The goal was to assign the role ApplicationImpersonation to a specific group in a trusted forest (let's call it resource.com), for mailboxes in the forest where Exchange was installed (let's call it adatum.com), but only for mailboxes with a specific value in an attribute. That restriction would be the CustomRecipientWriteScope.

First thought: Okay, this is not too hard.

First, a Universal group was created in the forest resource.com.

Impersonation_01

Next step was to define a scope:

New-ManagementScope -Name ResourceImp -RecipientRestrictionFilter {CustomAttribute1 -eq 'ResourceManaged'}

Impersonation_02

Create the role group:

New-RoleGroup -Name ResourceDelegation -LinkedForeignGroup ExchangeImpersonation -LinkedDomainController ResourceDC01.resource.com -LinkedCredential (Get-Credential resource\Administrator) -CustomRecipientWriteScope ResourceImp -Roles ApplicationImpersonation

Impersonation_03

Impersonation_04

This command combined the group (ExchangeImpersonation), the previously created scope (ResourceImp) and the role (ApplicationImpersonation) into one linked role group.

So we had built the Triangle of Power (role, scope and role group) and should have been good to go. Therefore I created a shared mailbox and populated CustomAttribute1 with the value 'ResourceManaged', so that the scope would match this mailbox for testing purposes.

New-Mailbox -Name "Shared 01" -Alias shared01 -SamAccountName shared01 -Shared
Set-Mailbox shared01 -CustomAttribute1 'ResourceManaged'
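The whole setup as one script, with a verification step at the end. This is an added example written for this post, not the commands the author ran; it assumes the names used above (forests resource.com and adatum.com, group ExchangeImpersonation, scope ResourceImp, role group ResourceDelegation, DC ResourceDC01.resource.com), that it runs in the Exchange Management Shell of adatum.com, and that the ActiveDirectory module is available for creating the group in the trusted forest.

```powershell
# Added example, not from the original post. Builds the "Triangle of Power"
# (role + scope + linked role group) for ApplicationImpersonation across a
# forest trust and then checks the resulting assignment.
# Assumed names: resource.com (trusted forest with the app group),
# adatum.com (Exchange forest), ExchangeImpersonation, ResourceImp,
# ResourceDelegation, ResourceDC01.resource.com.

$resourceCred = Get-Credential 'resource\Administrator'
$resourceDC   = 'ResourceDC01.resource.com'

# 1. Universal security group in the trusted forest. The post created it with
#    the GUI; here it is done with the AD module against a DC of resource.com.
New-ADGroup -Name 'ExchangeImpersonation' -GroupScope Universal -GroupCategory Security `
    -Server $resourceDC -Credential $resourceCred

# 2. Management scope: only recipients whose CustomAttribute1 is 'ResourceManaged'.
#    This is the recipient write scope that limits which mailboxes can be impersonated.
New-ManagementScope -Name 'ResourceImp' `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'ResourceManaged'"

# 3. Linked role group: members of the foreign group receive
#    ApplicationImpersonation, restricted to the scope from step 2.
New-RoleGroup -Name 'ResourceDelegation' `
    -LinkedForeignGroup 'ExchangeImpersonation' `
    -LinkedDomainController $resourceDC `
    -LinkedCredential $resourceCred `
    -CustomRecipientWriteScope 'ResourceImp' `
    -Roles 'ApplicationImpersonation'

# 4. Test mailbox that falls inside the scope.
New-Mailbox -Name 'Shared 01' -Alias shared01 -SamAccountName shared01 -Shared
Set-Mailbox shared01 -CustomAttribute1 'ResourceManaged'

# 5. Verification: the assignment must be of type linked role group and carry
#    the custom recipient write scope, and the role group must point at the
#    foreign group on the trusted forest's DC.
Get-ManagementRoleAssignment -RoleAssignee 'ResourceDelegation' -Role 'ApplicationImpersonation' |
    Format-List Name, RoleAssigneeType, CustomRecipientWriteScope, RecipientWriteScope, Enabled

Get-RoleGroup 'ResourceDelegation' |
    Format-List Name, LinkedGroup, LinkedDomainController, Roles
```

If CustomRecipientWriteScope shows up empty in step 5, the assignment falls back to the implicit write scope of the role (Organization for ApplicationImpersonation), which is exactly the overly broad grant the custom scope is meant to avoid.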

Impersonation_05

Configuration on the Exchange side is done. I then created a test user in the forest resource.com and made him a member of the group ExchangeImpersonation. For testing I used EWSEditor.

Impersonation_06

Authentication took place:

Impersonation_07

But to my surprise I got the following error:

Impersonation_08

First I thought there might be an issue because my lab is a mixed environment of Exchange 2010/2013. Therefore I used the direct URL of my Exchange 2010 server, where the mailbox exists. No luck: I got the same error.

As a next step I created a second mailbox, this time on the Exchange 2013 server.

New-Mailbox -Name "Shared 02" -Alias shared02 -SamAccountName shared02 -Shared
Set-Mailbox shared02 -CustomAttribute1 'ResourceManaged'

Impersonation_09

I tried again, and guess what: this time it worked.

Impersonation_10

To cross-check that the scope was working, I removed the attribute from the second mailbox and got the expected error:

Impersonation_11
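The cross-check above, done from the shell instead of EWSEditor, and generalized into a small audit of every ApplicationImpersonation assignment in the organization. This is an added example, not code from the original post; it assumes the scope ResourceImp and the mailbox shared02 from the post and runs in the Exchange Management Shell (written for PowerShell 2.0 compatibility, since that is what the Exchange 2010 shell provides).

```powershell
# Added example, not from the original post. Lists who holds
# ApplicationImpersonation and which recipients each assignment reaches, then
# shows that clearing CustomAttribute1 on shared02 takes it out of ResourceImp.
# Assumed names: scope ResourceImp, mailbox alias shared02.

function Get-ImpersonationCoverage {
    # One object per enabled ApplicationImpersonation assignment.
    Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -Enabled $true | ForEach-Object {
        $assignment = $_
        $covered = '<implicit scope>'
        if ($assignment.CustomRecipientWriteScope) {
            # Custom scope present: resolve its filter to the concrete recipients.
            $filter = (Get-ManagementScope $assignment.CustomRecipientWriteScope).RecipientFilter
            $aliases = Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
                Select-Object -ExpandProperty Alias
            $covered = $aliases -join ','
        }
        New-Object PSObject -Property @{
            Assignment    = $assignment.Name
            Assignee      = $assignment.RoleAssignee
            AssigneeType  = $assignment.RoleAssigneeType
            CustomScope   = $assignment.CustomRecipientWriteScope
            ImplicitScope = $assignment.RecipientWriteScope
            Covered       = $covered
        }
    }
}

function Test-InScope {
    # True if the recipient with this alias matches the scope's recipient filter.
    param([string]$Alias, [string]$ScopeName)
    $filter = (Get-ManagementScope $ScopeName).RecipientFilter
    $match = Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
        Where-Object { $_.Alias -eq $Alias }
    return ($null -ne $match)
}

# Who can impersonate whom right now.
Get-ImpersonationCoverage |
    Format-Table Assignment, Assignee, AssigneeType, CustomScope, ImplicitScope, Covered -AutoSize

# Cross-check: with the attribute set, shared02 is inside the scope ...
Set-Mailbox shared02 -CustomAttribute1 'ResourceManaged'
Test-InScope -Alias shared02 -ScopeName 'ResourceImp'

# ... and once it is cleared it drops out, so impersonation against it is denied.
Set-Mailbox shared02 -CustomAttribute1 $null
Test-InScope -Alias shared02 -ScopeName 'ResourceImp'
```

Any row whose Covered column reads "<implicit scope>" is an assignment without a custom write scope, which for ApplicationImpersonation means every mailbox in the organization; those are the rows worth reviewing first.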

Conclusion

As the production environment was pure Exchange 2010 and the application was in a trusted forest, I opened a case with Microsoft. The outcome was that this behavior is "by design". It is related to the internal processing of the EWS component on the CAS, and this processing was changed in Exchange 2013. In short:

In a pure Exchange 2010 environment you cannot assign the role ApplicationImpersonation to a user or group outside the forest in which Exchange is installed.

As we have now reached the extended support phase of Exchange 2010, this probably won't be fixed. But you never know...
