Using Exchange Impersonation
Exchange Impersonation enables a caller to impersonate a given account so that the operations can be performed with the rights of the impersonated account, instead of the rights that are associated with the caller's account.
The ExchangeImpersonation SOAP header element provides the following three methods that you can use to identify the account to impersonate:
The user principal name (UPN) method
The Security Identifier (SID) method
The primary Simple Mail Transfer Protocol (SMTP) address method
The PrincipalName element contains the fully qualified domain name (FQDN) for the location of the user account. This is not necessarily the user's mailbox domain. This element occurs as a child of the ConnectingSID element. Note that the UserPrincipalName attribute must be correctly stamped on the user account in the Active Directory directory service for the user lookup to succeed.
The SID element contains the security identifier of the account to be impersonated. This is the security descriptor definition language (SDDL) form of the SID.
The following example shows a request to impersonate another user and query the contents of the user's Inbox.
<?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"> <soap:Header> <t:ExchangeImpersonation> <t:ConnectingSID> <t:PrincipalName>User2@example.com</t:PrincipalName> </t:ConnectingSID> </t:ExchangeImpersonation> </soap:Header> <soap:Body> <FindItem xmlns="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" Traversal="Shallow"> <ItemShape> <t:BaseShape>IdOnly</t:BaseShape> </ItemShape> <ParentFolderIds> <t:DistinguishedFolderId Id="inbox"/> </ParentFolderIds> </FindItem> </soap:Body> </soap:Envelope>
With Exchange Impersonation, one account is acting as another account. When an account is impersonated, the system logs the access as if the account that is specified in the header were acting on the system. The calling account must have the appropriate permissions to perform impersonation. For more information, see Configuring Exchange Impersonation.