Using Exchange Impersonation in Exchange 2010
Last modified: March 16, 2009
Applies to: Exchange Server 2007 | Exchange Server 2010
Exchange Impersonation enables a caller to impersonate a given account so that the operations can be performed with the rights of the impersonated account, instead of the rights that are associated with the caller's account.
The ExchangeImpersonation SOAP header element provides the following three methods that you can use to identify the account to impersonate:
The user principal name (UPN) method
The Security Identifier (SID) method
The primary Simple Mail Transfer Protocol (SMTP) address method
To use the UPN to identify the account to impersonate
The PrincipalName element contains the fully qualified domain name (FQDN) for the location of the user account. This is not necessarily the user's mailbox domain. This element occurs as a child of the ConnectingSID element. Note that the UserPrincipalName attribute must be correctly stamped on the user account in the Active Directory directory service for the user lookup to succeed.
To use the user SID to identify the account to impersonate
The SID element contains the security identifier of the account to be impersonated. This is the security descriptor definition language (SDDL) form of the SID.
To use the primary SMTP address to identify the account to impersonate
The PrimarySmtpAddress element contains the primary SMTP address that is used to create the connecting SID.
The following example shows a request to impersonate another user and query the contents of the user's Inbox.
<?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"> <soap:Header> <t:ExchangeImpersonation> <t:ConnectingSID> <t:PrincipalName>User2@example.com</t:PrincipalName> </t:ConnectingSID> </t:ExchangeImpersonation> </soap:Header> <soap:Body> <FindItem xmlns="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" Traversal="Shallow"> <ItemShape> <t:BaseShape>IdOnly</t:BaseShape> </ItemShape> <ParentFolderIds> <t:DistinguishedFolderId Id="inbox"/> </ParentFolderIds> </FindItem> </soap:Body> </soap:Envelope>
With Exchange Impersonation, one account is acting as another account. When an account is impersonated, the system logs the access as if the account that is specified in the header were acting on the system. The calling account must have the appropriate permissions to perform impersonation. For more information, see Configuring Exchange Impersonation in Exchange 2010.