A somewhat tougher nut to crack: the impersonation feature apparently stopped working for some users all of a sudden. A UC application was no longer able to retrieve the contacts from the user's mailbox. Unfortunately, the software returned an error message like this: "Does not work"
There were also no entries in the event logs on the Exchange server, and even the IIS logs did not provide much information. They only say:
2013-07-08 08:42:45 192.168.200.1 POST /ews/exchange.asmx - 80 frankysweb.local\ucadmin 192.168.200.10 Cycos+EWS+HttpClient 500 0 0 15
Status code 500 is known to stand for "Internal Server Error", but that can mean many things. Fortunately, the UC software provided the query that was executed against EWS, so the error could be reproduced with SOAPe:
The error message then says:
"The account is not authorized to assume the identity of the requested user."
So it seems to be an authorization problem, but in RBAC the roles were assigned accordingly, exactly as described here:
http://msdn.microsoft.com/en-us/library/exchange/bb204095(v=exchg.140).aspx
After some searching, I noticed that the default scope is not applied to the "Users" OU, but the users were moved to precisely this OU for testing purposes. The simplest solution is of course to take the user accounts out of the "Users" OU again, or to create a new scope, like this:
New-ManagementScope -Name:ImpersonationScope -RecipientRestrictionFilter: {MemberOfGroup -eq "CN=Impersonated Users,CN=Users,DC=frankysweb,DC=local"}
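A management scope has no effect until a role assignment references it. The following is an added example, not part of the original post, that checks whether the service account's ApplicationImpersonation assignment covers a given mailbox and, if not, binds the scope to the role. `ucadmin` and `ImpersonationScope` come from the log line and command above; the mailbox `testuser` and the assignment name `UC-Impersonation` are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell with RBAC admin rights.
$ServiceAccount = 'ucadmin'              # account seen in the IIS log line
$TargetMailbox  = 'testuser'             # hypothetical mailbox that fails
$ScopeName      = 'ImpersonationScope'   # scope created by the command above
$AssignmentName = 'UC-Impersonation'     # hypothetical assignment name

function Get-ImpersonationCoverage {
    param([string]$Account, [string]$Mailbox)
    # -WritableRecipient limits the result to assignments whose
    # recipient write scope contains the given mailbox.
    Get-ManagementRoleAssignment -Role ApplicationImpersonation `
        -RoleAssignee $Account -WritableRecipient $Mailbox
}

$before = @(Get-ImpersonationCoverage $ServiceAccount $TargetMailbox)
if ($before.Count -eq 0) {
    Write-Warning "$ServiceAccount may not impersonate $TargetMailbox"

    # Show every impersonation assignment of the account and its scope.
    Get-ManagementRoleAssignment -Role ApplicationImpersonation `
        -RoleAssignee $ServiceAccount |
        Format-List Name, RecipientWriteScope, CustomRecipientWriteScope

    # Preview which recipients the custom scope filter actually matches.
    $scope = Get-ManagementScope -Identity $ScopeName
    Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter |
        Select-Object Name, OrganizationalUnit

    # Bind the scope to the role; a scope alone grants nothing.
    New-ManagementRoleAssignment -Name $AssignmentName `
        -Role ApplicationImpersonation -User $ServiceAccount `
        -CustomRecipientWriteScope $ScopeName
}

# Re-check: a non-empty result means the mailbox is now inside the scope.
Get-ImpersonationCoverage $ServiceAccount $TargetMailbox |
    Format-Table Name, RoleAssigneeName, CustomRecipientWriteScope
```

Restricting the write scope to a dedicated group also keeps the service account from impersonating mailboxes it has no business reading.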
As soon as the scope has been changed or the account has been moved out of the "Users" OU, the query in SOAPe also looks better:
The SOAPe tool can be downloaded here and has proven to be very helpful for tests with the EWS: