Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6093
  • Last Modified:

IEMStest.exe No send as permission for ...

I am new to BES.  We have only used AES for our mobile devices but since our marketing department opted to go with Blackberries we are now in need for BES. Add to that fact that BES Express is  now free!  I did the two shell cmd that the BES Installation and configure guide asked for:

[PS] C:\>add-exchangeadministrator "besadmin" -role ViewOnlyAdmin

Identity                   Scope                     Role
--------                   -----                     ----
scope.local/Users/BESAdmin Organization wide         ViewOnlyAdmin


[PS] C:\>get-mailboxserver "exchsrv2k7" | add-adpermission -user "besadmin" -a
essrights ExtendedRight -extendedrights Receive-As, ms-Exch-Store-Admin

Identity             User                 Deny  Inherited Rights
--------             ----                 ----  --------- ------
EXCHSRV2K7           SCOPE\BESAdmin       False False     Receive-As
EXCHSRV2K7           SCOPE\BESAdmin       False False     ms-Exch-Store-Admin

I specifically applied the Send As Permission to one user "tpeters" via the EMC "Manage Send As Function".  When i do the IEMStest.exe i receive the following:

D:\tools>iemstest.exe
BlackBerry Enterprise Server Utility - IEMSTest.exe (IExchangeManageStore), Vers
ion 1.0
Copyright (c) Research In Motion, Ltd. 1999. All rights reserved.
Opening Default Message Store Mailbox - BESAdmin

Tracy Peters: Opening message store using
        /o=SCOPe/ou=First Administrative Group/cn=Recipients/cn=tpeters
        /o=SCOPe/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configura
tion/cn=Servers/cn=EXCHSRV2K7/cn=Microsoft Private MDB
Tracy Peters: Mailbox opened successfully
Tracy Peters: Root Folder opened successfully
Tracy Peters: Folder created successfully
Tracy Peters: Test folder deleted successfully
Tracy Peters: MAPI test completed successfully
Tracy Peters: CDO Server Name: EXCHSRV2K7
Tracy Peters: CDO Mailbox DN: /o=SCOPe/ou=First Administrative Group/cn=Recipien
ts/cn=tpeters
Tracy Peters: CDO logon successful
Tracy Peters: Get default calendar folder successful
Tracy Peters: Get calendar folder name successful: 'Calendar'
Tracy Peters: CDO test completed successfully
Tracy Peters: No Send As permission for the {SCOPE\besadmin} account operator.
Tracy Peters: Initializing EWS Proxy... successful
Tracy Peters: Configuring User... successful
Tracy Peters: EWS calendar find request... failed

So you can see that the CDO and MAPI are good on the test BES server but it states that I do not have SEND AS for this user.  what am I missing???
0
scopeortho
Asked:
scopeortho
  • 19
  • 13
  • 2
1 Solution
 
bpinningCommented:
Hey,

In the users server profile add besadmin with send as permissions,

I will send the full instructions on how to do it when I find them
0
 
bpinningCommented:
Here it is,

In particular, Point 2, but check all the permissions as stated

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB02276#Task%202

Brett
0
 
sunnyc7Commented:
Hi blackberry created their own decision tree for the Send As issue.

here it is
http://na.blackberry.com/eng/support/software/sendas.jsp
--
Also
Check your bes services
start > run > services.msc

They should be logging in as
domain\besadmin

not local system account.

Please check that too.

thanks
0
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

 
scopeorthoAuthor Commented:
sunny, I do have the services set to run with the besadmin account.  bpinning that was a good article I did do another command that I did not do before:

[PS] C:\>add-adpermission -inheritedobjecttype User -inheritancetype Descendent
 -ExtendedRights Send-As -user "besadmin" -identity "OU=CA,OU=KMO,DC=scope,DC=l
cal"

this is the OU where i have that Tracy Peters account.  The user is in the First Storage Group, 1st mailbox database.  Here is the get commands for Send As permissions:

[PS] C:\>get-exchangeadministrator |fl

Identity : scope.local/Users/BESAdmin
Scope    : Organization wide
Role     : ViewOnlyAdmin

[PS] C:\>get-mailboxserver "exchsrv2k7" | get-adpermission -user besadmin |fl


User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7
Deny                : False
AccessRights        : {Self, WriteProperty, GenericRead}
ExtendedRights      :
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-Store-Admin}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {Receive-As}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {Send-As}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All


[PS] C:\>get-mailboxdatabase "EXCHSRV2K7\First Storage Group\1st Mailbox Databas
e" | get-adpermission -user besadmin |fl


User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7\First Storage Group\1st Mailbox Database
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {Send-As}
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7\First Storage Group\1st Mailbox Database
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {Receive-As}
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7\First Storage Group\1st Mailbox Database
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-Store-Admin}
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7\First Storage Group\1st Mailbox Database
Deny                : False
AccessRights        : {Self, WriteProperty, GenericRead}
ExtendedRights      :
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

AND WHEN I RUN THE IEMSTEST.EXE I get the same result.  Can you catch the problem???
0
 
sunnyc7Commented:
0
 
scopeorthoAuthor Commented:
Let me give that a try...
0
 
sunnyc7Commented:
Hows it going ?
0
 
scopeorthoAuthor Commented:
Have not had a chance to get on this had some network issues to attend to on Friday.  And took a well needed 3 day off!  getting to it today.  will let you know.
0
 
scopeorthoAuthor Commented:
I ran the setsendaspermission.exe utility on my own account and the Tracy Peters account:

C:\>setsendaspermission -a besadmin -u dmartinez@scop.net
Set the Send As Permission in Active Directory tool Version 4.1.2.14
Copyright (c) Research In Motion, Ltd. 2000-2007. All rights reserved.
Modification date: Mar  9 2007

[20000] (09:19:45.966):{0x1980} SMTP address: dmartinez@scop.net
[20000] (09:19:46.437):{0x1980} SUCCESS

C:\>setsendaspermission -a besadmin -u tpeters@scop.net
Set the Send As Permission in Active Directory tool Version 4.1.2.14
Copyright (c) Research In Motion, Ltd. 2000-2007. All rights reserved.
Modification date: Mar  9 2007

[20000] (09:19:54.870):{0x19A0} SMTP address: tpeters@scop.net
[20000] (09:19:55.260):{0x19A0} SUCCESS

and I still get the same thing on the iemstest.exe...

D:\tools>iemstest.exe
BlackBerry Enterprise Server Utility - IEMSTest.exe (IExchangeManageStore), Vers
ion 1.0
Copyright (c) Research In Motion, Ltd. 1999. All rights reserved.
Opening Default Message Store Mailbox - BESAdmin

Tracy Peters: Opening message store using
        /o=SCOPe/ou=First Administrative Group/cn=Recipients/cn=tpeters
        /o=SCOPe/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configura
tion/cn=Servers/cn=EXCHSRV2K7/cn=Microsoft Private MDB
Tracy Peters: Mailbox opened successfully
Tracy Peters: Root Folder opened successfully
Tracy Peters: Folder created successfully
Tracy Peters: Test folder deleted successfully
Tracy Peters: MAPI test completed successfully
Tracy Peters: CDO Server Name: EXCHSRV2K7
Tracy Peters: CDO Mailbox DN: /o=SCOPe/ou=First Administrative Group/cn=Recipien
ts/cn=tpeters
Tracy Peters: CDO logon successful
Tracy Peters: Get default calendar folder successful
Tracy Peters: Get calendar folder name successful: 'Calendar'
Tracy Peters: CDO test completed successfully
Tracy Peters: No Send As permission for the {SCOPE\besadmin} account operator.
Tracy Peters: Initializing EWS Proxy... successful
Tracy Peters: Configuring User... successful
Tracy Peters: EWS calendar find request... failed


I finished the installation of the Blackberry Enterprise express Server setup...  I am just about to start reading the Admin Guide, I have the slightest clue on how to use this...  But in the Installation and Configuration Guide states to run this before completing the installation (page 20).
0
 
sunnyc7Commented:
Can you check this

Open Active Directory Users & Computers
Enable Advanced Features in AD (View, Advanced Features)
Double-click (open) your BESAdmin user
Security tab

See if you have send as / receive as perm's in AD
--
do not run dsacls first before confirming that

source:
http://www.waldrondigital.com/2010/03/04/cannot-activate-user-in-bes-express-iemstest-exe-fails-with-send-as-account-operator-error/
0
 
scopeorthoAuthor Commented:
sunnyc7, first let me say thanks for helping me out,  I thought the Send As permission had to be on the object that you were going to have your besadmin send on behalf of... No I do not have the BESadmin account with send As permission.  See attached pictures.  What account in the ACL list to I add?  I add besadmin to the besadmin object???

0
 
sunnyc7Commented:
no pictures here :(

please repost.
0
 
scopeorthoAuthor Commented:
here is the picture of the ACL list on the besadmin object
ACL.bmp
0
 
scopeorthoAuthor Commented:
I believe I am stuck in the deployment process.  I tried to assciate a device with my account a BlackBerry Bold phone via the BlackBerry Web Desktop Manager and all i get is: "The BlackBerry Web Desktop Manager is unable to complete this action. Please contact your administrator for more information."  I went to look at the RIM Logs and in the BES_CALH log shows this for my account:  

[30000] (09/07 15:49:32.291):{0x1A08} {dmartinez@scop.net} Service::TestAccessToMailbox Soap Exception caught: The server to which the application is connected cannot impersonate the requested user due to insufficient permission.
[30000] (09/07 15:49:32.291):{0x1A08} {dmartinez@scop.net} Diagnosis: The BES service account does not have impersonation rights on the CAS server.
[30000] (09/07 15:49:32.291):{0x1A08} {dmartinez@scop.net} Please consult the BES installation guide for Exchange Server configuration information.

I think I need to get the Send As working for my account so I can get it to work.  Any help or input would be greatful!
0
 
sunnyc7Commented:
try this

Add-ADPermission -Identity (get-exchangeserver).DistinguishedName - User (Get-User -Identity besadmin ¦ select-object).identity -ExtendedRights Send-As

see if it works
0
 
scopeorthoAuthor Commented:
sunnyc7

Here is the result:

[PS] C:\>Add-ADPermission -Identity "CN=EXCHSRV2K7,CN=Servers,CN=Exchange Admin
strative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SCOPe,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=scope,DC=local"  -User besadmin -Exten
edRights Send-As
WARNING: Appropriate ACE is already present on object
"CN=EXCHSRV2K7,CN=Servers,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SCOPe,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=scope,DC=local" for account
"SCOPE\BESAdmin".

Identity             User                 Deny  Inherited Rights
--------             ----                 ----  --------- ------
EXCHSRV2K7           SCOPE\BESAdmin       False False     Send-As

It stated that it is already there...
0
 
sunnyc7Commented:
ok
the error said the server cannot impersonate.

[30000] (09/07 15:49:32.291):{0x1A08} {dmartinez@scop.net} Service::TestAccessToMailbox Soap Exception caught: The server to which the application is connected cannot impersonate the requested user due to insufficient permission.
[30000] (09/07 15:49:32.291):{0x1A08} {dmartinez@scop.net} Diagnosis: The BES service account does not have impersonation rights on the CAS server.

and when you ran the impersonation cmdlet it says its already there.

Let me think through this.

PS: when did you last restart the server.
0
 
scopeorthoAuthor Commented:
I restarted the Exchange Server last night.  And I just rebooted the BESX right now as you just posted your last remark.  I am going to wait the recomended 20 minutes and see if it works again.  Will post with results.
0
 
sunnyc7Commented:
ok
0
 
scopeorthoAuthor Commented:
Still the same result on the iemstest.exe  "No Send As permission for the SCOPE\besadmin account operator...  Any input would be greatly appreciated...
0
 
scopeorthoAuthor Commented:
C:\>setsendaspermission.exe -a besadmin -u dmartinez@scop.net
Set the Send As Permission in Active Directory tool Version 4.1.2.14
Copyright (c) Research In Motion, Ltd. 2000-2007. All rights reserved.
Modification date: Mar  9 2007

[20000] (08:33:09.629):{0x09EC} SMTP address: dmartinez@scop.net
[20000] (08:33:10.120):{0x09EC} SUCCESS
0
 
scopeorthoAuthor Commented:
D:\tools>iemstest.exe
BlackBerry Enterprise Server Utility - IEMSTest.exe (IExchangeManageStore), Ver
ion 1.0
Copyright (c) Research In Motion, Ltd. 1999. All rights reserved.
Opening Default Message Store Mailbox - BESAdmin

Dennis Martinez: Opening message store using
        /o=SCOPe/ou=First Administrative Group/cn=Recipients/cn=dmartinez
        /o=SCOPe/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configur
tion/cn=Servers/cn=EXCHSRV2K7/cn=Microsoft Private MDB
Dennis Martinez: Mailbox opened successfully
Dennis Martinez: Root Folder opened successfully
Dennis Martinez: Folder created successfully
Dennis Martinez: Test folder deleted successfully
Dennis Martinez: MAPI test completed successfully
Dennis Martinez: CDO Server Name: EXCHSRV2K7
Dennis Martinez: CDO Mailbox DN: /o=SCOPe/ou=First Administrative Group/cn=Reci
ients/cn=dmartinez
Dennis Martinez: CDO logon successful
Dennis Martinez: Get default calendar folder successful
Dennis Martinez: Get calendar folder name successful: 'Calendar'
Dennis Martinez: CDO test completed successfully
Dennis Martinez: No Send As permission for the {SCOPE\besadmin} account operato
.
Dennis Martinez: Initializing EWS Proxy... successful
Dennis Martinez: Configuring User... successful
Dennis Martinez: EWS calendar find request... failed
0
 
sunnyc7Commented:
did it work ?

can you try
iemstest.exe
0
 
scopeorthoAuthor Commented:
Still failed...
0
 
sunnyc7Commented:
Can you try this

for the besadmin account - check the user is a member of which groups in AD ?
Can you keep it to - just Administrators / Domain Admins and domain users

Remove all other memberships please.

and lets try again.

thanks
0
 
sunnyc7Commented:
Also
Do you have the latest MAPI/CDO for BES ?
What version of MAPI/CDO are you running right now ?
0
 
scopeorthoAuthor Commented:
Version 6.5.8165.0
0
 
scopeorthoAuthor Commented:
But it says Messaging API and Collaboration Data Object 1.2.1
0
 
scopeorthoAuthor Commented:
Sunnyc7

I do appreciate all the help you have given me.  We just had our semi-annual Marketing meeting and we all decided to go with DroidX as their mobile devices and will move away from Blackberries so no need for BESX.  So we can forget about this issue!   Quick question based what you have seen throughout this thread do you believe it was something I missed on the setup or is this some wierd issue.  I did find tha my account is part of the Enterprise Admin so the AdminSDHolder issue does effect my accont but the regular test account of Tracy Peters is just part of the Domain Users Account and the BESAdmin still has the Send As permission but the iemstest.exe still states that it does not have Send As permission.  Anyways thanks for all the help
0
 
sunnyc7Commented:
its a weird issue.
blackberry had a separate support page dedicated to send as issues
http://na.blackberry.com/eng/support/software/sendasfaq.jsp

The only thing which comes to my mind from there = stop blackberry router for 20 mins from the faq above to clear the cached admin account permissions.

0
 
scopeorthoAuthor Commented:
Well believe me I am relieved that we will now go with AES and not BES! But I will accept your last input as a possible solution...
0
 
scopeorthoAuthor Commented:
Did not actually resolve our issue but can direct admins to the right direction.
0
 
scopeorthoAuthor Commented:
We went with AES devices and did not go with deploying BESX
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

  • 19
  • 13
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now