Solved

Why is full access required for webdav calls?

Posted on 2011-03-10
7
498 Views
Last Modified: 2013-12-06
Can anyone shed some light on permissions required for a service account to access mailboxes in Exchange using either WebDav or EWS?

We have an application which needs to read mailboxes using a service account and the only combination which seems to work is to allow "FullAccess" at the Mailbox level to the AD Account we are using to connect via WebDav or EWS.

Apparently there is no way to do a ReadOnly access via WebDav or EWS?

I have read on several forums that this is just the way it is, I'm fine with that but does anyone know why?  If I could give clients a good explanation or even point them to some official documentation from M$ that would be much better than them just having to take my word for it.

0
Comment
Question by:rerard
  • 4
  • 3
7 Comments
 
LVL 31

Expert Comment

by:LeeDerbyshire
Comment Utility
This is a bit of a guess (I've done lots of WebDAV coding, but never for a service account, so I have never encountered the full access requirement), but it may be because even when you are just reading something, this occasionally results in a change within the mailbox.  For instance, getting an email could result in it being marked as Read.  Or, some server-side rules may be invoked.  But, like I say, this is just a guess.

Are you sure that your service account really does need full access?  What kind of reponse are you getting without it?
0
 
LVL 1

Author Comment

by:rerard
Comment Utility
It's been a while but I believe we were getting a 401.

I found on a forum that the search creates a temporary folder in the mailbox.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
Comment Utility
I'd be surprised if it did something as big as that.  But not completely.  Do you still know where the forum post can be found?

But a 401 is fairly conclusive.  There are several types of 401 (IP address restriction, unknown mime type, scripting handler not installed on the server), but to get a 401 when the same code works with full access does seem to point to permissions.

If you are thinking that it is a lot of work to give the account full access to each mailbox individually, there is probably a simpler way of doing it.

You also need to be sure of where you are directing the searches to.  If the account only has permissions on a particular folder, you will not, of course, be able to access items in the mailbox root, or even list the folders.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 1

Author Comment

by:rerard
Comment Utility
This is the post:

http://forums.msexchange.org/m_1800541603/mpage_1/key_/tm.htm#1800541603

The work associated with setting up the permissions is not the issue.  The problem is that our application reports on email activity, and from a layman standpoint should only need read-only.  So sometimes a client will make a big deal about giving us full access ( I don't blame them ).
0
 
LVL 31

Accepted Solution

by:
LeeDerbyshire earned 500 total points
Comment Utility
Since you are asking about both WebDAV and EWS, i assume you are working with Exchange 2007?
This article suggests that you can use delegate access (which is rather more than read-only, but not full access), but does not say whether or not there is such a thing a read-only access:
http://msdn.microsoft.com/en-us/library/bb655860(v=exchg.80).aspx
0
 
LVL 1

Author Comment

by:rerard
Comment Utility
We deal with 2003, 2007, and 2010.  So we have to support both WebDav and EWS.  It seems so far to be a bigger issue with Webdav but unfortunately that is the only option for 2003.  
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
Comment Utility
Did you try asking the question in the MS Exchange Technet developers forum?  There aren't many Exchange coders here on EE.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now