Link to home
Start Free TrialLog in
Avatar of rerard
rerardFlag for United States of America

asked on

Why is full access required for webdav calls?

Can anyone shed some light on permissions required for a service account to access mailboxes in Exchange using either WebDav or EWS?

We have an application which needs to read mailboxes using a service account and the only combination which seems to work is to allow "FullAccess" at the Mailbox level to the AD Account we are using to connect via WebDav or EWS.

Apparently there is no way to do a ReadOnly access via WebDav or EWS?

I have read on several forums that this is just the way it is, I'm fine with that but does anyone know why?  If I could give clients a good explanation or even point them to some official documentation from M$ that would be much better than them just having to take my word for it.

Avatar of LeeDerbyshire
LeeDerbyshire
Flag of United Kingdom of Great Britain and Northern Ireland image

This is a bit of a guess (I've done lots of WebDAV coding, but never for a service account, so I have never encountered the full access requirement), but it may be because even when you are just reading something, this occasionally results in a change within the mailbox.  For instance, getting an email could result in it being marked as Read.  Or, some server-side rules may be invoked.  But, like I say, this is just a guess.

Are you sure that your service account really does need full access?  What kind of reponse are you getting without it?
Avatar of rerard

ASKER

It's been a while but I believe we were getting a 401.

I found on a forum that the search creates a temporary folder in the mailbox.
I'd be surprised if it did something as big as that.  But not completely.  Do you still know where the forum post can be found?

But a 401 is fairly conclusive.  There are several types of 401 (IP address restriction, unknown mime type, scripting handler not installed on the server), but to get a 401 when the same code works with full access does seem to point to permissions.

If you are thinking that it is a lot of work to give the account full access to each mailbox individually, there is probably a simpler way of doing it.

You also need to be sure of where you are directing the searches to.  If the account only has permissions on a particular folder, you will not, of course, be able to access items in the mailbox root, or even list the folders.
Avatar of rerard

ASKER

This is the post:

http://forums.msexchange.org/m_1800541603/mpage_1/key_/tm.htm#1800541603

The work associated with setting up the permissions is not the issue.  The problem is that our application reports on email activity, and from a layman standpoint should only need read-only.  So sometimes a client will make a big deal about giving us full access ( I don't blame them ).
ASKER CERTIFIED SOLUTION
Avatar of LeeDerbyshire
LeeDerbyshire
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of rerard

ASKER

We deal with 2003, 2007, and 2010.  So we have to support both WebDav and EWS.  It seems so far to be a bigger issue with Webdav but unfortunately that is the only option for 2003.  
Did you try asking the question in the MS Exchange Technet developers forum?  There aren't many Exchange coders here on EE.