Solved

Why is full access required for webdav calls?

Posted on 2011-03-10
7
513 Views
Last Modified: 2013-12-06
Can anyone shed some light on permissions required for a service account to access mailboxes in Exchange using either WebDav or EWS?

We have an application which needs to read mailboxes using a service account and the only combination which seems to work is to allow "FullAccess" at the Mailbox level to the AD Account we are using to connect via WebDav or EWS.

Apparently there is no way to do a ReadOnly access via WebDav or EWS?

I have read on several forums that this is just the way it is, I'm fine with that but does anyone know why?  If I could give clients a good explanation or even point them to some official documentation from M$ that would be much better than them just having to take my word for it.

0
Comment
Question by:rerard
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 35109736
This is a bit of a guess (I've done lots of WebDAV coding, but never for a service account, so I have never encountered the full access requirement), but it may be because even when you are just reading something, this occasionally results in a change within the mailbox.  For instance, getting an email could result in it being marked as Read.  Or, some server-side rules may be invoked.  But, like I say, this is just a guess.

Are you sure that your service account really does need full access?  What kind of reponse are you getting without it?
0
 
LVL 1

Author Comment

by:rerard
ID: 35110640
It's been a while but I believe we were getting a 401.

I found on a forum that the search creates a temporary folder in the mailbox.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 35111570
I'd be surprised if it did something as big as that.  But not completely.  Do you still know where the forum post can be found?

But a 401 is fairly conclusive.  There are several types of 401 (IP address restriction, unknown mime type, scripting handler not installed on the server), but to get a 401 when the same code works with full access does seem to point to permissions.

If you are thinking that it is a lot of work to give the account full access to each mailbox individually, there is probably a simpler way of doing it.

You also need to be sure of where you are directing the searches to.  If the account only has permissions on a particular folder, you will not, of course, be able to access items in the mailbox root, or even list the folders.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 1

Author Comment

by:rerard
ID: 35111661
This is the post:

http://forums.msexchange.org/m_1800541603/mpage_1/key_/tm.htm#1800541603

The work associated with setting up the permissions is not the issue.  The problem is that our application reports on email activity, and from a layman standpoint should only need read-only.  So sometimes a client will make a big deal about giving us full access ( I don't blame them ).
0
 
LVL 31

Accepted Solution

by:
LeeDerbyshire earned 500 total points
ID: 35128563
Since you are asking about both WebDAV and EWS, i assume you are working with Exchange 2007?
This article suggests that you can use delegate access (which is rather more than read-only, but not full access), but does not say whether or not there is such a thing a read-only access:
http://msdn.microsoft.com/en-us/library/bb655860(v=exchg.80).aspx
0
 
LVL 1

Author Comment

by:rerard
ID: 35129727
We deal with 2003, 2007, and 2010.  So we have to support both WebDav and EWS.  It seems so far to be a bigger issue with Webdav but unfortunately that is the only option for 2003.  
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 35130140
Did you try asking the question in the MS Exchange Technet developers forum?  There aren't many Exchange coders here on EE.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question