Solved

Why is full access required for webdav calls?

Posted on 2011-03-10
7
505 Views
Last Modified: 2013-12-06
Can anyone shed some light on permissions required for a service account to access mailboxes in Exchange using either WebDav or EWS?

We have an application which needs to read mailboxes using a service account and the only combination which seems to work is to allow "FullAccess" at the Mailbox level to the AD Account we are using to connect via WebDav or EWS.

Apparently there is no way to do a ReadOnly access via WebDav or EWS?

I have read on several forums that this is just the way it is, I'm fine with that but does anyone know why?  If I could give clients a good explanation or even point them to some official documentation from M$ that would be much better than them just having to take my word for it.

0
Comment
Question by:rerard
  • 4
  • 3
7 Comments
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 35109736
This is a bit of a guess (I've done lots of WebDAV coding, but never for a service account, so I have never encountered the full access requirement), but it may be because even when you are just reading something, this occasionally results in a change within the mailbox.  For instance, getting an email could result in it being marked as Read.  Or, some server-side rules may be invoked.  But, like I say, this is just a guess.

Are you sure that your service account really does need full access?  What kind of reponse are you getting without it?
0
 
LVL 1

Author Comment

by:rerard
ID: 35110640
It's been a while but I believe we were getting a 401.

I found on a forum that the search creates a temporary folder in the mailbox.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 35111570
I'd be surprised if it did something as big as that.  But not completely.  Do you still know where the forum post can be found?

But a 401 is fairly conclusive.  There are several types of 401 (IP address restriction, unknown mime type, scripting handler not installed on the server), but to get a 401 when the same code works with full access does seem to point to permissions.

If you are thinking that it is a lot of work to give the account full access to each mailbox individually, there is probably a simpler way of doing it.

You also need to be sure of where you are directing the searches to.  If the account only has permissions on a particular folder, you will not, of course, be able to access items in the mailbox root, or even list the folders.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:rerard
ID: 35111661
This is the post:

http://forums.msexchange.org/m_1800541603/mpage_1/key_/tm.htm#1800541603

The work associated with setting up the permissions is not the issue.  The problem is that our application reports on email activity, and from a layman standpoint should only need read-only.  So sometimes a client will make a big deal about giving us full access ( I don't blame them ).
0
 
LVL 31

Accepted Solution

by:
LeeDerbyshire earned 500 total points
ID: 35128563
Since you are asking about both WebDAV and EWS, i assume you are working with Exchange 2007?
This article suggests that you can use delegate access (which is rather more than read-only, but not full access), but does not say whether or not there is such a thing a read-only access:
http://msdn.microsoft.com/en-us/library/bb655860(v=exchg.80).aspx
0
 
LVL 1

Author Comment

by:rerard
ID: 35129727
We deal with 2003, 2007, and 2010.  So we have to support both WebDav and EWS.  It seems so far to be a bigger issue with Webdav but unfortunately that is the only option for 2003.  
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 35130140
Did you try asking the question in the MS Exchange Technet developers forum?  There aren't many Exchange coders here on EE.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now