• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 517
  • Last Modified:

Why is full access required for webdav calls?

Can anyone shed some light on permissions required for a service account to access mailboxes in Exchange using either WebDav or EWS?

We have an application which needs to read mailboxes using a service account and the only combination which seems to work is to allow "FullAccess" at the Mailbox level to the AD Account we are using to connect via WebDav or EWS.

Apparently there is no way to do a ReadOnly access via WebDav or EWS?

I have read on several forums that this is just the way it is, I'm fine with that but does anyone know why?  If I could give clients a good explanation or even point them to some official documentation from M$ that would be much better than them just having to take my word for it.

0
rerard
Asked:
rerard
  • 4
  • 3
1 Solution
 
LeeDerbyshireCommented:
This is a bit of a guess (I've done lots of WebDAV coding, but never for a service account, so I have never encountered the full access requirement), but it may be because even when you are just reading something, this occasionally results in a change within the mailbox.  For instance, getting an email could result in it being marked as Read.  Or, some server-side rules may be invoked.  But, like I say, this is just a guess.

Are you sure that your service account really does need full access?  What kind of reponse are you getting without it?
0
 
rerardAuthor Commented:
It's been a while but I believe we were getting a 401.

I found on a forum that the search creates a temporary folder in the mailbox.
0
 
LeeDerbyshireCommented:
I'd be surprised if it did something as big as that.  But not completely.  Do you still know where the forum post can be found?

But a 401 is fairly conclusive.  There are several types of 401 (IP address restriction, unknown mime type, scripting handler not installed on the server), but to get a 401 when the same code works with full access does seem to point to permissions.

If you are thinking that it is a lot of work to give the account full access to each mailbox individually, there is probably a simpler way of doing it.

You also need to be sure of where you are directing the searches to.  If the account only has permissions on a particular folder, you will not, of course, be able to access items in the mailbox root, or even list the folders.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
rerardAuthor Commented:
This is the post:

http://forums.msexchange.org/m_1800541603/mpage_1/key_/tm.htm#1800541603

The work associated with setting up the permissions is not the issue.  The problem is that our application reports on email activity, and from a layman standpoint should only need read-only.  So sometimes a client will make a big deal about giving us full access ( I don't blame them ).
0
 
LeeDerbyshireCommented:
Since you are asking about both WebDAV and EWS, i assume you are working with Exchange 2007?
This article suggests that you can use delegate access (which is rather more than read-only, but not full access), but does not say whether or not there is such a thing a read-only access:
http://msdn.microsoft.com/en-us/library/bb655860(v=exchg.80).aspx
0
 
rerardAuthor Commented:
We deal with 2003, 2007, and 2010.  So we have to support both WebDav and EWS.  It seems so far to be a bigger issue with Webdav but unfortunately that is the only option for 2003.  
0
 
LeeDerbyshireCommented:
Did you try asking the question in the MS Exchange Technet developers forum?  There aren't many Exchange coders here on EE.
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now