EWS Impersonation in Hybrid Environment - Cant find user in Office365

I have some Code on our Intranet that Syncs Employee contacts with the Users Outlook Contacts.

The code has been working great for On-Premise users for years. I am testing the Migration of users to O365. When The user used the code below while still residing in the On-Premise server it works great.  After the Migration the code fails with 'Object reference not set to an instance of an object.' Though I'm still working with the WebTeam on what line the Error is coming from.

When using EWS what is the Flow for how it knows where the mailbox resides?  It would be great if there was Minimal Change to the Code.

I have converted other code that accesses the Office 365 Server Directly through EWS, though I would assume it would have an issue finding an On-Premise Mailbox.

Thanks,
  Scott<-

        Private Const ExchangeURL As String = "https://On-PremiseServer/EWS/Exchange.asmx"
        Private Const ExchangeUserName As String = "UserWithImpersonationRights"
        Private Const ExchangePassword As String = "UserPassword"
        Private Const ExchangeDomain As String = "AD-Domain"



        Private Function GetEWSConnection(ByVal UserEmailAddress As String) As ExchangeService
            Static EWS As ExchangeService = Nothing
            Static LastUserEmailAddress As String = String.Empty
            If UserEmailAddress <> LastUserEmailAddress Then EWS = Nothing
            If EWS Is Nothing Then
                EWS = New ExchangeService(ExchangeVersion.Exchange2010_SP1)

                '**********************************************************************************************
                'Dim listener As New ExchangeTraceListener
                'EWS.TraceListener = listener
                'EWS.TraceFlags = TraceFlags.EwsRequest Or TraceFlags.EwsResponse Or TraceFlags.DebugMessage
                'EWS.TraceEnabled = True
                '**********************************************************************************************

                EWS.Credentials = New WebCredentials(ExchangeUserName, ExchangePassword, ExchangeDomain)
                EWS.Url = New Uri(ExchangeURL)
                ServicePointManager.ServerCertificateValidationCallback = AddressOf CertificateValidationCallback
                EWS.ImpersonatedUserId = New ImpersonatedUserId(ConnectingIdType.SmtpAddress, UserEmailAddress)
            End If
            Return EWS
        End Function



        Private Shared Function CertificateValidationCallback(sender As Object, certificate As X509Certificate, chain As X509Chain, sslPolicyErrors As SslPolicyErrors) As Boolean
            If sslPolicyErrors = Security.SslPolicyErrors.None Then
                Return True
            End If
            Return False
        End Function

Open in new window

LVL 3
Scott TownsendIT DirectorAsked:
Who is Participating?
 
Sunil ChauhanConnect With a Mentor Expertise in Exchange Server, Office 365 & Powershell ScriptingCommented:
try using autodiscovery method to get the EWS URL that way it will automatically connect to 365 if the user mailbox is migrated.
0
 
Scott TownsendConnect With a Mentor IT DirectorAuthor Commented:
I have AutoDiscovery working, thank you.

Now when I try and impersonate a Office 365 User I get an Error.
{"The account does not have permission to impersonate the requested user."}

I have Added the user I'm connecting as the ApplicationImpersonation Role on the Office 365 Server using EAC from:
https://www.codetwo.com/kb/how-to-set-impersonation-rights-manually/

and via Powershell from:
https://help.bittitan.com/hc/en-us/articles/115008098447-The-account-does-not-have-permission-to-impersonate-the-requested-user

If I impersonate an On-Premise User it connects fine. Its only with users that I have already Migrated to Office 365.
0
 
Sunil ChauhanExpertise in Exchange Server, Office 365 & Powershell ScriptingCommented:
make sure when its identified that the user is O365, then your o365 admin account with application impersonation rights is passed to EWS service for authentication.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Scott TownsendIT DirectorAuthor Commented:
I think I was impatient. After doing both of the above, I tried my code and it was saying I still didn't have Impersonation rights.   Asked a co-worker to look at my code 10 minutes later to show him the issue and where it was failing and it didn't fail. So it must of taken some time to replication the permissions to whichever server that EWS was connecting to.

Thank you!
0
 
Scott TownsendIT DirectorAuthor Commented:
After using AutoDiscovery and setting the impersonation permissions I was good to go...
0
 
Scott TownsendIT DirectorAuthor Commented:
For anyone interested here is my Sample code to read the subject of the first item in a mailbox that is either hosted or on-premise.

Option Strict On
Option Explicit On


Imports System.Net
Imports System.Net.Security
Imports System.Security.Cryptography.X509Certificates
Imports Microsoft.Exchange.WebServices.Data
Imports Microsoft.Exchange.WebServices.Autodiscover
Imports System.Xml


Public Class Form1
    Private EWS As ExchangeService = Nothing

    Private Const strO365ADURL As String = "https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml"
    Private Const strOPADURL As String = "https://<yourOn-PremMailServer>.com/autodiscover/autodiscover.xml"

    Private Sub SetupEWS()
        'Clear out the URL and Status
        tbEWSURL.Text = ""
        tbConnectionStatus.Text = ""

        ' Set the Version of Exchange to the ON-PRemise Server version
        EWS = New ExchangeService(ExchangeVersion.Exchange2010_SP2)
        'Set our User Credentials
        EWS.Credentials = New WebCredentials(tbEWSUserName.Text, tbEWSPassword.Text)
        'Use AutoDiscover to find the Connection URL for the mailbox we are looking at accessing. 
        tbConnectionStatus.Text = "Attempting Audiscover for user:" + tbEWSImpersonationUser.Text.ToString
        tbEWSURL.Text = ""
        Cursor = Cursors.WaitCursor
        Try
            EWS.AutodiscoverUrl(tbEWSImpersonationUser.Text, AddressOf AutoDiscoverURLValidationCallback)
            Cursor = Cursors.Default
            tbEWSURL.Text = EWS.Url.ToString
            'If there is some funniness with the SSL on the Connection Set our CertificateValidationCallback, We dont care about Warnings vs Errors.
            ServicePointManager.ServerCertificateValidationCallback = AddressOf CertificateValidationCallback
            'Let the EWS Connection know we want to access someone elses mailbox
            EWS.ImpersonatedUserId = New ImpersonatedUserId(ConnectingIdType.SmtpAddress, tbEWSImpersonationUser.Text)

        Catch ex As Exception When TypeOf ex Is AutodiscoverRemoteException OrElse TypeOf ex Is AutodiscoverLocalException
            Dim strErrorMessage As String = ""
            If ex.GetType = GetType(AutodiscoverRemoteException) Then
                'Handle exception type AutodiscoverRemoteException
                strErrorMessage = DirectCast(ex, AutodiscoverRemoteException).Error.Message
            ElseIf ex.GetType = GetType(AutodiscoverLocalException) Then
                'Handle exception type AutodiscoverLocalException
                strErrorMessage = DirectCast(ex, AutodiscoverLocalException).Message + " Could Not Connect to AutoDiscover URL!"
            End If


            'MsgBox("Exception thrown: " + strErrorMessage, MsgBoxStyle.Exclamation, "Autodiscover service Error")
            tbConnectionStatus.Text = strErrorMessage
            tbEWSURL.Text = ""
            Cursor = Cursors.Default
        End Try

    End Sub
    ' See if there was just a SSL Warning vs an Error. If only a Warning (Self Signed)  and no Errors then return True
    Private Shared Function CertificateValidationCallback(sender As Object, certificate As X509Certificate, chain As X509Chain, sslPolicyErrors As SslPolicyErrors) As Boolean
        Dim bSSLNoError As Boolean = False
        If sslPolicyErrors = Security.SslPolicyErrors.None Then
            bSSLNoError = True
        End If
        Return bSSLNoError
    End Function

    ' Be sure we are talking to whom we think we should be asking for the EWS URL
    ' We should get an O365 URL or a On-Premise URL
    Private Shared Function AutoDiscoverURLValidationCallback(url As String) As Boolean
        Dim bURLOk As Boolean = False
        If url.ToLower().StartsWith(strO365ADURL) Or url.ToLower().StartsWith(strOPADURL) Then
            bURLOk = True
        End If
        Return bURLOk
    End Function

    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        SetupEWS()

    End Sub

    Private Sub btnGetEmail_Click(sender As Object, e As EventArgs) Handles btnGetEmail.Click

        Dim inboxItems As FindItemsResults(Of Item)
        ' Create a view with a page size of 1.
        Dim view As New ItemView(1)
        view.PageSize = 1
        'Identify the Subject and DateTimeReceived properties to return.
        'Indicate that the base property will be the item identifier
        view.PropertySet = (New PropertySet(BasePropertySet.IdOnly, ItemSchema.Subject))

        ' Send the request to search the Inbox and get the results.
        inboxItems = EWS.FindItems(WellKnownFolderName.Inbox, view)

        ' Process each item.
        For Each item As Item In inboxItems.Items
            If TypeOf item Is EmailMessage Then
                tbEmailSubject.Text = TryCast(item, EmailMessage).Subject.ToString
            Else
                ' Else handle other item types.
            End If
        Next
    End Sub
End Class

Open in new window

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.