"The account does not have permission to impersonate the requested user" error

Copper Contributor

Hi,

Last week we're started to get "The account does not have permission to impersonate the requested user' error on the customer accounts that were working perfectly up to last week.

When, for example customer with 100 accounts that impersonated by 1 service account, we see each day errors for different impersonated accounts. 

Talking with support on behalf of the customer didn't provided any help. Their answers as usual.

While doing more research we're found that if doing 2 accounts impersonating in parallel (even from different servers) we get this error, and when doing 2 or even more accounts impersonating serial, everything is working fine.

I'm afraid that MS has a bug in their permissions checking mechanism while trying to impersonate more than 1 account in parallel.

MS Exchange engineers, can you please check this ? Your customer supports is lacks of willing to assist. 

Thanks

7 Replies
Not sure if this is a bug or you have hit a limit in terms of the number of impersonations that are possible for a specific account. I also recommend to open a support ticket explaining this problem because I think the Exchange Online Team might not see this thread

Well, if 2 accounts in parallel is hitting the limit :) than it's very sad.

There's a ticket within MS Support, but seems to be totally useless.

@SlavaGDid you ever find out why this happend or even resolved this? Currently we have the same problem for one customer using O365 Exchange, but we've got no clue why some users can be impersonated and some cannot. There are no management scopes set limiting the impersonated users on the impersonation role.

@alex3683 Hi,

Please check those accounts that can't be impersonated, most likely they're unlicensed.
This was a reason in our case.

@alex3683 We had exactly the same problem. The solution was to use the X-AnchorMailbox header. More information is here: 

https://blogs.msdn.microsoft.com/webdav_101/2015/05/11/best-practices-ews-authentication-and-access-...

 

"When EWS Impersonation is used the X-AnchorMailbox always should be correctly set.  Without doing so you may get 500 or 503 errors at times. It is critical for performance and also for notifications with Exchange Online/Exchange 2013.  Not setting it can double or more the time it takes to complete the call. In some cases you can also get timeouts.  The rule is to always set this header when using impersonation - this will make your EWS Impersonated code from Exchange 2007 work better with Exchange 2013."

@stevereinhold  @SlavaG Thanks for your replies. I'll try your solutions and let you (and further visitors) know if that worked out.

@stevereinhold @SlavaG Thank you both for your help. In the end it was really the missing X-AnchorMailbox header that resolved the issue for us. A pity that this isn't set by default in the EWS API when using impersonation with an email address.