Configure Exchange Server 2010 Impersonation
Published: June 24, 2010
This article describes how to configure Exchange Server Impersonation when you configure the integration of Microsoft Project Server 2010 in a Microsoft Exchange Server 2010 environment that has more than one computer that is running Exchange Server.
Configuring Exchange Impersonation resolves the following event log error:
PSError: GeneralExchangeSyncError (40500) System.Web.Services.Protocols.SoapException: The account does not have permission to impersonate the requested user.
In order to perform these procedures, you must be a member of the Project Server and Exchange Server administrator groups on the local computer.
The procedures and Windows PowerShell commands in this article assume that you are using Exchange Server 2010.
Exchange Synchronization to Project Server does not work on a Project Server 2010 deployment configured to use claims authentication.
Configure Exchange Impersonation for all users in an organization
Because Microsoft Exchange Server 2010 uses the Role Based Access Control permissions model, you must first assign the ApplicationImpersonation role to Project Server users in the organization by using the New-ManagementRoleAssignment command in the Exchange Management Shell.
To configure Exchange Impersonation for all users in an organization
Open the Exchange Management Shell.
Run the New-ManagementRoleAssignment command to add the permission to impersonate the specified user. The following example details how to configure Exchange Impersonation to enable a service account to impersonate all other users in an organization.
New-ManagementRoleAssignment -Name <impersonationAssignmentName> -Role ApplicationImpersonation -User <serviceAccount>
Each Exchange Client Access Server (CAS) role in an Exchange Server farm needs a user account in Microsoft Project Web App (PWA). This account allows Exchange to call the Project Server Exchange Web service when there are task updates that have to be synchronized. Perform the following procedure for each Exchange Client Access server.
Configure Exchange Impersonation for specific users or groups of users
Whether because of policy or because of the size of the Exchange Server deployment, you might have to configure Exchange Server impersonation only for specific users or groups. You can do this by creating a new management scope for the Exchange Role Based Access Control permissions.
To configure Exchange Impersonation for specific users or groups of users
Open the Exchange Management Shell.
Run the New-ManagementScope command to create a scope to which the impersonation role can be assigned.
The following example shows how to create a management scope for a specific group.
New-ManagementScope -Name <scopeName> -RecipientRestrictionFilter <recipientFilter>
Run the New-ManagementRoleAssignment command to add the permission to impersonate the members of the specified scope. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all users in a scope.
New-ManagementRoleAssignment -Name <impersonationAssignmentName> -Role ApplicationImpersonation -User <serviceAccount> -CustomRecipientWriteScope <scopeName>
The RecipientRestrictionFilter parameter of the New-ManagementScope command defines the members of the scope. You can use properties of the identity object to create the filter.
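The following Exchange Management Shell script is an added example, not part of the original article. It carries the scoped procedure above through end to end with constructed values (the scope name, the Department value and the service account are assumptions for illustration), previews which recipients the filter actually matches before the role is assigned, and finishes by listing every ApplicationImpersonation assignment in the organization so that an unscoped (organization-wide) assignment does not go unnoticed.

```powershell
# Added example: scoped Exchange Impersonation for a Project Server service account.
# All names below are constructed placeholders; replace them with your own values.
$scopeName      = "ProjectServerSyncUsers"
$assignmentName = "ProjectServerImpersonation"
$serviceAccount = "contoso\svc-projectsync"

# Filter by a recipient property; here the Department attribute is the assumed selector.
$recipientFilter = { Department -eq "Project Management Office" }

# Preview which recipients the filter matches BEFORE granting any permission.
# Get-Recipient accepts the same filter syntax via -RecipientPreviewFilter.
$matches = Get-Recipient -RecipientPreviewFilter $recipientFilter -ResultSize Unlimited
Write-Host ("Filter matches {0} recipient(s)" -f @($matches).Count)
if (@($matches).Count -eq 0) {
    throw "Filter matches no recipients; check the Department value before continuing."
}

# Create the management scope that limits whom the service account may impersonate.
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $recipientFilter

# Assign ApplicationImpersonation restricted to that scope (least privilege).
New-ManagementRoleAssignment -Name $assignmentName `
    -Role ApplicationImpersonation `
    -User $serviceAccount `
    -CustomRecipientWriteScope $scopeName

# Verify: the assignment should show the custom scope, not the default Organization scope.
Get-ManagementRoleAssignment -RoleAssignee $serviceAccount -Role ApplicationImpersonation |
    Format-List Name, Role, RoleAssignee, CustomRecipientWriteScope, RecipientWriteScope

# Audit: list every ApplicationImpersonation assignment; any entry whose
# RecipientWriteScope is "Organization" can impersonate every mailbox.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object Name, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize
```

Re-run the final audit query periodically; the scoped assignment created here is only as narrow as the filter, so widen the filter deliberately rather than falling back to an organization-wide assignment when synchronization fails for a user outside the scope.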
After impersonation permissions have been established, the user who has impersonation permissions can make calls against the other user's account. For information about how to use Exchange Impersonation in an Exchange Web Services request, see Configuring Exchange Impersonation (http://go.microsoft.com/fwlink/p/?LinkId=195376) in the MSDN Library Online.