Recently I worked on an interesting issue with Project Server 2010 and Exchange integration.

The customer has three Exchange CAS servers (two Exchange 2010 servers and one Exchange 2007 server).

We followed Configure Project Server 2010 to work with Exchange Server 2010 and Configure Project Server 2010 to work with Exchange Server 2007 R2.

But we were still getting the following impersonation errors in the event log.

PSError: GeneralExchangeSyncError (40500) System.Web.Services.Protocols.SoapException: The account does not have permission to impersonate the requested user.


After drilling down, we understood that, because of the new RBAC concept in Exchange Server 2010, we first need to use the New-ManagementRoleAssignment Exchange Management Shell cmdlet to assign the ApplicationImpersonation role to users in the organization. (Only in the case of Exchange 2010.)

To configure Exchange Impersonation for all users in an organization


  1. Open the Exchange Management Shell.

  2. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate to the specified user. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all other users in an organization.

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount

 

To configure Exchange Impersonation for specific users or groups of users


  1. Open the Exchange Management Shell.

  2. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. The following example shows how to create a management scope for a specific group.

New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter

  3. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all users in a scope.

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName

The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use properties of the Identity object to create the filter. The following example is a filter that restricts the result to a single user with the user name "John."

Name -eq 'John'

Taken from Configuring Exchange Impersonation

Once that was done, we followed our Configure Project Server 2010 to work with Exchange Server 2010 article. But according to that document:

At the prompt, type the following command:

Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity <AppPoolAccount> | select-object).identity -extendedRights ms-Exch-EPI-Impersonation

<AppPoolAccount> is the application pool account for the Project Server service application noted in the previous procedure.

This would probably work fine in an environment with one Exchange server, but in the event you have more than one Exchange server the “Get-ExchangeServer” cmdlet would return an array of servers, causing the command to fail with “Cannot bind argument to parameter ‘Identity’ because it is null.”


To fix this, the command has to be run against every server running the Client Access role. One way of doing this is to use the following PowerShell commands in the EMS:

$CAS = get-exchangeserver | where { $_.ServerRole -match "ClientAccess" }

$CAS | foreach-object {Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity DOMAIN\AppPoolAccount | select-object).identity -extendedRights ms-Exch-EPI-Impersonation}


Then we executed the second command to configure the Exchange user.

At the prompt, type the following command:

Add-ADPermission -Identity "<ProjUser>" -User <FarmAdministrator> -extendedRights ms-Exch-EPI-May-Impersonate

<ProjUser> is the name of the Project Server user whom you are configuring, and <FarmAdministrator> is the SharePoint Server farm administrator account.


After that, we were able to integrate Project Server 2010 with Exchange Server 2010/2007 without any errors, and we were able to pull tasks in Outlook and update the assignments from Outlook to Project Server 2010.

So, in a nutshell, just remember to use the New-ManagementRoleAssignment Exchange Management Shell cmdlet to assign the ApplicationImpersonation role to users in the organization. (Only in the case of Exchange 2010.)

And in the case of multiple Exchange CAS servers, use the above script to get around the “Cannot bind argument to parameter ‘Identity’ because it is null.” error.
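
One way to verify both settings afterwards, as an added example that is not part of the original post: it lists the ApplicationImpersonation role assignments with their scope, then checks every Client Access server for the ms-Exch-EPI-Impersonation right. DOMAIN\AppPoolAccount is a placeholder for the Project Server application pool account.

```powershell
# Added example: run in the Exchange Management Shell.
# Placeholder: replace with the Project Server application pool account.
$ServiceAccount = 'DOMAIN\AppPoolAccount'

# 1. RBAC (Exchange 2010): who holds ApplicationImpersonation, and is it scoped?
#    An assignment without a CustomRecipientWriteScope is flagged as Unscoped.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, Enabled,
        RecipientWriteScope, CustomRecipientWriteScope,
        @{ Name = 'Unscoped'; Expression = { -not $_.CustomRecipientWriteScope } } |
    Format-Table -AutoSize

# 2. AD extended right: confirm the loop reached every Client Access server.
$cas = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'ClientAccess' }

$report = foreach ($server in $cas) {
    # Allow entries on this server object that grant the right to the account.
    $ace = Get-ADPermission -Identity $server.DistinguishedName |
        Where-Object {
            $_.User -like $ServiceAccount -and
            $_.ExtendedRights -like 'ms-Exch-EPI-Impersonation' -and
            -not $_.Deny
        }

    New-Object PSObject -Property @{
        Server  = $server.Name
        Granted = [bool]$ace
    }
}

$report | Format-Table Server, Granted -AutoSize

# Call out any Client Access server the permission did not reach.
$report | Where-Object { -not $_.Granted } | ForEach-Object {
    Write-Warning "ms-Exch-EPI-Impersonation is not granted to $ServiceAccount on $($_.Server)"
}
```

An assignment flagged as Unscoped lets the service account impersonate every mailbox in the organization; the New-ManagementScope procedure above narrows that to the users who actually need the integration.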