FYI: Exchange Management Shell Blocks Calls Made With Impersonated Credentials

  • Comments 2

We are working to get official public documentation on this subject, I will update this post once we get a KB published...

When you try to execute Exchange Powershell cmdlets from an application which is impersonating a user.  You get the following error:

"Access to the address list service on all Exchange 2007 servers has been denied"

Exchange Management Shell currently (Exchagen 2007 RTM) actively blocks calls made with impersonated credentails.

This is typically seen in an ASP.NET application which impersonates the client's user credentials and attempts call an Exchange Powershell cmdlet such as New-Mailbox.

You will need to execute Exchange cmdlets inside another process running with evelated permissions.  You can use COM+ or .NET Remoting to accomplish this.

Understanding Enterprise Services (COM+) in .NET

.NET Framework Remoting Overview

More Information
This is very similar to limitations with CDOEXM and impersonation in Exchange 2000 and 2003.  As seen in the following KB article:

Recommendations for using Exchange system management features through a Web interface that uses CDO for Exchange Management

This works now, Dan has the update

Page 1 of 1 (2 items)