I'm developing an intranet site that will use in on-premise. In corporate, users can use this site like OWA they can see their inbox, send mails etc. To achive this I use EWS Managed Api 2.2 to connect Exchange Server (2010_sp1).I am developing with ASPNet MVC 5. I am developing on my computer with IIS 10.0 installed.While I'm developing with IISExpress, there were no problem to connect with default credentials >
ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010_SP1);
service.UseDefaultCredentials = true;
I understand that, this is because IIS Express use my credentials as default credentials so there were no error to connect service. But when I run this code with IIS on my computer(with my credentials in Application Pool Identity, using ASPNet Impersonation enabled, Windows Authentication enabled and NEGOTIATE/NTML providers) identities load correct
HttpContext.User.Identity.Name > xxx\billgates
WindowsIdentity.GetCurrent().Name> xxx\billgates
but Exchange service returns in trace these >
<Trace Tag="EwsRequestHttpHeaders" Tid="29" Time="2017-01-02 08:03:04Z">
POST /EWS/Exchange.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml
User-Agent: ExchangeServicesClient/15.00.0913.015
Accept-Encoding: gzip,deflate
</Trace>
<Trace Tag="EwsRequest" Tid="29" Time="2017-01-02 08:03:04Z" Version="15.00.0913.015">
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<t:RequestServerVersion Version="Exchange2010_SP1" />
</soap:Header>
<soap:Body>
<m:GetFolder>
<m:FolderShape>
<t:BaseShape>AllProperties</t:BaseShape>
</m:FolderShape>
<m:FolderIds>
<t:DistinguishedFolderId Id="inbox" />
</m:FolderIds>
</m:GetFolder>
</soap:Body>
</soap:Envelope>
</Trace>
<Trace Tag="EwsResponseHttpHeaders" Tid="29" Time="2017-01-02 08:03:04Z">
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate,NTLM
X-Powered-By: ASP.NET
Date: Mon, 02 Jan 2017 08:03:04 GMT
Content-Length: 0
</Trace>
When I use EWEditor(https://ewseditor.codeplex.com/) I saw there is no error with connect with default credentials and when run klist in powershell there are kerberos tickes like>
Server: krbtgt/[email protected] KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 1/2/2017 21:35:37 Renew Time: 1/9/2017 11:35:37
Server: krbtgt/[email protected] KerbTicket Encryption Type: Unknown (18) End Time: 1/2/2017 21:35:37 Renew Time: 1/9/2017 11:35:37
Server: HTTP/[email protected] KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 1/2/2017 21:35:37 Renew Time: 1/9/2017 11:35:37
Server: HTTP/[email protected] KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 1/2/2017 21:35:37 Renew Time: 1/9/2017 11:35:37
Server: HTTP/[email protected] KerbTicket Encryption Type: Unknown (18) End Time: 1/2/2017 21:35:37 Renew Time: 1/9/2017 11:35:37
Server: ldap/[email protected] KerbTicket Encryption Type: Unknown (18) End Time: 1/2/2017 21:35:37 Renew Time: 1/9/2017 11:35:37
with these tickets I assume that kerberos works, my first question is that am I right?Can I be sure that these tickets guarantee that keberos works with client access servers?
While search for this problem I saw that this problem very like double hop problem like this blog says>https://blogs.msdn.microsoft.com/dhruvkh/2012/04/15/the-double-hop-dogma/ .Actually my problem is exactly like this post. Like this post recommends I use my account as service account and add SPNS to my account and write that in Application Pool Identity in IIS
SPNs that I used
http/autodiscover.xxxxxx.xxx.xx
http/posta.xxxxxx.xxx.xx
NOTE : I am sure these SPNs not used.
After add spns I also check "Trust this computer for delegation to any service (Kerberos only)." in Delegation tab of my user account.
My other question is that like post suggest on 3. step https://technet.microsoft.com/en-us/library/ff808312(v=exchg.141).aspx should I create an Alternate Service Account instead of using my account?If I have to use ASA,should I add Alternate Service Account Credentials in IIS Application Pool Identity?
Thanks for helping.
I have been troubleshooting the same thing for a long time. Take a look at this (Unable to authenticate to ASP.NET Web Api service with HttpClient). I have modified the Aspnet.config file to no avail. From what I have read so far, it looks like System.Net.HttpWebRequest.GetResponse() is on a new thread and the impersonated credentials aren't transferred to the new object. I have set IIS authentication provider to negotiate:kerberos to make sure that delegation should/can happen.
Depending on your configuration i.e. IIS is sitting behind load balancers and a firewall, you might need a custom service account e.g. mydomain\my_service_account which will need a SPN http/my.webserver.com. However, I have this set up and it hasn't been the secret sauce that makes this work. I'm starting to think that the only way this can work is by setting up impersonation on an exchange account (https://msdn.microsoft.com/en-us/library/office/dn722376(v=exchg.150).aspx). Under this plan you would call something like below when you setup the service. If the service account on IIS doesn't have the right to impersonate on the Exchange server this won't work either. Also you need to pass the identity of the service account not that of the impersonated user.
I hope that someone can provide a much better answer than this. Below is what I'm currently seeing in my trace.
9: <Trace Tag="EwsResponseHttpHeaders" Tid="38" Time="2017-01-20 20:59:29Z"> HTTP/1.1 401 Unauthorized Server: Microsoft-IIS/7.5 WWW-Authenticate: Negotiate,NTLM X-Powered-By: ASP.NET Date: Fri, 20 Jan 2017 20:59:29 GMT Content-Length: 0
</Trace>
10: GetUnreadMail ee: Microsoft.Exchange.WebServices.Data.ServiceRequestException: The request failed. The remote server returned an error: (401) Unauthorized. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at Microsoft.Exchange.WebServices.Data.EwsHttpWebRequest.Microsoft.Exchange.WebServices.Data.IEwsHttpWebRequest.GetResponse() at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request) --- End of inner exception stack trace --- at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request) at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ValidateAndEmitRequest(IEwsHttpWebRequest& request) at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute() at Microsoft.Exchange.WebServices.Data.ExchangeService.FindItems(FolderId parentFolderId, SearchFilter searchFilter, ViewBase view) at Microsoft.Exchange.WebServices.Data.ExchangeService.FindItems(WellKnownFolderName parentFolderName, SearchFilter searchFilter, ViewBase view) at QDoc.Helpers.ExchangeHelper.GetUnreadMail(ExchangeParam ExchangeQueryParam, MailItemList ExchangeResults, String myDomain) in c:\Inet\QDoc\QDoc\Helpers\ExchangeHelper.cs:line 186