
Exchange ESA Impersonation

Microsoft Exchange Impersonation configuration greatly depends on how your Exchange server is set up. The steps below will enable you to create the most basic impersonation setup. If you require a more customized configuration, please consult your Exchange administrator.  

General Principles

Parameters

The following six parameters are required when using the Exchange ESA:

  • Microsoft Active Directory host – the server where Exchange is located; it should also host AD (Active Directory).
  • Microsoft Active Directory port – the port used to reach AD, for example 389 (no SSL) or 636 (SSL), or any re-mapped port.
  • MASD user to perform CRUD actions on contacts – a user name without the domain, or a Distinguished Name (DN); all of these formats are tried when connecting, in combination with the provided domain and base DN.
  • MASD domain – the domain the user belongs to.
  • Base DN – the base DN of the AD. To find a base DN:
    • In the Ldp tool, connect to the host.
    • Inspect the tree and note the candidate base DNs.
  • Organizational Unit – the container that holds the People or Contacts. To keep synchronized users distinguishable, place them in their own Organizational Unit; create one if needed.


How to Check Connection to LDAP

Use ldapsearch from the OpenLDAP project to check the connection from Agiloft to LDAP. The examples below connect to LDAP over different ports and with different user formats; Agiloft can use all of these formats. Note that LDAPTLS_REQCERT=allow makes the client accept a server certificate it cannot verify, and -w puts the password on the command line where it is visible in the shell history and the process list; both are acceptable for a one-off connectivity test but should not be carried into the production configuration (use -W to be prompted for the password instead).

LDAP Connection
user@userhome ~ $ LDAPTLS_REQCERT=allow ldapsearch -H "ldap://xwin.home.local:389" -D "Administrator" -w xxx -b "dc=home,dc=local" -s sub "(mail=Administrator@home.local)" mail
# extended LDIF
#
# LDAPv3
# base <dc=home,dc=local> with scope subtree
# filter: (mail=Administrator@home.local)
# requesting: mail
#

# Administrator, Users, home.local
dn: CN=Administrator,CN=Users,DC=home,DC=local
mail: Administrator@home.local

# search reference
ref: ldap://ForestDnsZones.home.local/DC=ForestDnsZones,DC=home,DC=local

# search reference
ref: ldap://DomainDnsZones.home.local/DC=DomainDnsZones,DC=home,DC=local

# search reference
ref: ldap://home.local/CN=Configuration,DC=home,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

user@userhome ~ $ LDAPTLS_REQCERT=allow ldapsearch -H "ldaps://xwin.home.local:636" -D "Administrator" -w xxx -b "dc=home,dc=local" -s sub "(mail=Administrator@home.local)" mail
# extended LDIF
#
# LDAPv3
# base <dc=home,dc=local> with scope subtree
# filter: (mail=Administrator@home.local)
# requesting: mail
#

# Administrator, Users, home.local
dn: CN=Administrator,CN=Users,DC=home,DC=local
mail: Administrator@home.local

# search reference
ref: ldaps://ForestDnsZones.home.local/DC=ForestDnsZones,DC=home,DC=local

# search reference
ref: ldaps://DomainDnsZones.home.local/DC=DomainDnsZones,DC=home,DC=local

# search reference
ref: ldaps://home.local/CN=Configuration,DC=home,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

user@userhome ~ $ LDAPTLS_REQCERT=allow ldapsearch -H "ldaps://xwin.home.local:636" -D "Administrator@home.local" -w xxx -b "dc=home,dc=local" -s sub "(mail=Administrator@home.local)" mail
# extended LDIF
#
# LDAPv3
# base <dc=home,dc=local> with scope subtree
# filter: (mail=Administrator@home.local)
# requesting: mail
#

# Administrator, Users, home.local
dn: CN=Administrator,CN=Users,DC=home,DC=local
mail: Administrator@home.local

# search reference
ref: ldaps://ForestDnsZones.home.local/DC=ForestDnsZones,DC=home,DC=local

# search reference
ref: ldaps://DomainDnsZones.home.local/DC=DomainDnsZones,DC=home,DC=local

# search reference
ref: ldaps://home.local/CN=Configuration,DC=home,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

user@userhome ~ $ LDAPTLS_REQCERT=allow ldapsearch -H "ldap://xwin.home.local:389" -D "CN=Administrator,CN=Users,DC=home,DC=local" -w xxx -b "dc=home,dc=local" -s sub "(mail=Administrator@home.local)" mail
# extended LDIF
#
# LDAPv3
# base <dc=home,dc=local> with scope subtree
# filter: (mail=Administrator@home.local)
# requesting: mail
#

# Administrator, Users, home.local
dn: CN=Administrator,CN=Users,DC=home,DC=local
mail: Administrator@home.local

# search reference
ref: ldap://ForestDnsZones.home.local/DC=ForestDnsZones,DC=home,DC=local

# search reference
ref: ldap://DomainDnsZones.home.local/DC=DomainDnsZones,DC=home,DC=local

# search reference
ref: ldap://home.local/CN=Configuration,DC=home,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
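The same check done from PowerShell with the .NET LDAP client, as an added example that is not part of the Agiloft page: it binds with the UPN and full-DN formats used above, confirms the account resolves under the base DN, and verifies that the contacts Organizational Unit exists, while leaving TLS certificate validation on. Function names, parameter names and the sample values in the usage line are assumptions.

```powershell
# Added example (not from the Agiloft page): check the six Exchange ESA parameters against AD
# with the .NET LDAP client. Function and parameter names are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so the user name cannot change the meaning of the search filter
    ($Value -replace '\\', '\5c') -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Connect-EsaLdap([string]$AdHost, [int]$Port, [System.Net.NetworkCredential]$Cred) {
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($AdHost, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $Cred,
                [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    # Do not chase the ForestDnsZones/Configuration referrals seen in the ldapsearch output
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    # A simple bind sends the password in the clear on 389, so prefer 636 (LDAPS). Default
    # certificate validation stays on; do not bypass it the way LDAPTLS_REQCERT=allow does.
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
    $conn.Bind()   # throws LdapException if host, port or credentials are wrong
    return $conn
}

function Find-EsaDn($Conn, [string]$BaseDn, [string]$Filter, [string]$Scope = 'Subtree') {
    $req = [System.DirectoryServices.Protocols.SearchRequest]::new($BaseDn, $Filter,
               [System.DirectoryServices.Protocols.SearchScope]$Scope, [string[]]@('distinguishedName'))
    return @($Conn.SendRequest($req).Entries | ForEach-Object { $_.DistinguishedName })
}

function Test-EsaLdapParameters([string]$AdHost, [int]$Port, [string]$User, [string]$Domain,
                                [string]$BaseDn, [string]$OuDn, [securestring]$Password) {
    $r = [ordered]@{ UpnBind = $false; AccountDn = $null; DnBind = $false; OuExists = $false }
    # Bind format 1: UPN, as "-D Administrator@home.local" in the transcript above
    $c1 = Connect-EsaLdap $AdHost $Port ([System.Net.NetworkCredential]::new("$User@$Domain", $Password))
    $r.UpnBind = $true
    # Resolve the account under the base DN; no hit means the base DN or user is wrong
    $dn = Find-EsaDn $c1 $BaseDn "(sAMAccountName=$(ConvertTo-LdapFilterValue $User))"
    if ($dn.Count -ne 1) { throw "expected one account for '$User' under $BaseDn, found $($dn.Count)" }
    $r.AccountDn = $dn[0]
    # Bind format 2: full DN, as "-D CN=Administrator,CN=Users,DC=home,DC=local"
    $c2 = Connect-EsaLdap $AdHost $Port ([System.Net.NetworkCredential]::new($dn[0], $Password))
    $r.DnBind = $true
    # The OU that will hold the synchronized contacts must exist before the first sync
    $r.OuExists = (Find-EsaDn $c2 $OuDn '(objectClass=organizationalUnit)' 'Base').Count -eq 1
    $c1.Dispose(); $c2.Dispose()
    return [pscustomobject]$r
}
# Usage (placeholder values):
# Test-EsaLdapParameters xwin.home.local 636 Administrator home.local 'DC=home,DC=local' `
#     'OU=AgiloftContacts,DC=home,DC=local' (Read-Host 'Password' -AsSecureString)
```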

Scripts

Run the following scripts in PowerShell:

ms-Exch-EPI-Impersonation - Granting Impersonation Rights to the Administrator

The ms-Exch-EPI-Impersonation permission gives the administrator the ability to submit an impersonation call. 

C:\>C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -PSConsoleFile
"C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command
"Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} |
ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User
(Get-User -Identity Administrator | select-object).identity
-extendedRight ms-Exch-EPI-Impersonation}" 
Identity  User               Deny  Inherited Rights
--------  ----               ----  --------- ------
MYADM     HOME\Administrator False False     ms-Exch-EPI-Impersonation

ms-Exch-EPI-May-Impersonate - Granting Permission to Impersonate a Specific User or Account

After impersonation permissions are established on a server, the administrator can be granted permission to impersonate a specific account or any account in a mailbox database.

The ms-Exch-EPI-May-Impersonate permission is used to grant the caller access to specific accounts.

The following script allows the administrator to impersonate any account found in the mailbox database at the time of the script run: 

C:\>C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -PSConsoleFile
"C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command
"Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity
$_.DistinguishedName -User Administrator -ExtendedRights
ms-Exch-EPI-May-Impersonate}" 
Identity        User               Deny  Inherited Rights
--------        ----               ----  --------- ------
MYADM\First ... HOME\Administrator False False     ms-Exch-EPI-May-Impersonate 

This script grants the same permission for a specific user: 

C:\>C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe -PSConsoleFile
"C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command
"Add-ADPermission -Identity 'John Doe' -User Administrator
-extendedRight ms-Exch-EPI-May-Impersonate" 
Identity      User               Deny  Inherited Rights
--------      ----               ----  --------- ------
foe.local/... HOME\Administrator False False     ms-Exch-EPI-May-Impersonate 

Run these or similar scripts whenever new accounts that need to be synchronized are created. You can add the script to the scheduler so it runs periodically, for example as often as the Agiloft synchronization runs.

Define and Restrict Impersonation Users in the Organization

Your company may not wish to sync all users of the organization through the impersonation user. In that case, the user must not hold a ManagementRoleAssignment without a filter.

  1. To prevent this, use Get-ManagementRoleAssignment to review the assignments of the user with impersonation rights and Remove-ManagementRoleAssignment to remove any that are unrestricted.
  2. Next, create a custom filter for the selected users; see the Exchange documentation on recipient filter syntax for details.
    1. For example, to create a custom filter that covers all users apart from "QQQ", use New-ManagementScope -Name allExceptQQQ -RecipientRestrictionFilter {Name -ne "QQQ"}.
  3. Introduce the ManagementRoleAssignment using the defined custom restriction.
    1. Continuing the example above, this could be New-ManagementRoleAssignment -Name impersonationAssignmentName -Role ApplicationImpersonation -User serviceAccount -CustomRecipientWriteScope allExceptQQQ.

At this point, the Agiloft Exchange ESA is configured to impersonate all users in the organization apart from the user named QQQ. Depending on the SKIP_NON_IMPERSONIZED_USERS configuration variable, the user "QQQ" is either retrieved without contacts and events or skipped entirely at sync time.
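The three steps above as one script for the Exchange Management Shell, as an added example that is not part of the Agiloft page: it removes unscoped ApplicationImpersonation assignments for the service account, creates the custom scope if it is missing, and binds the role through that scope only. The function, its parameters and the default assignment name are assumptions.

```powershell
# Added example (not from the Agiloft page): script form of the three steps above, for the
# Exchange Management Shell. Function, parameter and default assignment names are assumptions.
function Set-ScopedImpersonation {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,   # account Agiloft binds as, e.g. serviceAccount
        [Parameter(Mandatory)] [string] $ScopeName,        # e.g. allExceptQQQ
        [Parameter(Mandatory)] [string] $RecipientFilter,  # e.g. 'Name -ne "QQQ"'
        [string] $AssignmentName = "$ServiceAccount-ApplicationImpersonation"
    )
    # Step 1: an ApplicationImpersonation assignment whose write scope is the whole
    # organization lets the account act as every mailbox; remove those, keep scoped ones.
    Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
        Where-Object { $_.RecipientWriteScope -eq 'Organization' } |
        ForEach-Object {
            Write-Warning "Removing unscoped assignment $($_.Name)"
            Remove-ManagementRoleAssignment -Identity $_.Identity -Confirm:$false
        }
    # Step 2: create the recipient scope once; later runs reuse it.
    if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
        New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $RecipientFilter | Out-Null
    }
    # Step 3: bind the role to the account through that scope only.
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
        -User $ServiceAccount -CustomRecipientWriteScope $ScopeName | Out-Null
    # Return what is now effective so the change can be reviewed or logged.
    Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
        Select-Object Name, RecipientWriteScope, CustomRecipientWriteScope
}
# Usage (placeholder values): Set-ScopedImpersonation -ServiceAccount serviceAccount `
#     -ScopeName allExceptQQQ -RecipientFilter 'Name -ne "QQQ"'
```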
