Error "The account does not have permission to impersonate the requested user"

Hi,

I am using 8.13 Migration Manager for Exchange to migrate from one forest to another forest; it worked very well with the 8.12 version.

I have upgraded to 8.13 version with the latest hotfix and suddenly it has started throwing impersonation errors specifically for any new mailbox sync.

I have given impersonation permissions to the service account and removed all deny permissions for the database/mailbox, but it still throws the same kind of error.

I tried creating mailboxes in different databases and moving to different agents, still no luck.

Tested out the impersonation rights through EWS editor and no issues with that.

Below is the error that I have observed in the Mage agent.

2017-01-18 14:02:40.5076 Px1B58 Tx1F A7 C712 M11150 Trace SRC(Ews) Connect end 
2017-01-18 14:02:40.5076 Px1B58 Tx1F A7 C712 M11150 Trace TRG(Ews) StartSync end 
2017-01-18 14:02:40.5232 Px1B58 Tx1F A7 C712 M11150 Error Microsoft.Exchange.WebServices.Data.ServiceResponseException: The account does not have permission to impersonate the requested user.
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ProcessWebException(WebException webException)
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ValidateAndEmitRequest(IEwsHttpWebRequest& request)
   at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute()
   at Microsoft.Exchange.WebServices.Data.ExchangeService.InternalBindToFolders(IEnumerable`1 folderIds, PropertySet propertySet, ServiceErrorHandling errorHandling)
   at Microsoft.Exchange.WebServices.Data.ExchangeService.BindToFolder(FolderId folderId, PropertySet propertySet)
   at Microsoft.Exchange.WebServices.Data.ExchangeService.BindToFolder[TFolder](FolderId folderId, PropertySet propertySet)
   at Quest.MigrationManager.Exchange.MigrationConnectors.Ews.ProductionExchangeService.FolderBind(WellKnownFolderName name, PropertySet propertySet)
   at Quest.MigrationManager.Exchange.MigrationConnectors.Ews.EwsSyncConnector.ConnectInternal()
   at Quest.MigrationManager.Exchange.MigrationConnectors.Ews.EwsSyncConnector.Connect()
   at Quest.MigrationManager.Exchange.MigrationConnectors.GenericSyncConnector.StartSync(SyncDirection syncType)
   at Quest.MigrationManager.Exchange.MigrationConnectors.GenericSyncConnector.ReSync(SyncDirection syncType)
   at Quest.MigrationManager.Exchange.Agent.Jobs.DisPlusO365JobBase.<>c__DisplayClass46_0.<DoSync>b__3()
   at Dell.MigrationManagerForExchange.General.DotNet.ResultHandler.Execute(Action act, Action onSuccess, Action`1 onFailure, Boolean bSuppressException)
   at Quest.MigrationManager.Exchange.Agent.Jobs.DisPlusO365JobBase.DoSync(IMailboxSyncConnectorInternal sourceConnector, IMailboxSyncConnectorInternal targetConnector, String mailboxLedn, IAgentProperties cfg)
   at Quest.MigrationManager.Exchange.Agent.Jobs.DisBaseJob.PerformSync()
   at Quest.MigrationManager.Exchange.Agent.Jobs.DisBaseJob.RunJob() 
2017-01-18 14:02:40.5232 Px1B58 Tx1F A7 C712 M11150 Trace Saving mailbox stage. Mailbox ID: 11150, collection ID: 712, new mailbox stage: Failed, expected mailbox stage: InProgress, from ThreadHelper:ThreadStart->ExecutionContext:Run->ExecutionContext:Run->ExecutionContext:RunInternal->ThreadHelper:ThreadStart_Context->QThreadManager:RunTask->QWorkTask:Run->DisBaseJob:RunJob->DisBaseJob:RunJobHandleException->StageToggle:set_MailboxStage->StageToggle:Save->SqlMailBoxStageStorage:Save

If anyone has faced a similar issue, then let me know the workaround or a fix for that.

  • I suspect that the previous project didn't include the impersonation right? Anyhow, it is a requirement, and details on how to set it are in the preparation documentation for 2013 and 2016 as source and/or target environments.
    documents.software.dell.com/.../granting-application-impersonation-role

    To grant the ApplicationImpersonation management role to the <User> (in our example, LA\JohnSmith), run the following cmdlet in Exchange Management Shell:

    New-ManagementRoleAssignment -Role ApplicationImpersonation -User LA\JohnSmith

    If you encounter issues setting this up, please feel free to let the support department know, and we'd be happy to assist.
    Luke
  • I have provided the impersonation permissions and I have verified through EWS editor to cross-verify whether my account has permissions or not. But why does it throw impersonation permissions even though it has permissions?
  • I know this thread is 2 months old, but I just experienced this issue and found a solution.
    What I needed to do was to add the account that was performing the task to the AD Object that it was attempting to perform work as.

    Add-ADPermission -Identity "<Display Name or other identifier of account to impersonate>" -User <User to gain permissions to impersonate> -ExtendedRights ms-Exch-EPI-May-Impersonate

    e.g.: Add-ADPermission -Identity "John Smith" -User svc_account -ExtendedRights ms-Exch-EPI-May-Impersonate

    I hope this helps.

    Anthony.
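
Added example (not part of any reply in this thread, and not Quest's or Microsoft's code): a read-only check, for the on-premises Exchange Management Shell, that lists both grants discussed above for one service account and one mailbox, namely the ApplicationImpersonation role assignment and the ms-Exch-EPI-May-Impersonate ACL entries. The function name Test-ImpersonationGrant is hypothetical, and matching the account by name pattern is an assumption.

```powershell
# Added example. Test-ImpersonationGrant is a hypothetical helper, not a built-in cmdlet.
function Test-ImpersonationGrant {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,   # e.g. svc_account
        [Parameter(Mandatory)] [string] $Mailbox           # e.g. "John Smith"
    )

    # 1. RBAC: ApplicationImpersonation assignments that resolve to the account,
    #    directly or through a role group. An empty CustomRecipientWriteScope
    #    means the assignment is not limited to a subset of mailboxes.
    #    Assumption: the account is matched by name pattern.
    $rbac = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -like "*$ServiceAccount*" } |
        Select-Object Name, RoleAssigneeName, EffectiveUserName, Enabled,
                      RecipientWriteScope, CustomRecipientWriteScope)

    # 2. AD ACL: every ms-Exch-EPI-May-Impersonate entry on the mailbox object
    #    and on its database, Allow and Deny, for any trustee. Entries for
    #    groups are kept because the account may receive them via membership.
    $mbx = Get-Mailbox -Identity $Mailbox
    $targets = @(
        $mbx.DistinguishedName
        (Get-MailboxDatabase -Identity $mbx.Database).DistinguishedName
    )
    $acl = @(foreach ($dn in $targets) {
        Get-ADPermission -Identity $dn |
            Where-Object { $_.ExtendedRights -like 'ms-Exch-EPI-May-Impersonate' } |
            Select-Object Identity, User, Deny, Inherited,
                @{ Name = 'MatchesAccount'; Expression = { "$($_.User)" -like "*$ServiceAccount*" } }
    })

    [pscustomobject]@{
        ServiceAccount  = $ServiceAccount
        Mailbox         = $mbx.DistinguishedName
        RbacAssignments = $rbac
        HasEnabledRbac  = [bool]($rbac | Where-Object { $_.Enabled })
        AclEntries      = $acl
        DenyEntries     = @($acl | Where-Object { $_.Deny })
    }
}

# Sample values taken from the replies above.
$result = Test-ImpersonationGrant -ServiceAccount svc_account -Mailbox "John Smith"
$result | Format-List ServiceAccount, Mailbox, HasEnabledRbac
$result.RbacAssignments | Format-Table -AutoSize
$result.AclEntries      | Format-Table -AutoSize
```

An assignment with no custom recipient scope lets the service account impersonate every mailbox in the organization, so the scope columns are worth reviewing once the migration is finished.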