Configuring the impersonation for connector SE on Exchange Server 2010 and 2013

Learn how to create and configure an impersonating account on Exchange Server 2010 and 2013.

Connector SE uses a technical account to impersonate the users whose mailboxes are to be synchronized (see topic connector SE – some technical details for further explanation).

Note:
  • In Exchange 2010 the e-mail address for a user is generated by an E-Mail Address Policy.
  • Ensure that the account used for impersonation has a mailbox assigned to it on the Exchange Server.

After you have created the impersonating account (in the examples below we use Exlab01\ExConn01 with e-mail address exconn01@exlab01.local) you can use the Exchange Management Shell to configure the impersonation for this account.

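New-ManagementRoleAssignment -Name "CRM.connector" `
  -Role:ApplicationImpersonation -User "Exlab01\ExConn01"

In the example above, a role assignment named CRM.connector is created that assigns the ApplicationImpersonation role to the service account Exlab01\ExConn01 at the Exchange organization level, so the account can impersonate every mailbox in the organization.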

To restrict the impersonation user to a group of users, you can create a management scope, define its members, and assign the impersonation role with that scope. The sample below limits the scope to "Aurea CRM users", where "Aurea CRM users" is an Active Directory group.

New-ManagementScope -Name "Aurea CRM users" `
  -RecipientRestrictionFilter {MemberOfGroup -eq "CN=Aurea CRM Users,CN=Users,DC=exlab01,DC=local"}

New-ManagementRoleAssignment -Name "Aurea CRM connector" `
  -Role:ApplicationImpersonation -User "Exlab01\ExConn01" `
  -CustomRecipientWriteScope "Aurea CRM users"

For an example of how to create such a group and determine the distinguished name of the group, see topic How to create an AD group and limit the scope of the impersonation user below.
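
To check the result, the following added example (not part of the original documentation) lists the ApplicationImpersonation assignments held by Exlab01\ExConn01, previews which recipients the "Aurea CRM users" scope matches, and shows with -WhatIf the removal of any organization-wide assignment that would leave the account able to impersonate every mailbox despite the scoped assignment. It assumes the account and scope names used on this page and is run in the Exchange Management Shell.

```powershell
# Added example: audit the impersonation rights of the connector service account.
# Names below are the ones used on this page; adjust them to your environment.
$account   = 'Exlab01\ExConn01'
$scopeName = 'Aurea CRM users'

# 1. Every ApplicationImpersonation assignment the account holds, with its write scope.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $account
$assignments |
    Select-Object Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope, Enabled |
    Format-Table -AutoSize

# 2. Assignments whose write scope is the whole organization.
#    Role assignments are additive, so one of these makes a scoped
#    assignment for the same account ineffective as a restriction.
$orgWide = $assignments | Where-Object { $_.RecipientWriteScope -eq 'Organization' }
if ($orgWide) {
    Write-Warning "Organization-wide impersonation is assigned to $account :"
    $orgWide | ForEach-Object { Write-Warning ("  " + $_.Name) }
} else {
    Write-Host "No organization-wide impersonation assignment found for $account."
}

# 3. Preview the recipients the custom scope actually matches.
#    Compare this list with the mailboxes connector SE is meant to synchronize.
$scope = Get-ManagementScope -Identity $scopeName
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited |
    Sort-Object Name |
    Select-Object Name, PrimarySmtpAddress, RecipientType

# 4. Dry run: show which organization-wide assignments would be removed.
#    Drop -WhatIf only after the scoped assignment has been verified.
$orgWide | ForEach-Object {
    Remove-ManagementRoleAssignment -Identity $_.Name -WhatIf
}
```

If the unscoped CRM.connector assignment from the first sample still exists alongside "Aurea CRM connector", step 2 reports it.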

For further details on configuring impersonation and on defining the scope of the users that can be impersonated, see MSDN, for example the article "Configuring Exchange Impersonation" at http://msdn.microsoft.com/en-us/library/bb204095(v=exchg.140).aspx or the step-by-step description at http://msdn.microsoft.com/en-us/library/exchange/bb204095(v=exchg.140).aspx.

Connector SE supports "basic" and "NTLM" authentication, so you have to configure your EWS endpoint accordingly. This "external" URL has to be accessible to connector SE. You can use the Get-WebServicesVirtualDirectory and Set-WebServicesVirtualDirectory cmdlets to retrieve and set information for the EWS virtual directory. For further details, see the Microsoft TechNet article Set-WebServicesVirtualDirectory.