Article ID: 954739 - View products that this article applies to.
In an Exchange Server 2007 Service Pack 1 (SP1) environment, the Exchange Impersonation feature enables one service account to make Web service calls on behalf of another Act-As account. With this feature, the call is actually made by using the rights of the Act-As account instead of the rights of the service account. However, the Exchange Impersonation feature does not work if a cross-forest topology has only a one-way trust relationship between forests.
Kerberos Service for User to Self (S4U2Self) requires a two-way trust relationship between forests in order to generate an identity token. Exchange Impersonation relies on S4U2Self for making the Web service calls.
Note S4U2Self is an extension that lets a service obtain a Kerberos service ticket for itself. The service ticket contains the user's groups and can therefore be used in authorization decisions.
To resolve this problem, install Update Rollup 9 for Exchange 2007 Service Pack 1. For more information about Update Rollup 9 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic:
Description of Update Rollup 9 for Exchange Server 2007 Service Pack 1For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:
How to Obtain the Latest Service Pack or Update Rollup for Exchange 2007
For more information about how to configure Exchange Impersonation, visit the following Microsoft Web site:
For more information about how to use Exchange Impersonation, visit the following Microsoft Web site:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Article ID: 954739 - Last Review: July 17, 2009 - Revision: 1.1