The Exchange Impersonation feature does not work if a cross-forest topology has only a one-way trust relationship between forests in Exchange Server 2007 Service Pack 1

In an Exchange Server 2007 Service Pack 1 (SP1) environment, the Exchange Impersonation feature enables one service account to make Web service calls on behalf of another Act-As account. With this feature, the call is actually made by using the rights of the Act-As account instead of the rights of the service account. However, the Exchange Impersonation feature does not work if a cross-forest topology has only a one-way trust relationship between forests.

Kerberos Service for User to Self (S4U2Self) requires a two-way trust relationship between forests in order to generate an identity token. Exchange Impersonation relies on S4U2Self for making the Web service calls.

Note S4U2Self is an extension that lets a service obtain a Kerberos service ticket for itself. The service ticket contains the user's groups and can therefore be used in authorization decisions.

To resolve this problem, install Update Rollup 9 for Exchange 2007 Service Pack 1. For more information about Update Rollup 9 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic: For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:

For more information about how to configure Exchange Impersonation, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/bb204095.aspx (http://msdn.microsoft.com/en-us/library/bb204095.aspx)
For more information about how to use Exchange Impersonation, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/bb204088.aspx (http://msdn.microsoft.com/en-us/library/bb204088.aspx)

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.