The Exchange Impersonation feature does not work if a cross-forest topology has only a one-way trust relationship between forests in Exchange Server 2007 Service Pack 1

Article translations Article translations
Article ID: 954739 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

In an Exchange Server 2007 Service Pack 1 (SP1) environment, the Exchange Impersonation feature enables one service account to make Web service calls on behalf of another Act-As account. With this feature, the call is actually made by using the rights of the Act-As account instead of the rights of the service account. However, the Exchange Impersonation feature does not work if a cross-forest topology has only a one-way trust relationship between forests.

CAUSE

Kerberos Service for User to Self (S4U2Self) requires a two-way trust relationship between forests in order to generate an identity token. Exchange Impersonation relies on S4U2Self for making the Web service calls.

Note S4U2Self is an extension that lets a service obtain a Kerberos service ticket for itself. The service ticket contains the user's groups and can therefore be used in authorization decisions.

RESOLUTION

To resolve this problem, install Update Rollup 9 for Exchange 2007 Service Pack 1. For more information about Update Rollup 9 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic:
Description of Update Rollup 9 for Exchange Server 2007 Service Pack 1
For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:
How to Obtain the Latest Service Pack or Update Rollup for Exchange 2007

MORE INFORMATION

For more information about how to configure Exchange Impersonation, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/bb204095.aspx
For more information about how to use Exchange Impersonation, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/bb204088.aspx

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Properties

Article ID: 954739 - Last Review: July 17, 2009 - Revision: 1.1
APPLIES TO
  • Microsoft Exchange Server 2007 Service Pack 1, when used with:
    • Microsoft Exchange Server 2007 Enterprise Edition
    • Microsoft Exchange Server 2007 Standard Edition
Keywords: 
kbsurveynew kbqfe kbfix kbexpertiseinter KB954739

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com