This article has been archived. It is offered "as is" and will no longer be updated.
In an Exchange Server 2007 Service Pack 1 (SP1) environment, the Exchange Impersonation feature enables one service account to make Web service calls on behalf of another Act-As account. With this feature, the call is actually made by using the rights of the Act-As account instead of the rights of the service account. However, the Exchange Impersonation feature does not work if a cross-forest topology has only a one-way trust relationship between forests.
Kerberos Service for User to Self (S4U2Self) requires a two-way trust relationship between forests in order to generate an identity token. Exchange Impersonation relies on S4U2Self for making the Web service calls.
Note: S4U2Self is a Kerberos extension that lets a service obtain a Kerberos service ticket for itself on behalf of a user. The service ticket contains the user's groups and can therefore be used in authorization decisions.
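To check whether an environment matches the condition described above, the following PowerShell lists the current forest's trust relationships and flags any that are not two-way. It is an added example, not part of the original article or of Exchange. It assumes a domain-joined machine and an account that can read trust information, and the function name Get-ForestTrustDirection is hypothetical.

```powershell
# Added example: enumerate the trusts of the current forest and flag
# one-way trusts, the topology in which S4U2Self cannot build an identity token.
# Get-ForestTrustDirection is a hypothetical helper name, not an Exchange cmdlet.
function Get-ForestTrustDirection {
    $bidirectional = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
    try {
        # Requires a domain-joined machine; throws if no forest can be contacted.
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $trusts = $forest.GetAllTrustRelationships()
    }
    catch {
        Write-Error "Could not read forest trusts: $($_.Exception.Message)"
        return
    }

    foreach ($trust in $trusts) {
        # TrustDirection is Inbound, Outbound or Bidirectional.
        $isTwoWay = ($trust.TrustDirection -eq $bidirectional)
        New-Object PSObject -Property @{
            SourceForest = $trust.SourceName
            TargetForest = $trust.TargetName
            Direction    = $trust.TrustDirection
            TwoWay       = $isTwoWay
        } | Select-Object SourceForest, TargetForest, Direction, TwoWay
    }
}

# Rows with TwoWay = False are the one-way trusts this article is about.
Get-ForestTrustDirection | Format-Table -AutoSize
```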
To resolve this problem, install Update Rollup 9 for Exchange 2007 Service Pack 1. For more information about Update Rollup 9 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic: