The Exchange Impersonation feature does not work if a cross-forest topology has only a one-way trust relationship between forests in Exchange Server 2007 Service Pack 1

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
In an Exchange Server 2007 Service Pack 1 (SP1) environment, the Exchange Impersonation feature enables one service account to make Web service calls on behalf of another Act-As account. With this feature, the call is actually made by using the rights of the Act-As account instead of the rights of the service account. However, the Exchange Impersonation feature does not work if a cross-forest topology has only a one-way trust relationship between forests.
CAUSE
Kerberos Service for User to Self (S4U2Self) requires a two-way trust relationship between forests in order to generate an identity token. Exchange Impersonation relies on S4U2Self for making the Web service calls.

Note S4U2Self is an extension that lets a service obtain a Kerberos service ticket for itself. The service ticket contains the user's groups and can therefore be used in authorization decisions.
RESOLUTION
To resolve this problem, install Update Rollup 9 for Exchange 2007 Service Pack 1. For more information about Update Rollup 9 for Exchange Server 2007 Service Pack 1, see the following Exchange Help topic: For more information about how to obtain the latest Exchange service pack or update rollup, see the following Exchange Help topic:
MORE INFORMATION
For more information about how to configure Exchange Impersonation, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/bb204095.aspx
For more information about how to use Exchange Impersonation, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/bb204088.aspx
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Properties

Article ID: 954739 - Last Review: 01/15/2015 17:58:20 - Revision: 1.1

  • Microsoft Exchange Server 2007 Service Pack 1
  • kbnosurvey kbarchive kbsurveynew kbqfe kbfix kbexpertiseinter KB954739
Feedback