Today I was working on an Exchange Web Services project that I have been working on for some time. During the development of this project I had been testing code against a virtualized Windows Server 08 R2 and Exchange Server 2007 SP1. The project uses impersonation to manipulate items in user mailboxes and had worked fine up until this point, but had trouble making a connection suddenly today.
At first I thought it was a problem with the virtualized server and I rebooted it to see if the service would become accessible and it did not. I tried switching from autodiscover for the EWS endpoint to specifying the URI and it made no difference.
Error: Using autodiscover
The autodiscover service couldn't be located.
Error: Using a URI
Request failed. The remote server returned an error: (401) Unauthorized.
Problem properties
These errors prevented me from using EWS in the project that had been working fine. Nothing significant had changed in the project and backups that worked prior did not work anymore. The impersonation account was still valid in active directory and using the Test-ExchangeWebServices cmdlet the Exchange Management Console confirmed an accessible and functioning autodiscovery service and endpoints for the target email address. Changing authentication settings (Anonymous Authentication) in IIS resulted in the URI error for EWS becoming
Request failed. The remote server returned an error: (403) Forbidden.
It was clear it was a security issue with the impersonation account. At first glance the impersonation account properties were fine and (still) correctly setup, so what was the problem?
The Solution
The problem was that the account had been set to have its password expire. The password had expired for the impersonation account and this was pretty much invisible to me as it was not shown anywhere in the active directory administrative user property panes. So I reset the password to what it was and set it not to expire. That fixed the problem.
Further comments
I had thought that the problem could have been related to how I’ve been authenticating. Up until now I’ve been using the an authentication object like the following:
ExchangeService.Url = new NetworkCredential(ImpersonationUsername,ImpersonationPassword)
Online there is a lot of comments about including a domain as the third parameter and I had considered this as being the problem, but it was not. My project has been functioning fine without specifying a domain parameter. In addition this is using a NetworkCredential object as opposed to a WebCredential object which is also suggested in some places. It is worth considering if the above solution doesn’t fix your issue. You can also try making sure the authentication settings are correct in your IIS (where the EWS API is hosted) however be careful if you do that. This problem normally suggests there is an authentication problem somewhere.