Symantec Email Submission Client (SESC) console shows error message "...does not have impersonation permission." when setting the Service Settings


Article ID: 155915


Updated On:


Mail Security for Microsoft Exchange Messaging Gateway


A username and password have been entered into the service settings in the SESC console.  After the Apply button is pressed a dialog box appears that contains the following error message:

The following validation error were found:
<accountName> does not have impersonation permissions

For example:

The following validation error were found:
2k8domain\administrator does not have impersonation permissions

Use the following steps to set the service account information in the SESC console:

1. Click on the Configuration pane.
2. Enter the service account name in the User name textbox.
3. Enter the service account password in the Password textbox.


  • For exchange 2010 there are no direct role assignments for the service account for Account Impersonation permission in Exchange.

1. Open Exchange Management Shell.
2. Run the following powershell command:

Get-ManagementRoleAssignment -role applicationimpersonation -roleassignee <serviceAccountName> -assignmentmethod direct

NOTE:  Replace <serviceAccountName> with the name of the service account.  The following is an example for the account sesc01:

Get-ManagementRoleAssignment -role applicationimpersonation -roleassignee 2k8domain\sesc01 -assignmentmethod direct

3. If the command returns no results then this condition is met.

If the command returns something like this then this condition is not met:

RunspaceId                   : df38d01a-4aac-40bc-8375-ec3714261b85
User                         : 2k8domain.test/Users/Administrator
AssignmentMethod             : Direct
Identity                     : SESCAppImpersonation_administrator
EffectiveUserName            : Administrator
AssignmentChain              :
RoleAssigneeType             : User
RoleAssignee                 : 2k8domain.test/Users/Administrator
Role                         : ApplicationImpersonation
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope    :
CustomConfigWriteScope       :
RecipientReadScope           : Organization
ConfigReadScope              : None
RecipientWriteScope          : Organization
ConfigWriteScope             : None
Enabled                      : True
RoleAssigneeName             : Administrator
IsValid                      : True
ExchangeVersion              : 0.11 (14.0.550.0)
Name                         : SESCAppImpersonation_administrator
DistinguishedName            : CN=SESCAppImpersonation_administrator,CN=Role Assignments,CN=RBAC,CN=First Organization, CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=2k8domain,DC=test
Guid                         : fd6c0124-bbcf-4d5f-b1cf-3ac687e119dc
ObjectCategory               : 2k8domain.test/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass                  : {top, msExchRoleAssignment}
WhenChanged                  : 2/14/2012 10:04:22 AM
WhenCreated                  : 2/14/2012 10:04:22 AM
WhenChangedUTC               : 2/14/2012 3:04:22 PM
WhenCreatedUTC               : 2/14/2012 3:04:22 PM
OrganizationId               :
OriginatingServer            : Ex2010DC.2k8domain.test




The SESC console checks to ensure that the service account has Exchange impersonation permissions.  With Exchange 2010 it is required that the permission is a direct assignment.


Assign application impersonation permission to the SESC service account.

Exchange 2010

1. Open Exchange Management Shell.
2. Run the following command:

New-ManagementRoleAssignment -name SESCAppImpersonation -role ApplicationImpersonation -user <serviceAccountName>

NOTE:  Replace <serviceAccountName> with the name of the service account.  The following is an example for the account sesc01:

New-ManagementRoleAssignment -name SESCAppImpersonation -role ApplicationImpersonation -user 2k8domain\sesc01

Exchange 2007

1. Open Exchange Management Shell.
2. Run the following commands:

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity <serviceAccountName> | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <serviceAccountName> -ExtendedRights ms-Exch-EPI-May-Impersonate}

NOTE:  Replace <serviceAccountName> with the name of the SESC service account.  The following example removes impersonation for the account 2k8domain\administrator:

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity 2k8domain\administrator | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User 2k8domain\administrator -ExtendedRights ms-Exch-EPI-May-Impersonate}

Technical Information

For Exchange 2010, application impersonation permission may be assigned to an account through delegation, a security group, directly and other ways.  See the following Microsoft article for more information: Get-ManagementRoleAssignment. The SESC console requires that the account have the permissions through direct impersonation.

Applies To

  • SESC 1.X