A username and password have been entered into the service settings in the SESC console. After the Apply button is pressed a dialog box appears that contains the following error message:
The following validation error were found:
Configuration
<accountName> does not have impersonation permissions
For example:
The following validation error were found:
Configuration
2k8domain\administrator does not have impersonation permissions
Use the following steps to set the service account information in the SESC console:
1. Click on the Configuration pane.
2. Enter the service account name in the User name textbox.
3. Enter the service account password in the Password textbox.
Conditions
1. Open Exchange Management Shell.
2. Run the following PowerShell command:
Get-ManagementRoleAssignment -role applicationimpersonation -roleassignee <serviceAccountName> -assignmentmethod direct
NOTE: Replace <serviceAccountName> with the name of the service account. The following is an example for the account sesc01:
Get-ManagementRoleAssignment -role applicationimpersonation -roleassignee 2k8domain\sesc01 -assignmentmethod direct
3. If the command returns no results then this condition is met.
If the command returns something like this then this condition is not met:
RunspaceId : df38d01a-4aac-40bc-8375-ec3714261b85
User : 2k8domain.test/Users/Administrator
AssignmentMethod : Direct
Identity : SESCAppImpersonation_administrator
EffectiveUserName : Administrator
AssignmentChain :
RoleAssigneeType : User
RoleAssignee : 2k8domain.test/Users/Administrator
Role : ApplicationImpersonation
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope :
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : None
RecipientWriteScope : Organization
ConfigWriteScope : None
Enabled : True
RoleAssigneeName : Administrator
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : SESCAppImpersonation_administrator
DistinguishedName : CN=SESCAppImpersonation_administrator,CN=Role Assignments,CN=RBAC,CN=First Organization, CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=2k8domain,DC=test
Guid : fd6c0124-bbcf-4d5f-b1cf-3ac687e119dc
ObjectCategory : 2k8domain.test/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 2/14/2012 10:04:22 AM
WhenCreated : 2/14/2012 10:04:22 AM
WhenChangedUTC : 2/14/2012 3:04:22 PM
WhenCreatedUTC : 2/14/2012 3:04:22 PM
OrganizationId :
OriginatingServer : Ex2010DC.2k8domain.test
The SESC console checks that the service account has Exchange impersonation permissions. With Exchange 2010, the permission must be a direct assignment.
Assign application impersonation permission to the SESC service account.
Exchange 2010
1. Open Exchange Management Shell.
2. Run the following command:
New-ManagementRoleAssignment -name SESCAppImpersonation -role ApplicationImpersonation -user <serviceAccountName>
NOTE: Replace <serviceAccountName> with the name of the service account. The following is an example for the account sesc01:
New-ManagementRoleAssignment -name SESCAppImpersonation -role ApplicationImpersonation -user 2k8domain\sesc01
Exchange 2007
1. Open Exchange Management Shell.
2. Run the following commands:
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity <serviceAccountName> | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <serviceAccountName> -ExtendedRights ms-Exch-EPI-May-Impersonate}
NOTE: Replace <serviceAccountName> with the name of the SESC service account. The following example grants impersonation to the account 2k8domain\administrator:
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity 2k8domain\administrator | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User 2k8domain\administrator -ExtendedRights ms-Exch-EPI-May-Impersonate}
Technical Information
For Exchange 2010, application impersonation permission may be assigned to an account directly, through delegation, through a security group, or in other ways. See the following Microsoft article for more information: Get-ManagementRoleAssignment. The SESC console requires that the account hold the permission through a direct assignment.
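Added example (not part of the original article or of SESC): a function for Exchange Management Shell on Exchange 2010 that reports whether the account holds ApplicationImpersonation directly or only indirectly, using the same Get-ManagementRoleAssignment query as the Conditions section. The function name Test-SescImpersonation and the output property names are assumptions made for this example.

```powershell
# Added example for Exchange Management Shell (Exchange 2010).
# Test-SescImpersonation and its output property names are hypothetical.
function Test-SescImpersonation {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ServiceAccount    # for example 2k8domain\sesc01
    )

    # With -RoleAssignee and no -AssignmentMethod, direct and indirect
    # (group-based) assignments are both returned.
    $all = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation `
                 -RoleAssignee $ServiceAccount)

    # The query from the Conditions section: direct assignments only.
    $direct = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation `
                    -RoleAssignee $ServiceAccount -AssignmentMethod Direct)

    if ($direct.Count -gt 0) {
        $status = 'Direct assignment present'
    } elseif ($all.Count -gt 0) {
        $status = 'Indirect only: SESC validation fails until a direct assignment is added'
    } else {
        $status = 'No ApplicationImpersonation assignment'
    }

    # One result object: the verdict plus every assignment found, with the
    # fields worth reviewing (how it was granted, its scope, whether enabled).
    New-Object PSObject -Property @{
        Account     = $ServiceAccount
        Status      = $status
        Assignments = $all | Select-Object Name, AssignmentMethod,
                          RoleAssigneeName, RecipientWriteScope, Enabled
    }
}

# Usage with the article's sample account:
# Test-SescImpersonation -ServiceAccount '2k8domain\sesc01'
```

A RecipientWriteScope of Organization in the Assignments list, as in the sample output above, means the account can impersonate any mailbox in the organization, so each row is worth reviewing when auditing service accounts.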
Applies To