There are spam submissions in the SESC spam submission folder. The spam submissions stay in the submission folder and are not processed by SESC. The SESC console does not increase the Failed counter. This counter is displayed at the top of the SESC console.
Conditions
[::]2012-07-09 07:21:43,583, [26], ERROR, Symantec.Submission.Exchange.Client.ExchangeItem, Microsoft.Exchange.WebServices.Data.ServiceResponseException: The server to which the application is connected cannot impersonate the requested user due to insufficient permission.
See the following article for details on the SESC debug logs: How to Obtain Debug logs for Symantec Email Submission Client (SESC).
Exchange 2007
1. Open the Exchange Management Shell.
2. Run the following Powershell command:
get-adpermission -id <casserver> | where {$_.ExtendedRights -like "ms-Exch-EPI-Impersonation" } | ft -autosize
where <casserver> is the name of the CAS server used by SESC. The following is an example where the CAS server is CAS01:
get-adpermission -id cas01 | where {$_.ExtendedRights -like "ms-Exch-EPI-Impersonation" } | ft -autosize
If the result output does not contain a "Deny" false rights then this condition is met. The following is an example where the SESC service account does not have permissions:
Identity User Deny Inherited Rights
-------- ---- ---- --------- ------
EXMB1 EXCHANGE2007\Domain Admins True True ms-Exch-EPI-Impersonation
EXMB1 EXCHANGE2007\Schema Admins True True ms-Exch-EPI-Impersonation
EXMB1 EXCHANGE2007\Enterprise Admins True True ms-Exch-EPI-Impersonation
EXMB1 EXCHANGE2007\Exchange Organization Administrators True True ms-Exch-EPI-Impersonation
EXMB1\EXMB1 EXCHANGE2007\Domain Admins True True ms-Exch-EPI-Impersonation
EXMB1\EXMB1 EXCHANGE2007\Schema Admins True True ms-Exch-EPI-Impersonation
EXMB1\EXMB1 EXCHANGE2007\Enterprise Admins True True ms-Exch-EPI-Impersonation
EXMB1\EXMB1 EXCHANGE2007\Exchange Organization Administrators True True ms-Exch-EPI-Impersonation
The following output shows when the SESC account has impersonation permission:
Identity User Deny Inherited Rights
-------- ---- ---- --------- ------
EXCHANGECAS EXCHANGE2007\administrator False False ms-Exch-EPI-Impersonation
EXCHANGECAS EXCHANGE2007\Domain Admins True True ms-Exch-EPI-Impersonation
EXCHANGECAS EXCHANGE2007\Schema Admins True True ms-Exch-EPI-Impersonation
EXCHANGECAS EXCHANGE2007\Enterprise Admins True True ms-Exch-EPI-Impersonation
EXCHANGECAS EXCHANGE2007\Exchange Organization Administrators True True ms-Exch-EPI-Impersonation
EXCHANGECAS\EXCHANGECAS EXCHANGE2007\administrator False True ms-Exch-EPI-Impersonation
EXCHANGECAS\EXCHANGECAS EXCHANGE2007\Domain Admins True True ms-Exch-EPI-Impersonation
EXCHANGECAS\EXCHANGECAS EXCHANGE2007\Schema Admins True True ms-Exch-EPI-Impersonation
EXCHANGECAS\EXCHANGECAS EXCHANGE2007\Enterprise Admins True True ms-Exch-EPI-Impersonation
EXCHANGECAS\EXCHANGECAS EXCHANGE2007\Exchange Organization Administrators True True ms-Exch-EPI-Impersonation
The SESC service account needs Exchange impersonation permisssion to function.
Provide Exchange impersonation permission for the SESC service account. See the following article for details: About impersonation rights.