AlexFogerty-6370 asked AlexFogerty-6370 commented

Exchange 2016 New ApplicationImpersonation Account Not Working After CU19

We are running Exchange 2016 on Server 2016. After we were informed by Microsoft that we needed to upgrade to CU19, we installed it on the same day.

Unfortunately it broke our ApplicationImpersonation account that was using the Administrator account. Specifically it has broken a program called Mailstore.

Mailstore Support said they were confident Microsoft would fix the issue in CU20 but this hasn't happened. We installed CU20 (15.1.2242.4) and rebooted the Exchange server and the problem still exists.

Mailstore Support said that a work-around would be to create a new ApplicationImpersonation account as a lowly user. I have created the account and assigned it the ApplicationImpersonation role, but Mailstore (the program) just says that the credentials were rejected by EWS:



An error has occurred.

Authentication failed (EWS). Check user name and password. If the password is correct, try specifying your UPN Logon (e.g. user@domain.com) or DOMAIN\username in the user name field.



I have tried different username formats but all are rejected.

Interestingly Vipre Email Security seems to be working fine, but it was set up with ApplicationImpersonation as a lowly user from Day 1.

Has anyone else seen this? Am I barking up the wrong tree? Any ideas how to get ApplicationImpersonation to work?

office-exchange-server-administration

AlexFogerty-6370 answered

[PS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2016>Get-ManagementRoleAssignment -Role ApplicationImpersonation | fl Name, User, CustomRecipientWriteScope


Name : ApplicationImpersonation-Hygiene Management
User : DOMAIN/Microsoft Exchange Security Groups/Hygiene Management
CustomRecipientWriteScope :

Name : ApplicationImpersonation-Organization Management-Delegating
User : DOMAIN/Microsoft Exchange Security Groups/Organization Management
CustomRecipientWriteScope :

Name : VIPRE Email Security
User : DOMAIN/Users/Vipre
CustomRecipientWriteScope :

Name : MailStore Impersonation
User : DOMAIN/Users/Mailstore
CustomRecipientWriteScope :

[PS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2016>Get-ManagementRoleAssignment -Identity "MailStore Impersonation" | fl

RunspaceId : b9f05ce8-6484-4f96-9825-128b81492fd9
DataObject : MailStore Impersonation
User : DOMAIN/Users/Mailstore
AssignmentMethod : Direct
Identity : MailStore Impersonation
EffectiveUserName : Mailstore
AssignmentChain :
RoleAssigneeType : User
RoleAssignee : DOMAIN/Users/Mailstore
Role : ApplicationImpersonation
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope :
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : None
RecipientWriteScope : Organization
ConfigWriteScope : None
Enabled : True
RoleAssigneeName : Mailstore
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : MailStore Impersonation
DistinguishedName : CN=MailStore Impersonation,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=local
Guid : 59255a4b-6592-4385-baec-47b3820b0de3
ObjectCategory : DOMAIN/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 19/03/2021 1:34:17 PM
WhenCreated : 19/03/2021 1:34:17 PM
WhenChangedUTC : 19/03/2021 12:34:17 AM
WhenCreatedUTC : 19/03/2021 12:34:17 AM
OrganizationId :
Id : MailStore Impersonation
OriginatingServer : SERVER.DOMAIN
ObjectState : Unchanged


AndyDavid answered AlexFogerty-6370 commented

I would open a ticket with Microsoft Support and report this.


Hi Andy,

After many hours we were able to solve the issue. It seems that our ApplicationImpersonation account needed an email mailbox assigned to it, and that it also needs the exact server name with FQDN, not the DNS alias. Perhaps CU19 has changed the 'rules' around this? We will try to get it to work without the mailbox, as in theory it shouldn't need it for ApplicationImpersonation. I suspect it might also be a Mailstore issue with Exchange 2016 CU19/CU20.

0 Votes 0 ·

Hi Alex,

Maybe the credential is used by Mailstore? Just a thought about this thread.

0 Votes 0 ·

The credentials are correct.

0 Votes 0 ·
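
A way to check, from the Exchange Management Shell, the conditions reported in this thread: the role assignment and its scope, whether the account has a mailbox, and the server FQDN to enter in the client. This is an added example, not posted by anyone in the thread; the account name Mailstore is taken from the output above, and the warning about an unscoped assignment is an addition.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2016 server.
# Assumption: 'Mailstore' is the service account shown in the thread's output.
$account = 'Mailstore'

# 1. Role assignment: does it exist, is it enabled, and how wide is its write scope?
$assignments = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $account)
if ($assignments.Count -eq 0) {
    Write-Warning "$account has no ApplicationImpersonation assignment."
}
foreach ($a in $assignments) {
    $line = '{0}: Enabled={1}, RecipientWriteScope={2}, CustomRecipientWriteScope={3}'
    $line -f $a.Name, $a.Enabled, $a.RecipientWriteScope, $a.CustomRecipientWriteScope

    # An empty custom scope with an Organization write scope (as in the output
    # above) lets the account impersonate every mailbox in the organization.
    if (-not $a.CustomRecipientWriteScope -and "$($a.RecipientWriteScope)" -eq 'Organization') {
        Write-Warning "$($a.Name) is not scoped: $account can impersonate any mailbox."
    }
}

# 2. Mailbox: the comment above reports that the account needed one.
$mailbox = Get-Mailbox -Identity $account -ErrorAction SilentlyContinue
if ($mailbox) {
    "Mailbox found: $($mailbox.PrimarySmtpAddress)"
} else {
    Write-Warning "$account has no mailbox."
}

# 3. Server name: the comment above reports that the client needed the server's
#    exact FQDN rather than a DNS alias. List the FQDNs and the configured EWS
#    URLs side by side so the host name entered in the client can be compared.
Get-ExchangeServer | Format-Table Name, Fqdn -AutoSize
Get-WebServicesVirtualDirectory | Format-List Server, InternalUrl, ExternalUrl
```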