Hi,
I know there are other questions about ErrorAccessDenied but they are not exactly describing my situation and all are pretty much old and mostly not answered so forgive me for creating my own.
Also, wall of text coming so please bear with me.
We have an application that synchronizes Exchange items into our internal systems. Items created on Exchange are stored in that system and vice versa of course with a lot of business logic and rules, etc. Application uses EWS Managed API and impersonation to access users mailboxes. Everything works fine but now we have this one customer that has a lot of strange things going on with main 2 problems mentioned in subject.
1. To ensure both sides (Exchange and our system) are in sync we have a functionality that allows users to decide that items no longer existing on Exchange should be removed also from system database. Since in our record we store id of original Exchange item internal system simply sends us list of those ids to confirm items still exist. What application does is a BindToItems method call with BasePropertySet.IdOnly as requested property and depending on server response we notify internal system about state of items. There is some semi complex logic behind what exactly is done on system side but in general NoError and item returned means item exists, ErrorItemNotFound means item doesn't exist.
For this one customer suddenly we started to receive ErrorAccessDenied and ErrorBatchProcessingStopped error codes which is very strange because seconds earlier there were events read from PullSubscribtion, items read from server, items created on server and bunch of other stuff going on which basically makes me sure that impersonation is working. For some reason during execution of this particular code ErrorAccesDenied is returned and it messes up whole BindToItems call.
But what is really strange is that for first id in list of ids we get NoError and correct item returned, for second id we get ErrorAccessDenied, and rest of responses is ErrorBatchProcessingStopped. So is it really about credentials or there is some completely different reason AccessDenied is retuned? According to customer those items exist in user mailbox for whom those errors are showing up. It doesn't happen for all users, only for some - who have exactly the same configuration of mailboxes as rest (according to customer).
2. For same customer another problem started to occur since 1st of January, at least that is a date when they noticed it for the first time. Again, it happens for some users and there is no scenario that would guarantee to reproduce it.
When new record is created in our system or its data change it has to be created/updated on Exchange. With same impersonation as for problem described above I simply create new item or find existing item using id provided by our system, set item properties according to whatever was sent and save/update item on Exchange. Simple and it works in multiple installations without problems.
But this customer reports that appointments created for one user show up in other users mailboxes which I find really strange because as far as I know when I impersonate userA@server.com everything I do is executed in context of this one user only. So if I create appointment in his calendar I cannot create same appointment in userB's calendar without explicitly switching impersonation to userB. What is worth mentioning during our sync process we store on Exchange items bunch of custom properties that help us verify whole process and do various filters, etc. All of those custom properties are visible in outlook in that design form view or whatever it is called. And I have screenshot from user that claims to have one of those "not his" appointments and basically half of our properties is not there and some have no values while they definitely should have otherwise whole sync would fail and everything is logged as successful.
Sorry for this wall of text but I really have no idea what can causing those strange problems so I tried to describe as much as possible without breaching NDA and such stuff. We added a lot of logging around areas where impersonation is changed, Exchange items are created/updated, etc. Logs show nothing, of course.
So, for first issue: is it possible that items were moved on Exchange in such way that user still can see them but for EWS API call we get ErrorAccessDenied? I'm not sure where exactly could be such location because if id of an item would change we should rather get ErrorItemNotFound or even something about id being not properly formatted, right?
For second issue: is it possible that there is something running on Exchange server and does some kind of simplistic mirroring of items between mailboxes? Customer claims there are no such things on server nor user side but can it be something that non-IT people wouldn't know? Like some kind of script that admins like to run to keep server healthy or something innocent but lethal for our scenarios? Anybody has any hints what we should even ask customer about to get closer to solution of those mysterious problems?