Channel: Exchange Server Development forum

401.2 Unauthorized when accessing Exchange through IIS

I am working on an ASP.NET MVC site that accesses our local Exchange 2013 server. Everything works fine on my development machine with VS 2013 + IIS Express and the db on SQL Express (on another machine).

The deployed application, however, throws 401.2 when accessing Exchange with the current user (SQL Server is running on the same server). This should be a problem with Kerberos delegation. Unfortunately, I did not get it to work after hours of searching and configuring. So here's what I have:

  • EWS Managed API V2.2
  • Windows Authentication enabled in web.config and on IIS
  • I use the same domain user when testing on my local machine and the webserver

IIS Configuration:

  • Windows Authentication Providers: Negotiate, NTLM
  • Windows Authentication Advanced Settings: Extended Protection Off, Kernel-Mode Auth DISABLED
  • ASP.Net Impersonation activated on the productive webserver
  • Application Pool runs as a domain user ("Contoso\roomplanner")
  • "useAppPoolCredentials" in ApplicationHost.config for site = TRUE

AD configuration:

  • AppPool user trusted for delegation, webserver trusted for delegation
  • Added SPNs for Contoso\roomplanner: http/webserverNETBIOS; http/webserverFQDN

I followed this tutorial for Kerberos Delegation: http://blogs.msdn.com/b/chiranth/archive/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis.aspx

Code I use to connect to Exchange:

    public void Auth(WebCredentials creds, bool useAutodiscover, string EWSURL = null)
    {
        if (useAutodiscover) {
            // not of interest, because I always use the EWSURL in this scenario
        } else {
            if (!String.IsNullOrEmpty(EWSURL)) {
                service = new ExchangeService(ExchangeVersion.Exchange2013_SP1);
                service.CookieContainer = new CookieContainer();
                service.TraceEnabled = true;
                service.Credentials = creds; // CURRENT USER in this case
                service.Url = new Uri(EWSURL);
            } else {
                // ERROR
            }
        }
    }

Here is a sample of a following operation on the Exchange:

    public List<EmailAddress> GetAllRoomAddresses()
    {
        var roomlists = service.GetRoomLists();
        List<EmailAddress> roomAddresses = new List<EmailAddress>();
        foreach (var item in roomlists) {
            roomAddresses.AddRange(service.GetRooms(new EmailAddress(item.Address)));
        }
        return roomAddresses;
    }

TL;DR: Everything works fine on my development machine. The Exchange Server, however, denies access when accessing the site through a regular IIS (double-hop scenario).

Can somebody tell me how I get this to work?

Regards


chn
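
A read-only check of the AD settings listed in the post (SPNs on the app pool account, delegation flags), as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module is installed; `Test-DelegationSetup`, the web server's computer account name and `$CallingUser` are hypothetical, the other names are the post's placeholders.

```powershell
# Added example: read-only audit of the AD settings listed in the post.
# Needs the ActiveDirectory module (RSAT). Default values are the post's
# placeholders; $WebServer and $CallingUser are assumptions.
Import-Module ActiveDirectory

function Test-DelegationSetup {
    param(
        [string]$AppPoolUser = 'roomplanner',        # Contoso\roomplanner
        [string]$WebServer = 'webserverNETBIOS',     # computer account (assumed name)
        [string[]]$ExpectedSpns = @('http/webserverNETBIOS', 'http/webserverFQDN'),
        [string]$CallingUser                         # user who browses the site
    )
    $props = 'ServicePrincipalNames', 'TrustedForDelegation',
             'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    $svc = Get-ADUser -Identity $AppPoolUser -Properties $props
    $srv = Get-ADComputer -Identity $WebServer -Properties $props

    # Each SPN must be registered on exactly one account in the domain;
    # with a duplicate, Kerberos ticket requests for that SPN fail.
    $spns = foreach ($spn in $ExpectedSpns) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        [pscustomobject]@{
            Spn           = $spn
            Owners        = $owners.Name -join ', '
            OnAppPoolUser = $svc.ServicePrincipalNames -contains $spn
            Duplicate     = $owners.Count -gt 1
        }
    }
    # Delegation flags on the app pool account and the web server account.
    $accounts = foreach ($a in @($svc, $srv)) {
        [pscustomobject]@{
            Account             = $a.SamAccountName
            Unconstrained       = $a.TrustedForDelegation
            ProtocolTransition  = $a.TrustedToAuthForDelegation
            AllowedToDelegateTo = $a.'msDS-AllowedToDelegateTo' -join ', '
        }
    }
    # "Account is sensitive and cannot be delegated" on the calling user
    # blocks delegation of that user's identity.
    $caller = if ($CallingUser) {
        Get-ADUser -Identity $CallingUser -Properties AccountNotDelegated |
            Select-Object SamAccountName, AccountNotDelegated
    }
    [pscustomobject]@{ Spns = $spns; Accounts = $accounts; Caller = $caller }
}

$r = Test-DelegationSetup
$r.Spns | Format-Table -AutoSize
$r.Accounts | Format-Table -AutoSize
```

`Unconstrained = True` corresponds to the "trust this account for delegation to any service" setting, and an empty `AllowedToDelegateTo` means no constrained delegation targets are configured on that account.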

