EWS - 使用服务帐户进行模拟
在我们的组织中,我们尝试使用 EWS 托管 API 从 Exchange 2010 上的自定义 UI 客户端访问邮箱。我们有一个在 IIS 7.5 上运行的 .NET 4.0 WCF 服务,代表 UI 客户端调用 EWS 方法。客户端和 WCF 服务通过 https 进行通信,WCF 服务和 EWS 也是如此。我们现在想要创建服务帐户(基本上是对某些电子邮件收件箱具有模拟权限的 AD 帐户)并在这些服务帐户下运行 WCF 服务。但是,当我在 IIS 中的特定 AD 用户下运行 WCF 服务时(使用设置为特定 AD 用户的匿名用户身份启用匿名身份验证),EWS 会引发 401 未经授权的异常。检查 ExchangeService 对象后,Credentials 对象为 null。如果我对凭据进行硬编码,该服务就可以访问 EWS。下面是我用来创建 ExchangeService 对象的代码。
var service = new ExchangeService(ExchangeVersion.Exchange2010)
{
Url = new Uri(ConfigurationManager.AppSettings["EWSUrl"]),
// If I uncomment the below line, the service can access EWS. However, I want the user under which the service is running to access EWS.
//Credentials = new NetworkCredential("ImpersonatingUser", "secretPwd", "TESTDOMAIN"),
ImpersonatedUserId = new ImpersonatedUserId { Id = emailAddress, IdType = ConnectingIdType.SmtpAddress },
};
我在某处读到 System.ServiceModel.ServiceSecurityContext.Current.WindowsIdentity 对象将拥有运行服务的当前用户。但是,在我的例子中,System.ServiceModel.ServiceSecurityContext.Current 上下文为空。
如何获取服务帐户的凭据(无需在代码中对其进行硬编码)并将其传递给 EWS?如果您需要更多详细信息,请告诉我。
编辑:在 IIS 7.5 中,我创建了一个在模拟 AD 用户身份下运行的单独应用程序池,并将我的 WCF 服务配置为在此应用程序池中运行。仍然无法获取服务凭证。
提前致谢。
In our organization we are trying to use EWS Managed API to access mailboxes from a custom UI client on Exchange 2010. We have a .NET 4.0 WCF service running on IIS 7.5 calling the EWS methods on behalf of the UI client. Client and WCF service communicate over https, so does the WCF service and EWS. We now want to create service accounts (basically AD accounts with impersonation rights on certain email inboxes) and run the WCF service under these service accounts. However, when I run the WCF service under a particular AD user in IIS (Anonymous authentication enabled with Anonymous user identity set to the specific AD user), EWS throws a 401 Unauthorized exception. Upon examining the ExchangeService object, the Credentials object is null. If I hardcode the credentials, the service can access EWS. Below is the code that I am using to create the ExchangeService object.
var service = new ExchangeService(ExchangeVersion.Exchange2010)
{
Url = new Uri(ConfigurationManager.AppSettings["EWSUrl"]),
// If I uncomment the below line, the service can access EWS. However, I want the user under which the service is running to access EWS.
//Credentials = new NetworkCredential("ImpersonatingUser", "secretPwd", "TESTDOMAIN"),
ImpersonatedUserId = new ImpersonatedUserId { Id = emailAddress, IdType = ConnectingIdType.SmtpAddress },
};
I read somewhere that the System.ServiceModel.ServiceSecurityContext.Current.WindowsIdentity object will have the current user under which the service is running. However, the System.ServiceModel.ServiceSecurityContext.Current context is null in my case.
How do I get the service account's credentials (without hardcoding it in the code) and pass it to EWS? Please let me know if you need more details.
Edit: In IIS 7.5, I have created a separate app pool running under the impersonating AD user's identity, and configured my WCF service to run in this app pool. Still can't get the service credentials.
Thanks in advance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
除非您的 WebService 在 Exchange 机器上运行,否则您需要配置 Kerberos。 NTLM 不允许凭据委派。
另一种选择是切换到使用 SSL 保护的基本身份验证。但这意味着在客户端应用程序中失去单点登录。
Unless your WebService runs on the Exchange box, you'll need to configure Kerberos. NTLM does not allow credential delegation.
Another option is to switch to Basic authentication secured with SSL. But this means to loose single sign on in your client application.