Channel: SharePoint 2013 - Development and Programming forum

Accessing Exchange Web-services from SharePoint 2013

Hello!

Our customer wants to have a functionality that requires accessing Exchange (namely meetings calendar) from SharePoint to perform some actions. Since they're using claims authentication in SP (it's not an option to turn it off) my understanding is that Kerberos delegation should be set up correctly in the domain and in order to authenticate in Exchange Web-services I need to use Claims to Windows token service to pass the user's credentials.

I'm currently experimenting with the code and domain settings in my dev environment but can't get it all to work. So far I have done the following:

  1. Set up Exchange 2010 (basic installation, all components on one VM) and created SPNs (a computer account since Exchange Web-services run under Local System):
    HTTP/exch - DOMAIN\exch$
    HTTP/exch.domain.local - DOMAIN\exch$
  2. Verified that Kerberos is working when accessing EWS by writing a console application that sends an email message - the message is successfully sent and Windows security log shows that Kerberos is used.
  3. Created a domain user account to be used by C2WTS and set SPN for it:
    C2WTS/spwfe - DOMAIN\sp_c2wts
    C2WTS/spwfe.domain.local - DOMAIN\sp_c2wts
  4. Enabled constrained delegation with protocol transitioning for sp_c2wts by delegating to HTTP/exch and HTTP/exch.domain.local (although in most of the articles I've read it's said that it doesn't matter to which SPN you set the delegation since it's needed only to allow the service to successfully create Kerberos tokens).
  5. Created SPNs for the SharePoint Web-application pool account ("spwfe" is the physical name of the WFE server, "portal" is the name through which SharePoint is accessed by the users, it's an A record in the DNS):
    HTTP/spwfe - DOMAIN\sp_pool_web
    HTTP/spwfe.domain.local - DOMAIN\sp_pool_web
    HTTP/portal - DOMAIN\sp_pool_web
    HTTP/portal.domain.local - DOMAIN\sp_pool_web
  6. Enabled constrained delegation with protocol transitioning for DOMAIN\sp_pool_web to the C2WTS and Exchange HTTP SPNs
  7. Verified that Kerberos is used when users access SharePoint site (Windows security log confirms it).

Now I'm trying to make it all work together by sending an email message (the code is the same as with the console application, plus the impersonation), but it doesn't work at all. The code is:

SPSecurity.RunWithElevatedPrivileges(delegate()
{
    //upn is a string containing user principal name
    WindowsIdentity windowsIdentity = Microsoft.IdentityModel.WindowsTokenService.S4UClient.UpnLogon(upn);

    using (var impersonationCtx = windowsIdentity.Impersonate())
    {
        // Dummy certificate validation
        ServicePointManager.ServerCertificateValidationCallback = CertificateValidationFunction;

        var exchSvc = new ExchangeService(ExchangeVersion.Exchange2010);
        // tried it with exchSvc.Credentials = CredentialCache.DefaultNetworkCredentials
        // the same result
        exchSvc.UseDefaultCredentials = true;
        exchSvc.Url = new Uri("https://exch.domain.local/EWS/Exchange.asmx");

        var message = new Microsoft.Exchange.WebServices.Data.EmailMessage(exchSvc);
        message.Subject = "Test Kerberos auth";
        message.Body = "This is a test message";
        message.ToRecipients.Add("TestUser", "test_user@domain.local");
        message.SendAndSaveCopy();
    }
});

On SendAndSaveCopy I always get 401 from EWS, and looking at the security log on the Exchange VM shows that the access was attempted with NTLM and as NT AUTHORITY\ANONYMOUS LOGON (if I comment out the impersonation then the access is performed as sp_pool_web account using Kerberos).

So, the question is: where is the error that prevents it all from working - in the code or in the domain setup?

Or maybe I'm trying to achieve the unachievable and the required actions can not be done? :-)
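
One way to compare the delegation settings listed in steps 3 to 6 with what Active Directory actually holds, as an added example that is not part of the original post. The function names `Test-DelegationConfig` and `Find-DuplicateSpn` are hypothetical, the sample records are constructed (one delegation target is left out on purpose so the check has something to report), and the duplicate-SPN check goes beyond what the post describes.

```powershell
# Added example: function names are hypothetical; account and SPN names come from the post.
# Expected constrained-delegation targets per account (steps 4 and 6).
$expected = @{
    'sp_c2wts'    = @('HTTP/exch', 'HTTP/exch.domain.local')
    'sp_pool_web' = @('HTTP/exch', 'HTTP/exch.domain.local',
                      'C2WTS/spwfe', 'C2WTS/spwfe.domain.local')
}

function Test-DelegationConfig {
    param([object[]] $Accounts, [hashtable] $Expected)
    foreach ($acct in $Accounts) {
        $want = $Expected[$acct.SamAccountName]
        if (-not $want) { continue }
        $have    = @($acct.'msDS-AllowedToDelegateTo')
        # -notcontains compares case-insensitively, as SPN matching does
        $missing = @($want | Where-Object { $have -notcontains $_ })
        # Set when "Use any authentication protocol" (protocol transition) is selected
        $s4u     = [bool]$acct.TrustedToAuthForDelegation
        [pscustomobject]@{
            Account            = $acct.SamAccountName
            ProtocolTransition = $s4u
            MissingTargets     = $missing -join ', '
            Pass               = ($s4u -and ($missing.Count -eq 0))
        }
    }
}

function Find-DuplicateSpn {
    # An SPN registered on more than one account cannot be resolved to a single principal.
    param([object[]] $Accounts)
    $pairs = foreach ($a in $Accounts) {
        foreach ($spn in $a.ServicePrincipalNames) {
            [pscustomobject]@{ Spn = $spn.ToLower(); Account = $a.SamAccountName }
        }
    }
    $pairs | Group-Object Spn | Where-Object Count -gt 1
}

# Constructed sample records. In a domain, load the real ones instead:
#   $accounts = 'sp_c2wts','sp_pool_web' | ForEach-Object { Get-ADUser $_ -Properties `
#       ServicePrincipalNames,TrustedToAuthForDelegation,'msDS-AllowedToDelegateTo' }
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'sp_c2wts'; TrustedToAuthForDelegation = $true
        ServicePrincipalNames      = @('C2WTS/spwfe', 'C2WTS/spwfe.domain.local')
        'msDS-AllowedToDelegateTo' = @('HTTP/exch', 'HTTP/exch.domain.local') }
    [pscustomobject]@{ SamAccountName = 'sp_pool_web'; TrustedToAuthForDelegation = $true
        ServicePrincipalNames      = @('HTTP/spwfe', 'HTTP/spwfe.domain.local', 'HTTP/portal', 'HTTP/portal.domain.local')
        'msDS-AllowedToDelegateTo' = @('HTTP/exch', 'HTTP/exch.domain.local', 'C2WTS/spwfe') }
)
Test-DelegationConfig -Accounts $accounts -Expected $expected | Format-Table -AutoSize
Find-DuplicateSpn -Accounts $accounts | Format-Table Name, Count -AutoSize
```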