
Kerberos to Exchange Web Services

http://social.technet.microsoft.com/Forums/office/en-US/6fb7d781-e953-4bb4-888c-e3c012e69c1f/web-services-managed-api?forum=exchangesvrdevelopment

Hey,

I have an ASP.NET web site, which is on a dedicated IIS 7.5 server.  The web site has Windows Authentication and I would like to use Exchange Web Services API, using the currently logged in user.  I believe I am having a 'double hop issue' with NTLM:

Client PC > IIS Server > Exchange Server

I do exactly this to SQL databases:

Client PC > IIS Server > SQL Server

With SQL, I set it up to use a domain user account for the SQL service, enabled delegation on the IIS computer account, and set the SPNs for the SQL domain user account.  This makes Kerberos work fine and I can access the SQL database from the IIS server as the currently logged in user.

I cannot for the life of me get this working for Exchange Web Services.  I have been through the process of setting up Kerberos on Exchange (http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx) but this does not work for me.

Inspecting the EWS logs, it's trying to connect as domain\IIS computer account, so domain\SEV-WEB01$.  This stinks of double hop.

I tried using a domain account for the Application Pool Identity in IIS. Doesn't work either.

To mimic the SQL setup exactly, I would say the EWS service (if there is one) would need a domain account with SPNs set up, but this doesn't seem possible (just for the EWS service).

As you may have seen from the thread I linked to at the top, the only way it seems possible is to use Classic Pipeline mode in IIS along with Impersonation.

My understanding is that Kerberos and Impersonation are entirely different, and Kerberos DOES NOT NEED Impersonation to work, which would seem correct as Kerberos from IIS to SQL works without it.

Any ideas?

Thanks

