Archive for July, 2013

July 14, 2013

The dilemma of Double-Hop Dogma

Was wondering about the subject of the post which i am going to write. okay fine and its Double Hop Dogma. This is related to Exchange Web Services API. you can download the API from this link. Let me explain what happened. There was a requirement raised due to the fact that we cant view OWA websites (Outlook Webmail) inside an IFRAME. When we used the OWAInputWebPart the owa site used to display within the ifram of the OWAInputWebPart. Hence there was an exception saying that it cannot be displayed within IFRAME. So as a solution we had to develop our own custom web part to view the inbox emails.

Initially i was playing around with a single mail box and was able to fetch the mails without any problem. I refered this MSDN article for my reference.

binding.Credentials = new NetworkCredential("userid", "password", "domain");

So the above code works fine and was able to read the emails. As the next step the requirement was to read the emails based on the currently logged in user in Share Point. So started working on a new web part for this.

as per the link it says that…

If you want to connect to EWS from a computer that is logged on to the domain, using the credentials of the authenticated user, set the UseDefaultCredentials property on the ExchangeService object to true.

// Connect by using the default credentials of the authenticated user.
service.UseDefaultCredentials = true;

i kept trying the above code to work but unfortunately it didn’t work. I spent full whole day trying on this. I searched on the web and found the blog post about the double hop dogma. it says “The user who’s browsing the application from a client machine passes his credentials to the IIS server, i.e. the credentials of the user hop from the client to the IIS server. Subsequent to that, when the IIS application executes EWS calls, it is supposed to pass those same credentials to the Exchange server, to authenticate the logged on user. This works fine in the ideal scenario, and falters in alternative scenarios.”

They have mentioned following scenarios related to the above sentence as below:

Ideal scenario: Kerberos authentication method is being used within the organization
Frequent Scenarios: The non-ideal scenario is not being observed, i.e. NTLM might be the active authentication mechanism, or Kerberos could be failing and the application falls back on attempting authentication via NTLM which would eventually fail in a double-hop situation.”

In my case when i checked the active directory structure on the client site, i learnt that they are not using the Kebreros authentication instead they are using the NTLM authentication on AD.

So i came across the blog post : Need a way to authenticate to Exchange Web Services and based on the fact which explains that: “Create a service account that has either impersonation rights or delegate access over the employee mailboxes. Then log in as the service account.” I advised the network administrator to create a service account for me. Uplon creating the account i resumed my work as usual.

// Setup connection string
ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2013);
service.Credentials = new NetworkCredential("superadmin", "password", "domain");

Impersonating the service using a difference user id.

// Impersonation
service.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, "useremail1@domain.com");

In this place i was able to get the currently logged in user by executing the following code

HttpContext.Current.User.Identity.Name.ToString()

Finally was able to retrieve mail details as below:

SearchFilter searchFilter = new SearchFilter.SearchFilterCollection(LogicalOperator.And, new SearchFilter.IsEqualTo(EmailMessageSchema.IsRead, false));

var inbox = new FolderId(WellKnownFolderName.Inbox);
var iv = new ItemView(9999);

FindItemsResults<Item> findResults = service.FindItems(inbox, searchFilter, iv);

if (findResults.Items.Count > 0)
{
foreach (Item item in findResults.Items)
{
mailboxDetails a = new mailboxDetails();
a.Subject = item.Subject;
}
}

Refer example post here by Jens Willmer.

Please refer the following articles to understand about Exchange Impersonation:

Delegate Access with Exchange Web Services

Exchange Impersonation vs. Delegate Access

The thread i posted on MSDN

Threads which was posted by others:

Exchange Web Services (EWS), GetItem() call produces AccessDenied error

ServiceRequestException Message : Request failed. The remote server returned an error: (401) Unauthorized

Exchange Web Services: UseDefaultCredentials property

please refer some samples related to the Exchange Web Services through this link.

Exchange Tutorial Part 1 – Impresonated Exchange Service Binding

Advertisements