I'm using Exchange Web Services to Find, Create, Update, and Delete appointments from the calendars for one or more people. The application would be used by a manager to view employees' vacation time, as well as assign appointments based on availability.
In order for this to all work, an authenticated user's credentials must be sent to the web service. So far, the two methods that I have found that would allow for this are 1) passing in the username and password of each user and 2) impersonating a user to use DefaultCredentials. The DefaultCredentials option doesn't work for us because we do not allow impersonating users.
Does anyone know another way?
To use OAuth with your application you will need to: (1) register your application with Azure Active Directory; (2) add code to get an authentication token from a token server; (3) add the authentication token to the EWS requests that you send.
Modern Auth (OAuth authentication) for EWS is only available in Exchange Online as part of Office 365. EWS applications using OAuth require the "Full access to users' mailbox" permission to work. Full Mailbox Access is, therefore, the only permission type that can be granted for EWS applications.
Note - Exchange Server supports the Kerberos authentication protocol and NTLM for authentication. The Kerberos protocol is the more secure authentication method and is supported on Windows 2000 Server and later versions.
The email client sends the username and password to Exchange Online. Note: When Basic authentication is blocked, it's blocked at this step. Exchange Online sends the username and password to Azure Active Directory. Azure Active Directory returns a user ticket to Exchange Online and the user is authenticated.
Are there company policy restrictions preventing you from using impersonation? Are you referring to Windows impersonation or Exchange impersonation?
Depending on which impersonation you cannot use, an alternative might be delegate access.
If the goal is to let a manager view multiple mailboxes, here are some options:
(1) Grant delegate access to the employee mailboxes to the manager. Depending on the level of delegate access, this would allow the manager to view the employee mailboxes and edit as needed. There is one caveat about this approach: depending on what/how the access is granted, the delegate (employee) could remove the access and stop the manager from viewing their calendars.
For authentication using delegate access, assuming the application using web services was running under the manager's context, you should be able to use DefaultCredentials.
(2) Create a service account that has either impersonation rights or delegate access over the employee mailboxes. Then log in as the service account.
As well, here are some links you might find useful...
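As an added example (not code from the question or from any of the answers above), here is how the two options in this answer map onto the EWS Managed API, with the Exchange Online case taking an OAuth token from Azure AD as the OAuth note earlier describes instead of sending a user's password. The library calls are the EWS Managed API (Microsoft.Exchange.WebServices) and MSAL (Microsoft.Identity.Client); the tenant id, client id, secret, and mailbox addresses are placeholders, and the delegate access or ApplicationImpersonation grant is assumed to be configured already.

```csharp
// Added example: reading employees' calendars through EWS without handling their passwords.
// Assumes the EWS Managed API and MSAL NuGet packages; all ids and addresses are placeholders.
using System;
using System.Threading.Tasks;
using Microsoft.Exchange.WebServices.Data;
using Microsoft.Identity.Client;

public static class ManagerCalendarReader
{
    // Placeholder values for the application registered in Azure AD (assumed, not from the page).
    const string TenantId     = "<tenant-id>";
    const string ClientId     = "<application-client-id>";
    const string ClientSecret = "<client-secret-loaded-from-a-secret-store>";

    // Option (1), on-premises: the app runs under the manager's own Windows context and
    // relies on delegate access granted on the employee calendars.
    static ExchangeService CreateDelegateService(string managerSmtp)
    {
        var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1)
        {
            UseDefaultCredentials = true   // the manager's logged-on identity, no password in code
        };
        // Only follow HTTPS redirections returned by Autodiscover.
        service.AutodiscoverUrl(managerSmtp, url => url.StartsWith("https://", StringComparison.OrdinalIgnoreCase));
        return service;
    }

    // Client-credentials flow: the app obtains its own token; no user password is collected.
    static async Task<string> GetEwsAccessTokenAsync()
    {
        var app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{TenantId}"))
            .Build();
        // Requests the application permission ("full access to users' mailbox") granted at registration.
        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { "https://outlook.office365.com/.default" })
            .ExecuteAsync();
        return result.AccessToken;
    }

    // Option (2), Exchange Online: a service account/app with impersonation rights acts as the employee.
    static ExchangeService CreateImpersonationService(string accessToken, string employeeSmtp)
    {
        var service = new ExchangeService(ExchangeVersion.Exchange2013_SP1)
        {
            Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx"),
            Credentials = new OAuthCredentials(accessToken)   // bearer token instead of WebCredentials(user, pwd)
        };
        service.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, employeeSmtp);
        // Routing hint so Exchange Online reaches the impersonated mailbox directly.
        service.HttpHeaders.Add("X-AnchorMailbox", employeeSmtp);
        return service;
    }

    // Lists the employee's appointments in a date window; works for both service variants
    // because the calendar folder is addressed explicitly by mailbox.
    static void ListVacation(ExchangeService service, string employeeSmtp, DateTime from, DateTime to)
    {
        var calendar = new FolderId(WellKnownFolderName.Calendar, new Mailbox(employeeSmtp));
        var view = new CalendarView(from, to, 100)
        {
            PropertySet = new PropertySet(AppointmentSchema.Subject, AppointmentSchema.Start, AppointmentSchema.End)
        };
        FindItemsResults<Appointment> results = service.FindAppointments(calendar, view);
        foreach (Appointment appt in results)
            Console.WriteLine($"{employeeSmtp}: {appt.Subject} {appt.Start:d} - {appt.End:d}");
    }

    public static async Task Main()
    {
        DateTime from = DateTime.Today;
        DateTime to   = DateTime.Today.AddDays(30);

        // Delegate-access path (on-premises, manager's own identity).
        ExchangeService asManager = CreateDelegateService("manager@contoso.example");
        ListVacation(asManager, "employee1@contoso.example", from, to);

        // Impersonation path (Exchange Online, OAuth app token).
        string token = await GetEwsAccessTokenAsync();
        ExchangeService asEmployee = CreateImpersonationService(token, "employee2@contoso.example");
        ListVacation(asEmployee, "employee2@contoso.example", from, to);
    }
}
```

Which of the two constructors applies depends on the deployment: the delegate path needs no token and no stored secret, but an employee can revoke the delegate grant as the answer warns; the impersonation path keeps a single client secret that must be protected, and the token carries full mailbox access, so scope the app registration and its secret storage accordingly.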