CDOEXM.CreateMailbox -- Catastrophic failure...

Post by Michael J. Pa » Thu, 03 Jul 2003 22:40:07



OS: Windows 2003.
Exchange Server: 2000 and 2003.
Development platform: Visual Studio 2003.
Application: VB asp.net Web application.

ISSUE:

An Asp.net Web application previously developed (and working) under
Windows 2000/Visual Studio 2000 using CDOEXM to create user mailboxes
now reports the following error when calling the CDOEXM.CreateMailbox
method:

Catastrophic failure
Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.

Exception Details: System.Runtime.InteropServices.COMException:
Catastrophic failure

The code used is directly from the MSDN examples for mailbox-enabling
AD users using ADSI.
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/...).

The project is configured to impersonate a user with full
administrative rights to the domain as well as the Exchange servers.
This user can create a mailbox using the MMC console.

I've tried using the CDOEXM dll from the Exchange 2000 CD and from the
Exchange 2003 Beta download. I've also tried adding a mailbox to the
2000 Exchange server as well as the 2003 Exchange server. The domain
has been forest prepped and domain prepped, but is still a 2000
domain. The Exchange 2003 forestprep and domainprep were run, and the
Exchange 2003 System Management Tools is loaded on the development
machine.

Are there some new permission issues that I'm overlooking? Is CDOEXM
compatible with the Windows 2003 AD? Any other ideas?

M

 
 
 

CDOEXM.CreateMailbox -- Catastrophic failure...

Post by Fabio Pintos [MSFT] » Tue, 08 Jul 2003 15:08:37


From what I understand your application breaks when going from w2k to w2003,
nothing else changes, right?
I believe the issue is a change in the AD security - see if this makes sense
to you and keep in mind I may be wrong about it:

When you impersonate a user the thread does not have permissions to "go out
of the box" - the program cannot do a remote call to another server on your
behalf. This is to prevent a malicious server from impersonating a user and
then going off to other servers and doing bad things. The most one can do is
try to connect to another server anonymously (i.e., for the second server,
the first one would look as "Everyone" instead of the user that started the
request).

If I remember correctly, in w2k one could query the global catalog
anonymously. We do that during CreateMailbox in order to assign the mailbox
a unique legacyExchangeDN. Your application worked fine because it hit the
GC as Everyone and it was granted read access. However, you will agree that
this may be a security problem as anyone could read the info. Windows 2003
removed that so only authenticated users can connect. Now your application
fails because CDOEXM fails to get a unique legacyExchangeDN for the mailbox
since we don't have a way to check for uniqueness.

You can grant Everyone permissions to read everything and check if this is
the case. If it is, and you run your app as some privileged account or local
system, revert the impersonation while you call CDOEXM and then switch back
to the user token when you're done. The computer account should be able to
read the AD for CDOEXM to succeed. I know, it's *.

--
-Fabio Pintos

--------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias.
This alias is for newsgroup purposes only.
--------------------------------------------------------------------

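The revert-then-re-impersonate pattern Fabio describes, written out as an added VB.NET example for an ASP.NET 1.1 page. This is not code from either post, nor from Microsoft's CDOEXM samples. It assumes web.config has `<identity impersonate="true" />` (so the request thread carries the caller's token, as in the original poster's setup), that the ASP.NET worker process runs as an account with the AD read and Exchange admin rights Fabio lists, that the CDOEXM and ActiveDs interop assemblies are referenced, and the parameter names `userLdapPath` and `homeMdbUrl` are hypothetical.

```vbnet
Imports System
Imports System.Runtime.InteropServices
Imports System.Security.Principal

' Added example, not from the thread. Assumes ASP.NET impersonation is on,
' the worker process account can read AD/GC and administer the Exchange
' server, and the CDOEXM/ActiveDs interop assemblies are referenced.
Public Class MailboxProvisioner

    ' Mailbox-enable an existing AD user while temporarily running as the
    ' process identity instead of the impersonated caller.
    Public Shared Sub CreateMailboxAsProcess(ByVal userLdapPath As String, _
                                             ByVal homeMdbUrl As String)
        ' Who the request was running as; useful in the error message.
        Dim caller As String = WindowsIdentity.GetCurrent().Name

        ' Impersonate(IntPtr.Zero) reverts the thread to the process token.
        ' Keep this window as small as possible: everything inside it runs
        ' with the worker process's privileges, not the caller's.
        Dim ctx As WindowsImpersonationContext = WindowsIdentity.Impersonate(IntPtr.Zero)
        Try
            ' ADSI bind, e.g. "LDAP://CN=jdoe,OU=Users,DC=example,DC=com"
            ' (hypothetical path).
            Dim adsUser As ActiveDs.IADs = CType(GetObject(userLdapPath), ActiveDs.IADs)

            ' CDOEXM extends the ADSI user object with IMailboxStore.
            Dim store As CDOEXM.IMailboxStore = CType(adsUser, CDOEXM.IMailboxStore)

            ' homeMdbUrl is the LDAP path of the target mailbox store.
            ' CDOEXM assigns the unique legacyExchangeDN here, which is the
            ' step that needs the GC query Fabio describes.
            store.CreateMailbox(homeMdbUrl)

            ' Nothing is written until SetInfo commits the change to AD.
            adsUser.SetInfo()
        Catch ex As COMException
            ' HRESULT 0x8000FFFF (E_UNEXPECTED) is what the runtime renders as
            ' "Catastrophic failure"; surface the code and the caller so the
            ' failure is diagnosable instead of a bare unhandled exception.
            Throw New ApplicationException( _
                String.Format("CreateMailbox failed for {0} (caller {1}, HRESULT 0x{2:X8})", _
                              userLdapPath, caller, ex.ErrorCode), ex)
        Finally
            ' Always restore the caller's token, even when CDOEXM throws;
            ' a pooled thread left holding the process token is a privilege
            ' escalation for whatever request runs on it next.
            ctx.Undo()
        End Try
    End Sub
End Class
```

The trade-off to be aware of: once you revert, the authorization check on CreateMailbox is against the worker process account, not the web user, so the application itself must decide which users may provision mailboxes and for whom. Give that process account only the rights CreateMailbox needs rather than running the whole site as LocalSystem, and keep the reverted region limited to the CDOEXM call and the SetInfo that commits it.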