Symantec Email Submission Client (SESC) does not process email spam submission when missing Exchange impersonation rights

Article:TECH192597  |  Created: 2012-07-09  |  Updated: 2013-10-26  |  Article URL http://www.symantec.com/docs/TECH192597
Article Type
Technical Solution


Issue



There are spam submissions in the SESC spam submission folder.  The spam submissions stay in the submission folder and are not processed by SESC. The SESC console does not increase the Failed counter.  This counter is displayed at the top of the SESC console.

Conditions

  • SESC debug logs contain the following error message:

[::]2012-07-09 07:21:43,583, [26], ERROR, Symantec.Submission.Exchange.Client.ExchangeItem, Microsoft.Exchange.WebServices.Data.ServiceResponseException: The server to which the application is connected cannot impersonate the requested user due to insufficient permission.

See the following article for details on the SESC debug logs: How to Obtain Debug logs for Symantec Email Submission Client (SESC).

  • SESC service account does not have Exchange impersonation permission

Exchange 2007

1. Open the Exchange Management Shell.
2. Run the following Powershell command:

get-adpermission -id <casserver> | where {$_.ExtendedRights -like "ms-Exch-EPI-Impersonation" } | ft -autosize

where <casserver> is the name of the CAS server used by SESC.  The following is an example where the CAS server is CAS01:

get-adpermission -id cas01 | where {$_.ExtendedRights -like "ms-Exch-EPI-Impersonation" } | ft -autosize

If the result output does not contain a "Deny" false rights then this condition is met.  The following is an example where the SESC service account does not have permissions:

Identity    User                                              Deny Inherited Rights
--------    ----                                              ---- --------- ------
EXMB1       EXCHANGE2007\Domain Admins                        True True      ms-Exch-EPI-Impersonation
EXMB1       EXCHANGE2007\Schema Admins                        True True      ms-Exch-EPI-Impersonation
EXMB1       EXCHANGE2007\Enterprise Admins                    True True      ms-Exch-EPI-Impersonation
EXMB1       EXCHANGE2007\Exchange Organization Administrators True True      ms-Exch-EPI-Impersonation
EXMB1\EXMB1 EXCHANGE2007\Domain Admins                        True True      ms-Exch-EPI-Impersonation
EXMB1\EXMB1 EXCHANGE2007\Schema Admins                        True True      ms-Exch-EPI-Impersonation
EXMB1\EXMB1 EXCHANGE2007\Enterprise Admins                    True True      ms-Exch-EPI-Impersonation
EXMB1\EXMB1 EXCHANGE2007\Exchange Organization Administrators True True      ms-Exch-EPI-Impersonation  

 

 The following output shows when the SESC account has impersonation permission:

 

Identity                User                                              Deny  Inherited Rights
--------                ----                                              ----  --------- ------
EXCHANGECAS             EXCHANGE2007\administrator                        False False     ms-Exch-EPI-Impersonation
EXCHANGECAS             EXCHANGE2007\Domain Admins                        True  True      ms-Exch-EPI-Impersonation
EXCHANGECAS             EXCHANGE2007\Schema Admins                        True  True      ms-Exch-EPI-Impersonation
EXCHANGECAS             EXCHANGE2007\Enterprise Admins                    True  True      ms-Exch-EPI-Impersonation
EXCHANGECAS             EXCHANGE2007\Exchange Organization Administrators True  True      ms-Exch-EPI-Impersonation
EXCHANGECAS\EXCHANGECAS EXCHANGE2007\administrator                        False True      ms-Exch-EPI-Impersonation
EXCHANGECAS\EXCHANGECAS EXCHANGE2007\Domain Admins                        True  True      ms-Exch-EPI-Impersonation
EXCHANGECAS\EXCHANGECAS EXCHANGE2007\Schema Admins                        True  True      ms-Exch-EPI-Impersonation
EXCHANGECAS\EXCHANGECAS EXCHANGE2007\Enterprise Admins                    True  True      ms-Exch-EPI-Impersonation
EXCHANGECAS\EXCHANGECAS EXCHANGE2007\Exchange Organization Administrators True  True      ms-Exch-EPI-Impersonation


Cause



The SESC service account needs Exchange impersonation permisssion to function.


Solution



Provide Exchange impersonation permission for the SESC service account.  See the following article for details: About impersonation rights.

 

 




Article URL http://www.symantec.com/docs/TECH192597


Terms of use for this information are found in Legal Notices