Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Security issues with MAPI

0 views
Skip to first unread message

Jeff McKay

unread,
Nov 30, 2009, 4:56:31 PM11/30/09
to
I've got a MAPI application that is intended to access various
accounts on an Exchange server. We tell customers to create a
"service account" that has Receive-As and Send-As privs so that
we can do this. The customer logs on to the network using this account
and it works fine.

So now I've got another customer who is not quite willing to do this.
They can create the account, but the workstation running our application
must log on using a standard user account. They want our software
to "impersonate" the service account (assuming of course, that we have
the password for it). Our software actually gets spawned by a
master scheduling facility, so my thought was that I would do this by
using the API CreateProcessWithLogonW(). This call works, in that
it accepts the service account credentials and runs the MAPI app,
but then the MAPI code fails, with OpenMsgStore() returning
MAPI_E_UNCONFIGURED. (When logged in using the serivce account, the
same code works fine).

Would I need to use LogonUser() and/or ImpersonateLoggedOnUser() to
accomplish what I need? I would think this basically does the same
thing that CreateProcessWithLogonW() does.

Dmitry Streblechenko

unread,
Nov 30, 2009, 9:06:49 PM11/30/09
to
CreateProcessWithLogonW is much better than ImpersonateLoggedOnUser.
Does that user have any local rights? Was it added to the list of local
users?

--
Dmitry Streblechenko (MVP)
http://www.dimastr.com/
OutlookSpy - Outlook, CDO
and MAPI Developer Tool
-
"Jeff McKay" <jeff....@comaxis.com> wrote in message
news:_bCdnZ-Wrsw1oonW...@supernews.com...

Jeff McKay

unread,
Nov 30, 2009, 11:32:55 PM11/30/09
to
What user are you asking about - the service account, or the standard
account? What local rights would it need,
and what list of local users are you referring to?

"Dmitry Streblechenko" <dmi...@dimastr.com> wrote in message
news:ea9S$ticKH...@TK2MSFTNGP04.phx.gbl...

Dmitry Streblechenko

unread,
Dec 1, 2009, 12:30:02 PM12/1/09
to

The accoun that you specify in the call to CreateProcessWithLogonW.
That user would at least need some rights to access the registry, network,
etc.
By the list of local users I mean the "User Accounts" Control Panel applet.

--
Dmitry Streblechenko (MVP)
http://www.dimastr.com/
OutlookSpy - Outlook, CDO
and MAPI Developer Tool
-
"Jeff McKay" <jeff....@comaxis.com> wrote in message

news:hdSdnWjnduoMAYnW...@supernews.com...

0 new messages