Exchange 2010 Impersonation trouble when requesting a User's Calendar Availability Details

I'm working on a project where an external application is trying to get the availability info (Free/busy) along with the details (Location/Subject/etc) for a group of users in Exchange 2010.
I've read enough that I think that the best way to do this is through a service account run by the application that impersonates the user in question and pulls back their calendar information.
I've set up impersonation for the service account and run the basic test that I found on TechNet: http://msdn.microsoft.com/en-us/library/bb204088(v=exchg.140).aspx
This works for pulling back the mailbox folder (as the example) and if I try to pull back the calendar folder.
I also found how to get availability via TechNet:
http://msdn.microsoft.com/en-us/library/aa563800(v=exchg.140).aspx
which will also work if I log in as the user that I'm trying to find the calendar info for.
The problem comes when I try to combine the impersonation XML with the get availability. Here is what I have for the two combined:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<soap:Header>
<t:ExchangeImpersonation>
<t:ConnectingSID>
<t:PrincipalName>[usersname@myorg.org]</t:PrincipalName>
</t:ConnectingSID>
</t:ExchangeImpersonation>
</soap:Header>
<soap:Body>
<GetUserAvailabilityRequest xmlns="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<t:TimeZone xmlns="http://schemas.microsoft.com/exchange/services/2006/types">
<Bias>300</Bias>
<StandardTime>
<Bias>0</Bias>
<Time>02:00:00</Time>
<DayOrder>1</DayOrder>
<Month>11</Month>
<DayOfWeek>Sunday</DayOfWeek>
</StandardTime>
<DaylightTime>
<Bias>-60</Bias>
<Time>02:00:00</Time>
<DayOrder>2</DayOrder>
<Month>3</Month>
<DayOfWeek>Sunday</DayOfWeek>
</DaylightTime>
</t:TimeZone>
<MailboxDataArray>
<t:MailboxData>
<t:Email>
<t:Address>[usersname@myorg.org]</t:Address>
</t:Email>
<t:AttendeeType>Required</t:AttendeeType>
<t:ExcludeConflicts>false</t:ExcludeConflicts>
</t:MailboxData>
</MailboxDataArray>
<t:FreeBusyViewOptions>
<t:TimeWindow>
<t:StartTime>2011-07-28T00:00:00</t:StartTime>
<t:EndTime>2011-07-28T23:59:59</t:EndTime>
</t:TimeWindow>
<t:MergedFreeBusyIntervalInMinutes>5</t:MergedFreeBusyIntervalInMinutes>
<t:RequestedView>DetailedMerged</t:RequestedView>
</t:FreeBusyViewOptions>
</GetUserAvailabilityRequest>
</soap:Body>
</soap:Envelope>
What I get back is this:
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<s:Fault>
<faultcode xmlns:a="http://schemas.microsoft.com/exchange/services/2006/types">a:ErrorProxyRequestNotAllowed</faultcode>
<faultstring xml:lang="en-US">Client context header found but no request type found in SOAP header.</faultstring>
<detail>
<m:ErrorCode xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">5015</m:ErrorCode>
</detail>
</s:Fault>
</s:Body>
</s:Envelope>
Digging around a little more in TechNet, the ErrorProxyRequestNotAllowed info:
"This error indicates that the request that Exchange Web Services sent to another Client Access server when trying to fulfill a GetUserAvailability request was invalid. This response code typically indicates that a configuration or rights error has occurred, or that someone tried unsuccessfully to mimic an availability proxy request."
What I'm having trouble with is how impersonation seems to be working in the cases where I'm pulling back the user's mail and calendar folders, but not working for the case where I want to check their availability.
Right now, I'm just sending the straight XML via curl (wrapped in a little Python script).
Anyone have any pointers? Thanks in advance!

I finally found a few (old) references that this is a known feature/bug with GetUser[blank]Request style calls and Impersonation.
The two just do not work together. I hope this saves someone a little time.
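
The combination reported in this thread can be caught before a request is sent, and the resulting fault can be decoded into its fields. This is an added example, not code from the original posts; the `GetUser\w*Request` pattern is derived from the answer's wording, and the two sample envelopes are constructed from the XML in the question with a placeholder address.

```python
import re
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
TYPES = "http://schemas.microsoft.com/exchange/services/2006/types"
MESSAGES = "http://schemas.microsoft.com/exchange/services/2006/messages"
# Pattern taken from the answer's wording: "GetUser[blank]Request style calls".
GETUSER_CALL = re.compile(r"^GetUser\w*Request$")

# Constructed samples modelled on the request and fault shown in the question.
REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:t="{TYPES}">
<soap:Header><t:ExchangeImpersonation><t:ConnectingSID>
<t:PrincipalName>user@example.org</t:PrincipalName>
</t:ConnectingSID></t:ExchangeImpersonation></soap:Header>
<soap:Body><GetUserAvailabilityRequest xmlns="{MESSAGES}"/></soap:Body>
</soap:Envelope>"""
FAULT = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body><s:Fault>
<faultcode xmlns:a="{TYPES}">a:ErrorProxyRequestNotAllowed</faultcode>
<faultstring>Client context header found but no request type found in SOAP header.</faultstring>
<detail><m:ErrorCode xmlns:m="{MESSAGES}">5015</m:ErrorCode></detail>
</s:Fault></s:Body></s:Envelope>"""


def preflight(envelope_xml):
    """Warn if ExchangeImpersonation is paired with a GetUser*Request body."""
    root = ET.fromstring(envelope_xml)
    imp = root.find(f"{{{SOAP}}}Header/{{{TYPES}}}ExchangeImpersonation")
    body = root.find(f"{{{SOAP}}}Body")
    if imp is None or body is None or len(body) == 0:
        return None
    op = body[0].tag.rsplit("}", 1)[-1]  # local name without the namespace
    if not GETUSER_CALL.match(op):
        return None
    who = imp.findtext(f".//{{{TYPES}}}PrincipalName", default="?").strip()
    return f"{op} sent with ExchangeImpersonation for {who}"


def parse_fault(response_xml):
    """Return faultcode, faultstring and EWS ErrorCode of a SOAP fault, or None."""
    fault = ET.fromstring(response_xml).find(f"{{{SOAP}}}Body/{{{SOAP}}}Fault")
    if fault is None:
        return None
    return {
        "code": fault.findtext("faultcode", default="").split(":", 1)[-1],
        "message": fault.findtext("faultstring", default=""),
        "error_code": fault.findtext(f"detail/{{{MESSAGES}}}ErrorCode"),
    }
```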

LinkedIn API stopped functioning in Salesforce

We had built widgets for LinkedIn in Salesforce (Force.Com) Enterprise Version Environment using their API, which stopped working some time ago. It is causing major inconvenience for the affected users. Kindly share if a similar issue has been noticed at your end, and a fix for it.
Here are the steps we have performed to date:
After achieving successful authentication using OAuth 2.0, we are using “people search” for the LinkedIn search functionality.
Response we were getting when we were making a GET request for the people search API:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error>
<status>403</status>
<timestamp>1433254195523</timestamp>
<request-id>PY4LJUNDOX</request-id>
<error-code>0</error-code>
<message>Access to people search denied.</message>
</error>
Starting from May 12, 2015, LinkedIn has limited the open APIs.
Access to Groups requires that you apply for and are granted access to this information from LinkedIn.
The following endpoints are available for general use:
Profile API — /v1/people/~
Share API — /v1/people/~/shares
Companies API — /v1/companies/{id}
If your application is currently using any other API services (e.g. Connections, Groups, People Search, Invitation, Job Search, etc.) you will have to apply to become a member of a relevant Partner Program that provides the necessary API access to continue to leverage any of the endpoints that are not listed above.
Check out this link for the list of API changes that were announced.

vCloud: Create and configure a vm in vApp

I am trying to deploy Virtual Machines from a template into a vApp using the vCloud rest API. I feel that there should be a way to configure a vm as I am spawning it (Since the UI seems to do that) but haven't found a way.
I've been focusing my efforts on recomposing a vApp to add a vm to it. The below example will add a vm but I haven't figured out how to configure the vm until after it has been created. Specifically I want to set the VM Name, host name, and IP settings of the vm.
<?xml version="1.0" encoding="UTF-8"?>
<RecomposeVAppParams
xmlns="http://www.vmware.com/vcloud/v1.5"
xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
<SourcedItem sourceDelete="false">
<Source href="templateUri" />
</SourcedItem>
<AllEULAsAccepted>true</AllEULAsAccepted>
</RecomposeVAppParams>
After the vm is created I can reconfigure it, but neither the network settings nor the host name actually change. The vCloud Director UI tells me they have changed, but looking on the guest OS shows that the settings have not changed.
Change host name example (doesn't work):
<vcloud:GuestCustomizationSection
xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
xmlns:vcloud="http://www.vmware.com/vcloud/v1.5"
href="vmUri/guestCustomizationSection/"
ovf:required="false"
type="application/vnd.vmware.vcloud.guestCustomizationSection+xml">
<ovf:Info>Specifies Guest OS Customization Settings</ovf:Info>
<vcloud:ComputerName>newName</vcloud:ComputerName>
</vcloud:GuestCustomizationSection>
Has anyone been able to configure a VM as you deploy it? Otherwise, does anyone know how to effectively configure settings of a VM after it has been deployed? Working XML examples would be amazing but I would still appreciate help in other forms.
The closest I have been able to come to this is to deploy a vApp from a catalog somewhat customizing it in the process. This is not exactly what you asked for, but I hope it helps.
<?xml version="1.0" encoding="UTF-8"?>
<InstantiateVAppTemplateParams
xmlns="http://www.vmware.com/vcloud/v1.5"
xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
name="MyVappName"
deploy="false"
powerOn="false">
<Description>vApp I deployed through REST API...</Description>
<InstantiationParams>
<NetworkConfigSection>
<ovf:Info>Configuration parameters for logical networks</ovf:Info>
<NetworkConfig networkName="App-Network-1">
<Configuration>
<ParentNetwork href="https://vcd-url/api/network/331a8ee3-33fd-4e4a-878e-1a6dce772fea" />
<FenceMode>bridged</FenceMode>
</Configuration>
</NetworkConfig>
</NetworkConfigSection>
</InstantiationParams>
<Source
href="https://vcd-url/api/vAppTemplate/vappTemplate-d11de298-3041-2ae2-5e81-3ac2b4255423" />
</InstantiateVAppTemplateParams>
Just use the SDK for this task. Download the example and the library. Add the library to your project and call the functions from there. The SDK already has a Utility library that handles the HTTP communication with vCloud, creating the requests and serving the answers using serialization.
If you really want to do the request by yourself, just run the example in the SDK, use Fiddler to spy on the communication, get the exact request and reproduce it.
I know because the first time, I started making HTTP requests using the documentation and got into trouble.

Accessing files in the Google Cloud Storage from two different google cloud projects

Consider the following situation:
I have two AppEngine projects: A and B
I have a Cloud Storage bucket with the following ACL:
<?xml version="1.0" ?>
<AccessControlList>
<Owner>
<ID>id-of-the-user-who-created-the-bucket</ID>
</Owner>
<Entries>
<Entry>
<Scope type="UserByEmail">
<EmailAddress>app-A-service-account-name</EmailAddress>
</Scope>
<Permission>FULL_CONTROL</Permission>
</Entry>
<Entry>
<Scope type="UserByEmail">
<EmailAddress>app-B-service-account-name</EmailAddress>
</Scope>
<Permission>FULL_CONTROL</Permission>
</Entry>
</Entries>
</AccessControlList>
My GAE applications are written in Python and they are using the GCS Client Library.
Now, here is what I want to achieve: I want application A to create files inside the bucket and then application B to read them.
At first I tried to simply create a file with cloudstorage.open(file_name, 'w') and then read its status with cloudstorage.stat(file_name, 'r'), but this way I end up with the following error while reading:
ForbiddenError at /.../
Expect status [200] from Google Storage. But got status 403.
(The error message provides also request/response information: path, headers, body and extra info. Please let me know if you think they may be helpful in solving this case)
Then I started experimenting with ACLs by setting the x-goog-acl option while creating a file, for example:
cloudstorage.open(file_name, 'w', options={'x-goog-acl': 'authenticated-read'})
Although ACLs work as intended, none of the available options seem to fit my requirements:
private - only the bucket owner has the access, B cannot read
public-read - file is accessible by anonymous users, unacceptable
public-read-write - same as above
authenticated-read - everyone with authenticated account is able to read (even people who are not part of the project), so it's no different than the previous option
bucket-owner-read - seems perfect, but it turns out that "the bucket owner" is NOT the user who was set as "owner" through the Cloud Console, but the user who created the bucket
bucket-owner-full-control - same as above
It looks like I ran out of options, but I can't believe that such a simple thing cannot be achieved with the Cloud Storage. The only solution that comes to my mind is changing system's architecture, but I would like to avoid it. Any other suggestions?
Add the accessor service accounts (e.g. app1@appspot.gserviceaccount.com or 1234567890-compute@developer.gserviceaccount.com for Compute Engine) as members with 'Editor' permission on the project with the GCS bucket to use. This can be done on the IAM page of the project that owns the bucket:
https://console.developers.google.com/iam-admin/iam/project?project=app1

LinkShare Merchandiser API web service throws error 7187145 (FSW server connection)

I started an app using the LinkShare Merchandiser Query API and queries against it were working just fine. I was able to run queries via IE, my app or Yahoo Pipes (the approach I settled on - feed my app from the service via Yahoo Pipes).
After a week or two of using this service while developing my app, it started to randomly return errors about 1 in 5 queries, always after what it seemed to be a timeout (response took 5+ sec). Now that I'm resuming the project after a 2-week hiatus, the query does not work at all. Not even once.
The error is always the same, same as what used to be when it randomly failed. It seemed (and still seems) to me that it is an internal problem on their side but I can't believe it has been (and is) broken 100% of the time for the past 48h.
Any query fails. A sample:
http://productsearch.linksynergy.com/productsearch?token=**token**&keyword="DVD+Player"&cat="Electronics"&MaxResults=20
And its response:
<?xml version="1.0" encoding="UTF-8"?>
<result>
<Errors>
<ErrorID>7187145</ErrorID>
<ErrorText>Internal error 18171650 occurred: FSW server connection.</ErrorText>
</Errors>
</result>
There is no documentation, I cannot find any mentions of this on the web, and I have received no response from them as of yet. I'm not sure where to go from this at this point.
Ideas? Experiences? Should I dump this approach and start anew with a different provider? Any input will be appreciated.

Custom Domain Service Fails but Authentication Works (Silverlight Biz App Template)

I'm hosting a Silverlight Business Application Template derived application on an IIS Server. I'm using the built-in Forms Authentication which is working perfectly.
Unfortunately, I've added an additional service which has peculiar behavior. If I remote into the server and use the site everything works as expected. If I connect to the site from another PC, Authentication still works but my custom Domain Service is failing with the following error:
IE Throws this Error Message:
System.ServiceModel.DomainServices.Client.DomainOperationException:
Load operation failed for query
'Get___'. Exception of type
'System.ServiceModel.DomainServices.Client.DomainOperationException'
was thrown.
I tried debugging the process and get a little more information:
System.ServiceModel.DomainServices.Client.DomainOperationException:
Load operation failed for query
'Get___'. The remote server returned
an error:NotFound. --->
System.ServiceModel.CommunicationException:
...
My clientaccesspolicy and crossdomain policies are in both wwwroot and the root of the website and are the following:
<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*" />
<domain uri="http://*" />
<domain uri="https://*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
The Domain Service that's failing is using an ADO.NET Entity Model, the entities of which are in the same aspnetdb database that is used for authentication, and I've granted file permissions for the IIS User (and Administrator, I got desperate) for the App_Data folder which contains the db.
Again, all services work if connecting locally on the server. Only the Auth/Registration services work when connecting remotely.
I've searched for two days and tried every solution I can find but can't seem to get it working. Any advice or direction would be greatly appreciated.
Although this is pretty late for your project, it might help somebody else. Sounds like you are having a problem with authenticating to the underlying database. You may want to look into what sort of impersonations are happening at database level.
I had a similar problem, and it turned out that I was trying to access the database as the Silverlight client PC account, which never existed in authorized accounts (although my authentication was working perfectly just like in your case). Changing the Application Pool Identity fixed it for me (I was using the Network Service account on a PC joined to a domain, which uses the Computer$ account to log in on your behalf).
When you run into CommunicationException, you really want to look at InnerException, which will tell you what the real issue is.
If there's nothing then you'll need to debug on server side (step through service) to see what is throwing the exception.
CommunicationException occurs if an Exception is thrown on WCF server side and not wrapped into a fault causing the channel to become faulted (in my limited experience at least).
Hope this helps somebody.
WCF Tracing didn't help me! It gives an Empty message.
Finally,
FOR MY CASE,
I removed [RequiresAuthentication] like attributes from methods
I removed [RequiresAuthentication] from Domain Service Class (check all partials)
If it works locally but not on the server, it must be a configuration problem. In my case I used the membership.ResetPassword() function, which is disabled in web.config as enablePasswordReset=false.
Besides this, some people say some methods are only invokable in ASP.NET compatibility mode.
Hope this helps someone else.
