When I look at the PE logs, I see :

11:47:55.550 |system.pe.pa.owa.backend 1241894 INFO received SUBSCRIBE response for doug.davidson@epl.net: 401 Unauthorized
HTTP/1.1 401 Unauthorized
x-powered-by: ASP.NET
date: Wed, 23 May 2012 16:47:54 GMT
content-length: 0
set-cookie: exchangecookie=895f546a4d8d43f1bd481f052f4e43e7; expires=Thu, 23-May-2013 16:47:55 GMT; path=/; HttpOnly
www-authenticate: Negotiate, NTLM, Basic realm="webmail.epl.net"
server: Microsoft-IIS/7.5

11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <----QMS::SUBSCRIBE doug.davidson@epl.net

11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG -->SessionManager::setConnected: webmail.epl.net:443 0

11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--SessionManager::setConnected 0

11:47:55.550 |system.pe.pa.owa.backend 1241894 ERROR -->EWSSubscription::initiateRecovery: doug.davidson@epl.net POST 3 Authentication failure on server; Could not authenticate to server: ignoring empty Negotiate continuation, rejected NTLM challenge, rejected Basic challenge

11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--EWSSubscription::clearResubscribe

11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--EWSSubscription::scheduleResubscribe - interval (secs): 1080

11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--EWSSubscription::initiateRecovery: POST

11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--EWSSubscription::processSubscribeRequest

11:47:55.550 |system.pe.pa.owa.backend 1241894 DEBUG <--QMS::SUBSCRIBE

The account in the Exchange gateway is domain\ExCalendar.

We are running AD 2003.

Thanks,

Doug

Hi Doug/Jasmeet,

Was there ever a work around to get this working, I've got the exact same problem with Exchange 2010 EWS and on Win2008.

The AD configured email address doesn't match the actual internal address used in Exchange, e.g. john.doe@domain.com is configured in the AD End User information.

However the real Exchange address is jdoe16@domain.internal

Jasmeet, what impact does the format of the impersonation account have?

I have entered our impersonation account for the gateway as domain\cupimacc

Regards,

Mike.

Hi Michael

So your 'mail' attribute in CUCM has john.doe@domain.com, or jdoe16@domain.internal?

The format of the imp account in the CUPS config should usually be as you have it - domain\username. That's the default format for OWA/EWS and isn't usually changed.

Aaron

Hi Aaron,

The CUCM mail attribute is john.doe@domain.com, this is sync'ed from AD. Our example user id is jdoe16.

The Exchange guys tell me internally to Exchange all the email accounts are @domain.internal, somehow they these two email addresses map to the same user.

Exchange EWS requires the CUP server to subscribe as domain\userid, but debugs are showing john.doe@domain.com not domain\userid

Is there a parameter that will allow me to configure the domain\username for the Exchange EWS?

When we log in to Jabber the we use userid and password, the jabber  domain is domain.com.au, which is configured in the CUP server.

Regards,

Mike.

Hi,

i have also a problem with calendar status. Looks like yours. See here the PE log:

10:29:13.288 |system.pe.pa.owa.backend 1244158 ERROR -->EWSSubscription::initiateRecovery:

@

POST 3 Authentication failure on server; Could not authenticate to  server: ignoring empty Negotiate continuation, rejected Basic challenge

AD proxy adress for users is -> SMTP: @

Impersonation User configuration in CUPS -> domain\user

How could i simply verify impersonation user have the right permissions?

Any suggestions how to fix?

Regards

Thorsten

Hi

It's normal to see auth fails, usually followed by another connection where CUPS sends the credentials - it's a bit like when you browse to something password protected; you see the auth dialog in internet explorer as a result of receiving a permissions error, the retry with permissions.

You can use a free SOAP tool to test your impersonation permissions :

https://supportforums.cisco.com/community/netpro/collaboration-voice-video/unified-comm-application/blog/2012/12/04/using-the-soap-tool-to-verify-ews-permissions-for-unity-connection-sib-cases

Aaron

Thx for the Tool. Great. :-)

There was also a problem with impersonate user but i have still a problem with status. I have make a detailed trace now:

14:53:05.723 |system.pe.pa.owa.backend 1243654 INFO received FINDITEM response for @: 401 Unauthorized

HTTP/1.1 401 Unauthorized

x-powered-by: ASP.NET

date: Mon, 11 Feb 2013 13:52:17 GMT

content-length: 0

www-authenticate: Negotiate, NTLM, Basic realm=""

server: Microsoft-IIS/7.0

This is what i got often in the log.

Any suggestion?

Hi

So I take it the tool can impersonate this user OK?

Did you specify the same username format that you used in CUPS admin? And did you use basic auth with the test tool?

Aaron

Yes, impersonate works.

What do you mean with same user format as CUPS admin? Could you give me an example?

Hi

I mean if you can connect with the same CUPS service account, and impersonate the user, then the permissions must be OK.

That kind of leaves 'something else' as the problem - so I'm wondering if you are using the same authentication settings in the SOAP tool that CUPS is using. E.g. ticking the 'force basic auth' option, and specifying the usename as domain\cupsserviceaccount for example?

Aaron

Ok. Very good input. I will check tomorrow morning. I have now no access to that machine. :-/

Looks also good.

"Success">NoError

Is there any resolution on your issue yet? I'm seeing the same exact issue. We appear to have all of the correct permissions on the Exchange side configured correctly. I can log into OWA using the service account we are using under the Presence gateway for EWS. We are getting the 401 Authorized Failure messages in the debug traces from the CUPS server.

I'm using the SOAP tool to test impersonation, but I'm not 100% sure what URL the presence server is using in the backend to connect to Exchange 2010. If I do the SOAP tool test and have autodiscover fill in the URL, I am getting a success when using GetFolder and Inbox on another user's account. However, the URL it picked is not the same one we have defined in the Presence gateway. We have about 6 CAS servers and 6 mailbox servers in our setup. 3 are in one Data Center and 3 are in another Data Center. We're using F5 load balancers to accomodate all of the servers and their traffic.

The URL we have specified in our Gateway configuration is cupsowa.corp.tmnas.com. Is Presence going to /owa? /exchange? What is the URL it is actually using in the background?