Fix for “The server to which the application is connected cannot impersonate the requested user due to insufficient permission” Cisco Unity Connection Server 9.1 with Exchange 2013

Received the following error message, “The server to which the application is connected cannot impersonate the requested user due to insufficient permission,” when validating a mailbox that pointed to a different account (i.e. 7777@garzafx.com) for delivering voicemail to support@garzafx.com.

Here is the technical background for the scenario.

a) Coexistence for Exchange 2007 SP3 and Exchange 2013 CU1.

b) Cisco Unity Connection Server version 9.1.2TT1.11900-2TT1.

c) PowerShell command New-ManagementRoleAssignment -Name:RoleName -Role:ApplicationImpersonation -User:'Account' applied to the Exchange 2013 environment per the Cisco article Configuring Cisco Unity Connection 9x and Microsoft Exchange for Unified Messaging.

d) Deleted and recreated the AD account and mailbox (7777@garzafx.com) and migrated it back and forth between Exchange 2007 and Exchange 2013, with the same result.
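The assignment in item c) carries no scope, so the service account can impersonate every mailbox in the organization. The following is an added example, not from the original post or the Cisco article, showing the same role limited to the mailboxes Unity Connection has to reach. The scope name, assignment name, the CustomAttribute1 marker value and the choice of mailboxes are assumptions; the service account name is the one shown in the test output later in this post.

```powershell
# Added example. Run in the Exchange Management Shell on Exchange 2013.
$svcAccount = 'gfx\gfx_svc2013'                 # service account from the page's test output
$scopeName  = 'UnityConnection-UM-Mailboxes'    # hypothetical scope name
$roleName   = 'UnityConnection-Impersonation'   # hypothetical assignment name

# 1. Mark the mailboxes the voicemail service must open.
#    Assumption: CustomAttribute1 is not used for anything else.
Set-Mailbox -Identity '7777@garzafx.com'    -CustomAttribute1 'UnityUM'
Set-Mailbox -Identity 'support@garzafx.com' -CustomAttribute1 'UnityUM'

# 2. Define a management scope that matches only the marked recipients.
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'UnityUM'"

# 3. Preview the scope before granting anything: the list should contain
#    the voicemail-enabled mailboxes and nothing else.
Get-Recipient -RecipientPreviewFilter (Get-ManagementScope $scopeName).RecipientFilter |
    Select-Object Name, PrimarySmtpAddress

# 4. Grant ApplicationImpersonation restricted to that scope.
New-ManagementRoleAssignment -Name $roleName `
    -Role ApplicationImpersonation `
    -User $svcAccount `
    -CustomRecipientWriteScope $scopeName

# 5. An earlier unscoped assignment still grants organization-wide
#    impersonation. List it with -WhatIf first, then rerun without it.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $svcAccount |
    Where-Object { $_.RecipientWriteScope -eq 'Organization' } |
    Remove-ManagementRoleAssignment -WhatIf

# 6. Audit: every account that holds the role and the scope it applies to.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Format-Table Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

A mailbox outside the scope returns ErrorImpersonationDenied to the service account, so new voicemail users have to be marked before they are validated in Unity Connection.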

The whole error message reads as follows:

HTTP status=[200] Diagnostic=[Failed extract folder ID '' from response] Verb=[POST] url=[https://192.168.5.13/EWS/Exchange.ASMX]

request=[<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2007_SP1"/>
    <t:ExchangeImpersonation>
      <t:ConnectingSID>
        <t:PrimarySmtpAddress>support@garzafx.com </t:PrimarySmtpAddress>
      </t:ConnectingSID>
    </t:ExchangeImpersonation>
  </soap:Header>
  <soap:Body>
    <GetFolder xmlns="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
      <FolderShape>
        <t:BaseShape>Default</t:BaseShape>
      </FolderShape>
      <FolderIds>
        <t:DistinguishedFolderId Id="deleteditems">
          <t:Mailbox>
            <t:EmailAddress> support@garzafx.com </t:EmailAddress>
          </t:Mailbox>
        </t:DistinguishedFolderId>
      </FolderIds>
    </GetFolder>
  </soap:Body>
</soap:Envelope> ]

response=[<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <t:ServerVersionInfo MajorVersion="8" MinorVersion="3" MajorBuildNumber="342" MinorBuildNumber="0" Version="Exchange2007_SP1" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"/>
  </s:Header>
  <s:Body>
    <soap:Fault xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <faultcode>soap:Client</faultcode>
      <faultstring>The server to which the application is connected cannot impersonate the requested user due to insufficient permission.</faultstring>
      <detail>
        <e:ResponseCode xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">ErrorImpersonationDenied</e:ResponseCode>
        <e:Message xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">The server to which the application is connected cannot impersonate the requested user due to insufficient permission.</e:Message>
      </detail>
    </soap:Fault>
  </s:Body>
</s:Envelope>]

To fix this issue perform the following steps:

1. Log on to Cisco Unity Connection Server.

2. Select Users and Find target account (i.e. 7777).

3. Verify SMTP address matches the account (i.e. 7777@garzafx.com).

4. Under LDAP Integration Status, select DO NOT INTEGRATE with LDAP DIRECTORY.

5. Ensure LIST IN DIRECTORY is selected.

6. Click SAVE for changes.

7. Under EDIT USER BASICS choose EDIT then MESSAGE ACTIONS, ensure VOICEMAIL is set to ACCEPT AND RELAY THE MESSAGE.

8. Verify RELAY ADDRESS is set to the different mailbox (i.e. support@garzafx.com).

9. Go to SMTP ADDRESSES, select ADD PROXY ADDRESS and enter support@garzafx.com, then click SAVE.

10. Go to UNIFIED MESSAGING ACCOUNT, under ACCOUNT INFORMATION select the option USE THIS EMAIL ADDRESS and enter: support@garzafx.com.

11. Click SAVE, then TEST.

Successful test results should look like the following:

Task Execution Results
Severity Issue Recommendation Details
The validation results for the user unified messaging service account 7777@garzafx.com with service GFX-Exchange-2013 are the following: Service “GFX-Exchange-2013”: AuthenticationMode=NTLM [use HTTPS/no-validate] Server=[192.168.5.13] Type=[Exchange 2007/2010] Username=[gfx\gfx_svc2013]
Mailbox 7777@garzafx.com was successfully accessed. Connected to 192.168.5.13 using EWS.

Read more:
Configuring Cisco Unity Connection 9x and Microsoft Exchange for Unified Messaging (CISCO)

2 thoughts on “Fix for “The server to which the application is connected cannot impersonate the requested user due to insufficient permission” Cisco Unity Connection Server 9.1 with Exchange 2013

  1. Hello, We have the same issue with 2 users out of 7300.

    I followed your steps but when I got to the step to Relay the Message it asked for a Smart Host. We do not have that.

    Any thoughts?

    Thanks for your help.
