How to give a machine account (Domain\ComputerName$) permissions to access a mailbox on Exchange Server?

We have a client running an intranet application with the app pool identity set up as NetworkService. This means the app will present itself to other services as Domain\ComputerName$ user.

There is a shared mailbox set up on Exchange 2013. The application connects to the mail server to download emails from the mailbox. It uses EWS Managed API, but that shouldn't matter in this scenario.

How do I give a computer account full access to the shared mailbox? It does not appear as a user under Full Access permissions box. That seems to be a trivial security configuration, but I can't find a way to do it.

We've also tried Add-MailboxPermission -Identity "domain\computername$" -User "shared mailbox" -AccessRights 'FullAccess' but to no avail. I get a "computername$ wasn't found" error. I tried different options for Identity, like FQDN or full AD name, but still the same error.

Thanks,

Rory

Question also asked here: http://stackoverflow.com/questions/30999672/give-networkservice-domain-computername-permissions-to-access-exchange-server

July 2nd, 2015 7:34am

Hi Rory

You wouldn't be able to assign a permission for a mailbox (room mailbox, user mailbox, equipment mailbox) to a computer object, since Exchange would be able to impersonate permissions only for a user account with a mailbox.

It would be better to try creating a service account and use that service account to connect to this shared mailbox and then download the emails.

July 2nd, 2015 9:47am

Thanks Sathish, yes I can create a service account but that increases the amount of IT setup required for any companies installing our software. I was hoping to find a way they can give access to the existing machine account to avoid needing to create a new service account (especially as in large companies it's usually a different team that needs to create such accounts).

regards, 

Rory

July 2nd, 2015 9:51am

Almost every product requires some sort of Service Account for some of their functions. It is unfortunately the way AD, Exchange and permissions have been designed. Service Accounts are much better security-wise too (you can allow permissions only to what the account needs to access and not everything). Trusting an entire machine for access to a mailbox seems like a recipe for trouble to me.
July 2nd, 2015 10:07am

Hi Rory,

Thank you for your question.

Because the computer name is not the identity of the mailbox, we don't add permission for this computer name. We suggest you create a new service account. If not, you could post this case to the Exchange development forum to check if they could help you:

https://social.technet.microsoft.com/Forums/exchange/en-us/home?forum=exchangesvrdevelopment

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim


July 2nd, 2015 10:23pm
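
The service-account approach suggested in the replies above, as an added example that is not part of the original thread: it grants a dedicated account FullAccess to the one shared mailbox and then audits the result so the grant stays limited to what the application needs. The mailbox address and account name are hypothetical placeholders, and the script assumes the service account already exists in AD and is run from the Exchange Management Shell.

```powershell
# Added example. Run in the Exchange Management Shell as an administrator
# who is allowed to manage mailbox permissions.
# Both values are hypothetical placeholders, not names from the thread.
$SharedMailbox  = 'shared-inbox@example.com'   # the shared mailbox
$ServiceAccount = 'EXAMPLE\svc-mailreader'     # dedicated account the app connects as

# Stop early if Exchange cannot resolve either object.
$mbx  = Get-Mailbox -Identity $SharedMailbox  -ErrorAction Stop
$null = Get-User    -Identity $ServiceAccount -ErrorAction Stop

# -Identity is the mailbox being opened; -User is the principal receiving access.
# AutoMapping is switched off because no Outlook profile is involved.
Add-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false |
    Out-Null

# Audit 1: explicit (non-inherited) FullAccess grants on this mailbox.
# Any principal in this list that is not expected should be reviewed.
Get-MailboxPermission -Identity $mbx.Identity |
    Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        ($_.AccessRights -match 'FullAccess') -and
        ($_.User -notlike 'NT AUTHORITY\SELF')
    } |
    Format-Table User, AccessRights -AutoSize

# Audit 2: every mailbox on which the service account holds an explicit grant.
# Least privilege means exactly one row here. This enumerates all mailboxes,
# so it can be slow in a large organization.
$reachable = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $ServiceAccount |
    Where-Object { -not $_.IsInherited -and -not $_.Deny }
$reachable | Format-Table Identity, AccessRights -AutoSize

if (@($reachable).Count -ne 1) {
    Write-Warning "$ServiceAccount has explicit rights on $(@($reachable).Count) mailboxes; expected 1."
}
```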
