Troubleshooting Exchange/Office 365 administrator's impersonation rights

Whether you configure an EWS connection to a source/target Exchange Server or to source Office 365, the second action (test) performed by the program is always granting impersonation rights (Fig. 1.). During this operation, the software checks if the administrator (whose email address was entered in the previous step of the wizard) has application impersonation rights.

Fig. 1. Actions performed when connecting to a source/target Exchange Server via EWS. The configuration window for source connection to Office 365 looks similar.

If the result is negative (Fig. 2.), the program tries to add such rights for the administrator.

Fig. 2. Failure to grant impersonation rights (this error message looks the same for Office 365 or source Exchange Server connections via EWS).

Tip

To minimize the risk of connection errors, we advise you to enable a trust relationship between the source and target server.

Learn more about creating a forest trust on Windows Server 2003 and on Windows Server 2008 and newer.

The wizard's failure to either check or grant impersonation rights may happen because:

  • Your server's WinRM settings have been customized in a way that makes WinRM reject CodeTwo Exchange Migration connections.
  • Admin permissions or role membership on the server have been customized, e.g. the account has been improperly configured to be RBAC-compliant and now does not meet all requirements.
  • The server's firewall blocks WinRM or incoming PowerShell connections.
  • You have configured a connection with the server by using its IP address, without setting up basic authentication for PowerShell Virtual Directory in IIS.

Aside from the last (rather obvious) case, in the other scenarios we strongly recommend trying the following first, simply to rule out wizard imperfections:

  1. Following this Knowledge Base article, check if the admin account has already been granted impersonation rights. If not, grant them manually.
  2. Try the wizard again. Even if it still fails, ignore all errors, click Finish and attempt to use the software normally to migrate.

Only if this does not work, go back to checking all possible reasons. Also, click the Failure link in the wizard window to study the exact error message. A few known errors have been listed below:

  • The server could not be contacted. The LDAP server is unavailable.

This error might be caused by missing impersonation rights. The wizard tries to grant them automatically, and the above message is shown when that attempt fails.

Follow our Knowledge Base article to grant application impersonation rights manually and fix this issue. If the above solution does not help, try creating a trust relationship between the servers you are migrating.

  • Cannot bind parameter 'Name' to the target.

This error message is produced when the UPN of the user is too long and, therefore, the software is not able to check/add impersonation rights properly. Either use a different admin account from the server's domain with a shorter name (a global administrator account in the case of Office 365) or add impersonation rights manually using PowerShell.
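
The manual check and grant from step 1, combined with the workaround for the 'Name' error, as an added example (not CodeTwo's code). It assumes an Exchange Management Shell or a connected Exchange Online PowerShell session; the function name, the optional scope parameter and the sample UPN are hypothetical.

```powershell
# Added example. Checks for an existing ApplicationImpersonation assignment and
# creates one with a short explicit name only when none exists.
function Grant-ImpersonationIfMissing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $AdminUpn,
        # Optional: name of an existing management scope that limits which
        # mailboxes the account may impersonate (assumption: created beforehand).
        [string] $RecipientScope
    )

    # 1. Check: is the role already assigned to this account?
    #    -ErrorAction Stop makes a mistyped UPN fail here instead of later.
    $existing = Get-ManagementRoleAssignment -Role ApplicationImpersonation `
        -RoleAssignee $AdminUpn -ErrorAction Stop
    if ($existing) {
        Write-Verbose "Already assigned: $($existing.Name -join ', ')"
        return $existing
    }

    # 2. Build an explicit assignment name that stays within the 64-character
    #    limit of -Name, however long the UPN is.
    $local = ($AdminUpn -split '@')[0]
    $name  = "Impersonation-$local"
    if ($name.Length -gt 64) { $name = $name.Substring(0, 64) }

    # 3. Grant, then read the assignment back to confirm it exists.
    $params = @{ Name = $name; Role = 'ApplicationImpersonation'; User = $AdminUpn }
    if ($RecipientScope) { $params.CustomRecipientWriteScope = $RecipientScope }
    if ($PSCmdlet.ShouldProcess($AdminUpn, "Assign ApplicationImpersonation as '$name'")) {
        New-ManagementRoleAssignment @params | Out-Null
        Get-ManagementRoleAssignment -Identity $name
    }
}

# Constructed sample account; add -WhatIf to preview without changing anything.
Grant-ImpersonationIfMissing -AdminUpn 'migration.admin@example.com' -Verbose
```

Once the migration is finished, the assignment can be removed with Remove-ManagementRoleAssignment so the account does not keep impersonation rights longer than needed.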
