Symptoms
When running through the K2 Blackpearl configuration, we get the following warning during the Analysis portion:
Standard- Exchange Permissions
The following rights are still required for Impersonation:
-RoleBasedAccessControl
The specific role referenced here is the ApplicationImpersonation role in Exchange.
We also see the following error in the Event Viewer logs:
61012 Exception from message source K2Service@denallix.com: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.InvokeAsyncCallback(IAsyncResult result)
Diagnoses
We assigned the K2 Service account to the ApplicationImpersonation role in Exchange manually with the following command:
New-ManagementRoleAssignment -Role:ApplicationImpersonation -User:K2Service@denallix.com
We also confirmed that this user appeared in that role in the Exchange Management Console, and that we could navigate to the EWS URL used in our configuration wizard. We then ran tests with the EWS Tester tool to check whether the connection between the service account and Exchange was valid. It was during this testing that we realized that the Exchange configuration might have been set for Exchange Online instead of on-prem.
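The first two checks above can also be scripted, as in this added Windows PowerShell example (not part of the original article or of K2's tooling). The EWS URL is a placeholder for the one entered in the configuration wizard, and the script assumes Windows PowerShell 5.1 in the Exchange Management Shell on the on-prem server.

```powershell
# Added example: assumes Windows PowerShell 5.1 inside the Exchange Management Shell.
$ServiceAccount = 'K2Service@denallix.com'
# Placeholder: replace with the EWS URL used in the K2 configuration wizard.
$EwsUrl = 'https://<exchange-server>/EWS/Exchange.asmx'

# 1. Confirm the ApplicationImpersonation assignment exists and is enabled.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $ServiceAccount
if (-not $assignments) {
    Write-Warning "No ApplicationImpersonation assignment found for $ServiceAccount"
} else {
    $assignments |
        Format-List Name, RoleAssigneeName, Enabled, RecipientWriteScope, CustomRecipientWriteScope
}

# 2. Authenticate to the EWS endpoint as the service account, outside of K2.
#    A 200 only proves the credentials are accepted by this endpoint; it does
#    not exercise impersonation itself.
$cred = Get-Credential -UserName $ServiceAccount -Message 'K2 service account password'
try {
    $resp = Invoke-WebRequest -Uri $EwsUrl -Credential $cred -UseBasicParsing
    "EWS answered HTTP $([int]$resp.StatusCode): credentials accepted"
} catch {
    # In Windows PowerShell 5.1 a 401 surfaces as a WebException with a Response.
    $r = $_.Exception.Response
    if ($r) {
        "EWS answered HTTP $([int]$r.StatusCode)"
        "Auth schemes offered: $($r.Headers['WWW-Authenticate'])"
    } else {
        "No HTTP response received: $($_.Exception.Message)"
    }
}
```

If both checks pass against the on-prem endpoint while K2 still logs 401, the K2 side is likely pointed at a different Exchange target, which is what the resolution below found.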
Resolution
We ran through the K2 Blackpearl Setup Manager with the configuration option and changed the configuration to use Exchange on-prem as intended, instead of Exchange Online as it had previously been set. After completing the configuration, we no longer saw the warning in the configuration analysis, and the 401 Unauthorized errors for the service account no longer appeared in our Event Viewer logs.