exchangelib: Requesting the folder:PermissionSet attribute raises ErrorAccessDenied

I was wondering if there are significant changes between the way Exchangelib 1.11.4 behaves and the current version (1.12.5). I’ve simply tried to upgrade using pip, but it appears that there is something wrong when authorizing in 1.12.5.

Some config, pretty basic:

from exchangelib import DELEGATE, IMPERSONATION, Account, Credentials, ServiceAccount, \
    EWSDateTime, EWSTimeZone, Configuration, NTLM, CalendarItem, Message, \
    Mailbox, Attendee, Q, ExtendedProperty, FileAttachment, ItemAttachment, \
    HTMLBody, Build, Version
from exchangelib.protocol import BaseProtocol, NoVerifyHTTPAdapter
BaseProtocol.HTTP_ADAPTER_CLS = NoVerifyHTTPAdapter

credentials = ServiceAccount(username='ai\\user', password='pass')
config = Configuration(server='mail.xxxxx.be', credentials=credentials, auth_type=NTLM)
tz_def = EWSTimeZone.timezone('Europe/Brussels')
account = Account(primary_smtp_address=xxxxx@xxxxx.be, config=config, autodiscover=False, default_timezone=tz_def, access_type=DELEGATE)
print(account.root.tree())

Is returning an “Access denied”:

DEBUG:exchangelib.account:Added account: xxxxx@xxxxx.be
DEBUG:exchangelib.services:Getting folder Root (root)
DEBUG:exchangelib.services:Trying API version Exchange2016 for account xxxxx@xxxxx.be
DEBUG:exchangelib.protocol:Server mail.xxxxx.be: Waiting for session
DEBUG:exchangelib.protocol:Server mail.xxxxx.be: Got session 23594
DEBUG:exchangelib.util:Session 23594 thread 140058402891520: retry 0 timeout 120 POST'ing to https://mail.xxxxx.be/EWS/Exchange.asmx after 10s wait
/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py:851: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
DEBUG:urllib3.connectionpool:https://mail.xxxxx.be:443 "POST /EWS/Exchange.asmx HTTP/1.1" 200 None
DEBUG:exchangelib.util:Retry: 0
Waited: 10
Timeout: 120
Session: 23594
Thread: 140058402891520
Auth type: <requests_ntlm.requests_ntlm.HttpNtlmAuth object at 0x7f61e39ddfd0>
URL: https://mail.xxxxx.be/EWS/Exchange.asmx
HTTP adapter: <exchangelib.protocol.NoVerifyHTTPAdapter object at 0x7f61e39ddef0>
Allow redirects: False
Streaming: False
Response time: 0.017957963049411774
Status code: 200
Request headers: {'User-Agent': 'python-requests/2.22.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'Keep-Alive', 'Content-Type': 'text/xml; charset=utf-8', 'Cookie': 'X-BackEndCookie=S-1-5-21-3222743990-3588243504-3938062828-46253=u56Lnp2ejJqBnMmbx8qdx5rSypvLztLLnsrJ0sfImcjSyMzJms7HycfHyZ7OgYHNz87G0s/H0s7Jq8/IxczIxc3GgZ6W0ZaRi5qNkZ6T0YqFmJqRi9GdmoHP; exchangecookie=79b6cb68921f405096eb97685de0ec78', 'Content-Length': '1169'}
Response headers: {'Cache-Control': 'private', 'Content-Type': 'text/xml; charset=utf-8', 'Content-Encoding': 'gzip', 'Vary': 'Accept-Encoding', 'Server': 'Microsoft-IIS/10.0', 'request-id': 'aa717744-a177-4c2d-94c7-7a1104a1bf7b', 'X-CalculatedBETarget': 'vmailboxsvr3p.xxxxx.be', 'X-DiagInfo': 'VMAILBOXSVR3P', 'X-BEServer': 'VMAILBOXSVR3P', 'X-AspNet-Version': '4.0.30319', 'Set-Cookie': 'exchangecookie=79b6cb68921f405096eb97685de0ec78; path=/, X-BackEndCookie=S-1-5-21-3222743990-3588243504-3938062828-46253=u56Lnp2ejJqBnMmbx8qdx5rSypvLztLLnsrJ0sfImcjSyMzJms7HycfHyZ7OgYHNz87G0s/H0s7Jq8/IxczIxcrGgZ6W0ZaRi5qNkZ6T0YqFmJqRi9GdmoHP; expires=Fri, 16-Aug-2019 07:37:59 GMT; path=/EWS; secure; HttpOnly', 'X-Powered-By': 'ASP.NET', 'X-FEServer': 'VMAILBOXSVR4P', 'Date': 'Wed, 17 Jul 2019 07:37:58 GMT', 'Transfer-Encoding': 'chunked'}
Request data: b'<?xml version=\'1.0\' encoding=\'utf-8\'?>\n<s:Envelope xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"><s:Header><t:RequestServerVersion Version="Exchange2016"/><t:TimeZoneContext><t:TimeZoneDefinition Id="Romance Standard Time"/></t:TimeZoneContext></s:Header><s:Body><m:GetFolder><m:FolderShape><t:BaseShape>IdOnly</t:BaseShape><t:AdditionalProperties><t:FieldURI FieldURI="folder:ChildFolderCount"/><t:FieldURI FieldURI="folder:EffectiveRights"/><t:FieldURI FieldURI="folder:FolderClass"/><t:FieldURI FieldURI="folder:DisplayName"/><t:FieldURI FieldURI="folder:ParentFolderId"/><t:FieldURI FieldURI="folder:PermissionSet"/><t:FieldURI FieldURI="folder:TotalCount"/><t:FieldURI FieldURI="folder:UnreadCount"/></t:AdditionalProperties></m:FolderShape><m:FolderIds><t:DistinguishedFolderId Id="root"><t:Mailbox><t:EmailAddress>xxxxx@xxxxx.be</t:EmailAddress><t:RoutingType>SMTP</t:RoutingType><t:MailboxType>Mailbox</t:MailboxType></t:Mailbox></t:DistinguishedFolderId></m:FolderIds></m:GetFolder></s:Body></s:Envelope>'
Response data: b'<?xml version="1.0" encoding="utf-8"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header><h:ServerVersionInfo MajorVersion="15" MinorVersion="1" MajorBuildNumber="845" MinorBuildNumber="34" Version="V2016_10_10" xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types" xmlns="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/></s:Header><s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><m:GetFolderResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"><m:ResponseMessages><m:GetFolderResponseMessage ResponseClass="Error"><m:MessageText>Access is denied. Check credentials and try again., Underlying MAPI stream threw exception</m:MessageText><m:ResponseCode>ErrorAccessDenied</m:ResponseCode><m:DescriptiveLinkKey>0</m:DescriptiveLinkKey><m:Folders/></m:GetFolderResponseMessage></m:ResponseMessages></m:GetFolderResponse></s:Body></s:Envelope>'

DEBUG:exchangelib.util:Session 23594 thread 140058402891520: Useful response from https://mail.xxxxx.be/EWS/Exchange.asmx
DEBUG:exchangelib.protocol:Server mail.xxxxx.be: Releasing session 23594
ERROR:root:Access is denied. Check credentials and try again., Underlying MAPI stream threw exception

About this issue

Original URL
State: closed
Created 5 years ago
Comments: 21 (12 by maintainers)

Commits related to this issue

Subfolder queries should compile the list of fields from the folders to be queried, not the base folder of the query. Refs #610 — committed to ecederstrand/exchangelib by ecederstrand 5 years ago

Most upvoted comments

It’s possible that the your server does not allow you to retrieve the PermissionSet value on the root folder, or possibly on any folder. I don’t know if that’s configurable in Exchange and how to configure it, if so.

I’m not sure yet how we might handle this automatically, but for now a workaround that doesn’t require you to patch source-code could be to monkey-patch the Folder class:

from exchangelib import Folder
Folder.FIELDS = [f for f in Folder.FIELDS if f.name != 'permission_set']

# Your code here

ecederstrand on Aug 14, 2019

0a8f933 should fix this. I opted to only exclude permission_set for root folders on Exchange 2016 or later, as that is the only version I see reported here.

ecederstrand on Sep 5, 2019