I have a windows box with AD & Exchange 2013 on it. There are around 400 users with mailboxes. One user (ServiceAdmin) had been given impersonation rights over a group and then the rest of the users are added to the group, essentially providing scope impersonation rights to the ServiceAdmin over all the users in the group.
Now if, for some reason, the user is disabled/removed in the AD, and an attempt to send mail through impersonation is made, the impersonation request is rejected with <e:ResponseCode>ErrorImpersonateUserDenied</ResponseCode>.
Question is, where is this event logged on the exchange host?
Tried hunting on Google and MSDN. They all end up validating one configuration or other at a time. Problem is, that for a operation (as mentioned above) to work, multiple points of configuration have to be right. So I'm looking for a way to either diagnose beforehand all the users for which it will fail or a log from where all the users, for whom impersonation has failed, can be extracted.
Will appreciate any help in the matter.
EWS requests will be logged in the EWS Log on the CAS server eg https://ingogegenwarth.wordpress.com/2017/01/12/troubleshooting-exchange-with-logparser-ews-logs/
Its sounds like you already have your answer there are no shortcuts to this if something fails it could be one or many reasons hence why you need a step by step verification to find the actual fault and then resolve it (or suggest a resolution). There are no shortcuts to this and even with a step by step verification you can still come across specific customer environment differences that invalidates that.