
NO AUTHENTICATE failed on Exchange 2007 with impersonation, only for some users #417

Open
Mer0me opened this issue Oct 18, 2023 · 7 comments
Labels: Admin (Admin authentication), Authentication (Authentication issues, credentials, special characters...), Exchange (Exchange issues)

@Mer0me

Mer0me commented Oct 18, 2023

We are leaving an old Exchange 2007 server for a brand new postfix/dovecot one. I would like to use impersonation on both sides to prepare the migration.

I found a working syntax for a lot of users, despite a character encoding issue in the password, using a PHP script and the utf8_decode function (if someone is interested in this part, call me!). The working syntax is:

imapsync --host1 10.30.50.5 --user1 formation-4 --authuser1 adminexch --password1 MASKED --host2 localhost --user2 formation-4+dovecotmaster --password2 MASKED --tls1 --nosslcheck --sslargs1 SSL_version=TLSv1 --delete2 --exclude ^Calendar$ --exclude ^Calendrier$ --exclude ^Contacts$ --exclude ^Flux RSS$ --exclude ^Journal$ --exclude ^Junk E-Mail$ --exclude ^Notes$ --exclude Probl* --exclude ^Tasks$ --exclude ^Tâches$ --exclude ^T&AOI-che$ --exclude ^Contacts sugg* --automap --f1f2 &AMk-l&AOk-ments supprim&AOk-s=Corbeille

Host1: 10.30.50.5 says it has CAPABILITY for AUTHENTICATE PLAIN
Host1: success login on [10.30.50.5] with user [formation-4] auth [PLAIN]

It works like a charm with this user and many others. BUT!

For some users (most recently created in Active Directory?), this very same command does not work at all, and I get the famous NO AUTHENTICATE:

Host1: Socket successfuly converted to SSL
Host1: 10.30.50.5 says it has CAPABILITY for AUTHENTICATE PLAIN
Host1 info: authmech [PLAIN] user [bob] authuser [adminexch] IsUnconnected []
Host1 failure: Error login on [10.30.50.5] with user [bob] auth [PLAIN]: 4 **NO AUTHENTICATE failed.**
Exiting with return value 16 (EXIT_AUTHENTICATION_FAILURE) 1/50 nb_errors/max_errors

I've double-checked on the Exchange and Active Directory sides, all the properties are exactly the same for the working user "formation-4" and the non-working user "bob". Impersonation rights for adminexch are set on the server scope (there is only one server, having all Exchange roles), full access everywhere for adminexch.

Note that we also have trouble with Outlook Web Access for these most recent users. They can't connect to OWA. But another IMAP client is able to connect them with no issue. Not sure if it's related to the failing impersonation.
Edit: I've found at least one account which is working with OWA and not working with impersonation. I suppose this information is not relevant.

I've tried all the syntaxes proposed in the Exchange FAQ (adminexch\domain\user and variants...) with no luck. I think the problem is not here, as I can sync many accounts with the syntax provided earlier.

If you have any idea, I've been stuck here for a few days now...
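
For reference when reading the `authmech [PLAIN] user [bob] authuser [adminexch]` log line in the report above, here is an added example (not code from this thread or from imapsync) of how an RFC 4616 SASL PLAIN response carries a mailbox identity next to an admin identity, and how the password's byte encoding (UTF-8 versus the ISO-8859-1 bytes that PHP's utf8_decode produces) changes what the server receives. The password is a constructed sample, and mapping `--user1` to the authorization identity and `--authuser1` to the authentication identity is an assumption.

```python
import base64

# Constructed sample values; the password is not a real credential.
MAILBOX_USER = "bob"        # assumed authorization identity (mailbox to open)
ADMIN_USER = "adminexch"    # assumed authentication identity (password owner)
SAMPLE_PASSWORD = "P\u00e2ss-example"

def build_plain(authzid, authcid, password, password_encoding="utf-8"):
    """Return the base64 SASL PLAIN response: [authzid] NUL authcid NUL passwd."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = b"\x00".join((
        authzid.encode("utf-8"),
        authcid.encode("utf-8"),
        password.encode(password_encoding),
    ))
    return base64.b64encode(raw).decode("ascii")

def parse_plain(blob):
    """Split a captured response into its three fields for troubleshooting."""
    parts = base64.b64decode(blob, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected exactly three NUL-separated fields")
    authzid, authcid, passwd = parts
    try:
        passwd.decode("utf-8")
        passwd_is_utf8 = True
    except UnicodeDecodeError:
        passwd_is_utf8 = False
    return {
        "authzid": authzid.decode("utf-8"),
        "authcid": authcid.decode("utf-8"),
        "password_bytes": passwd,
        "password_is_utf8": passwd_is_utf8,
    }

def compare_encodings():
    """Build the same login twice, differing only in password byte encoding."""
    return {enc: parse_plain(build_plain(MAILBOX_USER, ADMIN_USER, SAMPLE_PASSWORD, enc))
            for enc in ("utf-8", "latin-1")}

if __name__ == "__main__":
    # The blob is only base64: treat debug output containing it as the password itself.
    for enc, fields in compare_encodings().items():
        print(enc, fields["authzid"], fields["authcid"], fields["password_bytes"].hex())
```

Decoding a captured response this way shows which identity landed in which field and whether the password bytes are UTF-8, without guessing from the server's generic NO reply.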

@Mer0me
Author

Mer0me commented Oct 18, 2023

I forgot I've already posted this issue here: #383.
Sorry, but it's more detailed here.

@gilleslamiral
Member

No real clue since I don't use Exchange.
Can you explicitly add permissions to the admin for the new buggy users?

@gilleslamiral gilleslamiral self-assigned this Oct 18, 2023
@gilleslamiral gilleslamiral added Exchange Exchange issues Authentication Authentication issues, credentials, special characters... Admin Admin authentication labels Oct 18, 2023
@Mer0me
Author

Mer0me commented Oct 18, 2023

All permissions have been set, in many different ways (PowerShell, graphic interface, at organization level, database level, personal level...). Nothing changes.

--debugimap1 doesn't give more information.

@xatrix78

Hi, I have exactly the same problem. Did you solve this issue?

@Mer0me
Author

Mer0me commented Apr 24, 2024

No, I finally used a form to get and securely store users' passwords during the migration process. Impersonation was used on the dovecot side, but real user/password on the Exchange side.

@xatrix78

OK, that's not possible for me. I have 4300 accounts to migrate. @gilleslamiral do you need some info to help us?

@gilleslamiral
Member

I don't know Exchange but I know some users could do Admin authentication for the whole lineage Exchange 2003/2007/2010/2013/2016.
There are several Q/A about it at https://imapsync.lamiral.info/FAQ.d/FAQ.Exchange.txt

Q. From XXX to Exchange 2010 or 2013, the flag Flagged does 
   not seem to be well synced. What can I do?

Q. How to migrate from or to Exchange 2007/2010/2013 with an
   admin/authuser account?

Q. How to migrate from or to Exchange 2016 with an admin/authuser account?

Q. How to migrate from or to Exchange 2003 with an admin/authuser account?

I just reported what users told me, what worked for them.
Read all of them, maybe it will ring a bell.
And try...
