The server to which the application is connected cannot impersonate the requested user due to insufficient permission.

PROBLEM: When running The Transporter for either Lotus Notes or IMAP migrations, you may encounter the following error:

 

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:01:00

email@address.com
Failed

Error:
Migration does not happen for the user (email@address.com) due to some errors. All the mailbox items belonging to this user will be ignored.

System.Web.Services.Protocols.SoapException: The server to which the application is connected cannot impersonate the requested user due to insufficient permission.
   at Microsoft.Exchange.Services.RequestSoapHeaderServiceExtension.ProcessSoapHeaders(SoapMessage message, Object responsibleObject)
   at Microsoft.Exchange.Services.RequestSoapHeaderServiceExtension.AfterDeserializeRequest(SoapMessage message)
   at Microsoft.Exchange.Services.ServiceExtensionManager.DoAfterDeserializeRequest(SoapMessage message)
   at Microsoft.Exchange.Services.ServiceExtensionManager.<>c__DisplayClass1.<ProcessMessage>b__0()
   at Microsoft.Exchange.Diagnostics.ExWatson.<>c__DisplayClass8.<SendReportOnUnhandledException>b__4()
   at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
   at Microsoft.Exchange.Diagnostics.ExWatson.SendReportOnUnhandledException(MethodDelegate methodDelegate, IsExceptionInteresting exceptionInteresting, Boolean terminating)
   at Microsoft.Exchange.Diagnostics.ExWatson.SendReportOnUnhandledException(MethodDelegate methodDelegate, IsExceptionInteresting exceptionInteresting)
   at Microsoft.Exchange.Services.Core.ServiceDiagnostics.TraceErrorOnUnhandledException(MethodDelegate methodDelegate)
   at Microsoft.Exchange.Services.ServiceExtensionManager.ProcessMessage(SoapMessage message)
   at System.Web.Services.Protocols.SoapMessage.RunExtensions(SoapExtension[] extensions, Boolean throwOnException)
   at System.Web.Services.Protocols.SoapServerProtocol.CreateServerInstance()
   at System.Web.Services.Protocols.WebServiceHandler.Invoke()
   at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()

Warning:
Impersonation failed for the user (email@address.com) Error: (ErrorImpersonationDeniedThe server to which the application is connected cannot impersonate the requested user due to insufficient permission.).

 

RESOLUTION:

This error means that the account running the migration lacks permission to impersonate the target user. The Active Directory user used to perform the migration must have permission to impersonate the users in order to inject mail into their mailboxes.

This permission can be set using the Exchange Management Shell.

This adds the permission to one CAS (Client Access Server):
Add-ADPermission -Identity 'DN_of_ClientAccessServer' -User 'domain\user' -ExtendedRights ms-Exch-EPI-Impersonation

This adds the permission to all CAS servers:
# Grant the impersonation right on every server that holds the Client Access role.
foreach ($exchangeServer in Get-ExchangeServer)
{
    if ($exchangeServer.ServerRole -match 'ClientAccess')
    {
        Add-ADPermission -Identity $exchangeServer.DistinguishedName -User 'domain\user' -ExtendedRights ms-Exch-EPI-Impersonation
    }
}
   
Where domain\user is the user performing the migration.
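
The impersonation right lets the holder act as any mailbox owner through the CAS, so it is worth confirming exactly who holds it and revoking it once the migration is finished. The following is an added example, not part of the original article or of The Transporter itself; it assumes the Exchange Management Shell, reuses the page's 'domain\user' placeholder, and the $expected allow-list and Get-ImpersonationGrant function name are hypothetical.

```powershell
# Added example: audit and clean up the impersonation right granted above.
# Run in the Exchange Management Shell. 'domain\user' is the page's placeholder
# for the migration account; $expected is a hypothetical allow-list.
$right    = 'ms-Exch-EPI-Impersonation'
$expected = @('domain\user')

function Get-ImpersonationGrant {
    # Return one row per ACE that carries the impersonation right on a CAS object.
    foreach ($exchangeServer in Get-ExchangeServer) {
        if ($exchangeServer.ServerRole -match 'ClientAccess') {
            Get-ADPermission -Identity $exchangeServer.DistinguishedName |
                Where-Object { $_.ExtendedRights -like $right } |
                Select-Object @{n='Server';e={$exchangeServer.Name}},
                              @{n='User';e={$_.User.ToString()}},
                              Deny, IsInherited
        }
    }
}

$grants = @(Get-ImpersonationGrant)
$grants | Format-Table -AutoSize

# Allow entries held by accounts that are not on the allow-list.
$unexpected = $grants | Where-Object { -not $_.Deny -and ($expected -notcontains $_.User) }
if ($unexpected) {
    Write-Warning 'Impersonation right held by accounts outside the allow-list:'
    $unexpected | Format-Table -AutoSize
}

# After the migration: revoke the explicit grants made for the migration account.
# -WhatIf only previews the change; remove it to apply.
foreach ($g in $grants | Where-Object { $_.User -eq 'domain\user' -and -not $_.IsInherited }) {
    $dn = (Get-ExchangeServer $g.Server).DistinguishedName
    Remove-ADPermission -Identity $dn -User $g.User -ExtendedRights $right -WhatIf
}
```

Rows with Deny set to True are deny entries, not grants, and are excluded from the allow-list check.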