How To Create The Retain User In Exchange 2013

  • 7020304
  • 27-Jan-2015
  • 07-Aug-2017


Retain 3.x
Exchange Module


To archive from Exchange 2013, Retain needs a user in Exchange 2013 with ApplicationImpersonation rights. The Retain user is also known as the Impersonation user or the Global Catalog User.


Log into the Exchange Admin Center at https://[your Exchange server address]/ecp

You will need to create a new mailbox user:
Select Recipients, Mailboxes, Plus, and User Mailbox

Then fill in the appropriate fields:

Next you will need to add the Application Impersonation rights:
Go to Permissions / Admin Roles / Plus (new)

Give it an easy to remember name and description:

Now to add the Roles and Members:

For the Role it needs to be ApplicationImpersonation.
Note: ApplicationImpersonation and Administrator rights are mutually exclusive, as a security measure implemented by Microsoft.

Add the Retain User as a Member:

Finally, you must enable Basic Authentication. The setting has to be deployed to all the CAS servers, and the easiest way to do that is within the EAC, under Servers / Virtual Directories. It needs to be enabled for both Autodiscover and EWS.

Click on the Pencil to edit and select Authentication and make sure Basic Authentication is checked.

See Determining if Basic Authentication Is Enabled on Your Network to double check that Basic Authentication was successfully enabled across all CAS servers.
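The same procedure can be run and checked from the Exchange Management Shell. The script below is an added example, not part of the original article or of Retain. The mailbox name "Retain", the UPN retain@example.com and the role group name "RetainImpersonation" are assumptions to replace with your own values.

```powershell
# Added example: Exchange Management Shell equivalent of the EAC steps above.
# Assumed names (not from the article): mailbox 'Retain',
# UPN 'retain@example.com', role group 'RetainImpersonation'.

# 1. Create the Retain mailbox user. The password is prompted for, not hard-coded.
$password = Read-Host -AsSecureString -Prompt 'Password for the Retain user'
New-Mailbox -Name 'Retain' -UserPrincipalName 'retain@example.com' -Password $password

# 2. Create the admin role group holding only ApplicationImpersonation
#    and add the Retain user as its member.
New-RoleGroup -Name 'RetainImpersonation' `
    -Description 'Impersonation rights for Retain archiving' `
    -Roles 'ApplicationImpersonation' -Members 'Retain'

# 3. Enable Basic Authentication for EWS and Autodiscover on every CAS server.
foreach ($cas in Get-ClientAccessServer) {
    Get-WebServicesVirtualDirectory -Server $cas.Name |
        Set-WebServicesVirtualDirectory -BasicAuthentication $true
    Get-AutodiscoverVirtualDirectory -Server $cas.Name |
        Set-AutodiscoverVirtualDirectory -BasicAuthentication $true
}

# 4. Verify group membership, and list every account that effectively holds
#    ApplicationImpersonation. The role lets its holder act as other mailboxes,
#    so any entry other than the Retain user deserves a second look.
Get-RoleGroupMember -Identity 'RetainImpersonation' | Format-Table Name, RecipientType
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Format-Table Name, RoleAssigneeName, EffectiveUserName

# 5. Verify Basic Authentication on all EWS and Autodiscover virtual directories
#    and flag any server where the change did not take effect.
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-AutodiscoverVirtualDirectory)
$vdirs | Sort-Object Server, Name | Format-Table Server, Name, BasicAuthentication
$missing = $vdirs | Where-Object { -not $_.BasicAuthentication }
if ($missing) {
    $missing | ForEach-Object {
        Write-Warning "Basic Authentication is still disabled on $($_.Server): $($_.Name)"
    }
}
```

Steps 4 and 5 only read configuration, so they can be rerun on their own after any later change to roles or virtual directories.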

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 2450.