Configuring Exchange Web Services impersonation on CAS proxy servers
Create a new security group that contains only the Exchange Server 2010 CAS computers that act as proxy servers.
Log on to an Exchange Server 2010 computer using an account that is assigned the "Role Management" role. By default, members of the "Organization Management" role group are assigned this role.
Using Exchange Management Shell, run the following command line:
New-ManagementRoleAssignment -Name:role assignment name -Role:ApplicationImpersonation -SecurityGroup:security group name
role assignment name can be a name of your choice.
security group name is the name of the security group you created for the proxy Exchange 2010 CAS servers.