
Can't sign in to OWA or EAC after you install Exchange Server 2019 CU2 with AD FS



Symptoms

Consider the following scenario:

  • You deploy Microsoft Exchange Server 2019 in your organization.
  • You install and configure Active Directory Federation Services (AD FS) in Exchange Server 2019. This enables clients to use AD FS claims-based authentication to connect to Outlook on the web (OWA) and the Exchange admin center (EAC).
  • You install Cumulative Update 2 for Exchange Server 2019.

In this scenario, you can't sign in to either OWA or EAC, and you receive an error message that resembles the following:

Server Error in '/ecp or owa' Application.

Unable to cast object of type 'Microsoft.Exchange.Security.Authentication.AdfsIdentity' to type 'System.Security.Principal.WindowsIdentity'.

Additionally, Event ID 1003 is logged in the Event Viewer and shows the same exception error:

An internal server error occurred. The unhandled exception was: System.InvalidCastException:

Unable to cast object of type 'Microsoft.Exchange.Security.Authentication.AdfsIdentity' to type 'System.Security.Principal.WindowsIdentity'.
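The following script is an added example (not part of the KB article) that checks whether the symptom described above is present on a server: it searches the Application log for Event ID 1003 entries whose message contains the InvalidCastException text quoted in the article, and, when it finds any, reports the server's build and the AD FS state of the OWA and ECP virtual directories. It assumes an elevated Exchange Management Shell session; because the article does not name the event source, the filter matches on event ID and message text only.

```powershell
# Added example, not from the KB article. Assumes an elevated Exchange Management Shell
# on (or with remote access to) the affected Exchange 2019 server.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

# Event ID 1003 in the Application log is the entry the article describes.
# The event source is not named in the article, so we do not filter on ProviderName.
$filter = @{
    LogName   = 'Application'
    Id        = 1003
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it and treat as "no hits".
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

# Signature string copied verbatim from the error text quoted in the article.
$signature = "Unable to cast object of type 'Microsoft.Exchange.Security.Authentication.AdfsIdentity' to type 'System.Security.Principal.WindowsIdentity'"

$hits = @($events | Where-Object { $_.Message -like "*$signature*" })

if ($hits.Count -gt 0) {
    Write-Host ("Found {0} Event ID 1003 entries with the AdfsIdentity cast error in the last {1} hours on {2}:" -f $hits.Count, $Hours, $ComputerName)
    $hits | Select-Object TimeCreated, ProviderName, Id | Format-Table -AutoSize

    # Show the installed build so it can be compared against the CU2 scenario in the article,
    # and show whether AD FS authentication is enabled on the OWA and ECP virtual directories.
    Get-ExchangeServer -Identity $ComputerName | Format-List Name, AdminDisplayVersion
    Get-OwaVirtualDirectory -Server $ComputerName | Format-List Identity, AdfsAuthentication, FormsAuthentication
    Get-EcpVirtualDirectory -Server $ComputerName | Format-List Identity, AdfsAuthentication, FormsAuthentication
} else {
    Write-Host "No Event ID 1003 entries with the AdfsIdentity cast error were found in the last $Hours hours on $ComputerName."
}
```

Run it as `.\Find-AdfsCastError.ps1 -ComputerName Server2019CU2 -Hours 48` (the script name is a placeholder). A hit together with AdfsAuthentication set to True on both virtual directories is the combination the Resolution and Workaround sections address.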



Resolution

To fix this issue, install Cumulative Update 3 for Exchange Server 2019 or a later cumulative update for Exchange Server 2019.



Workaround

To work around this issue, use either of the following methods.

Method 1

Configure one of the following versions of Exchange Server to provide Front-End client access in your organization:

  • Exchange Server 2019 CU1 or RTM
  • Exchange Server 2016 CU11 or a later version
  • Exchange Server 2013 CU21 or a later version

For example, the issue occurs if you have a server that is running Exchange Server 2019 CU2 and has AD FS configured to process client requests, such as https://mail.contoso.com/owa. If this occurs, make appropriate changes (to either the host records in DNS or your load balancer) to make sure that client requests that are received on mail.contoso.com are sent to an earlier version of Exchange Server.

If there are no earlier-version servers available, use method 2.

Method 2

Disable the AD FS authentication method for OWA and ECP, and enable another authentication method in its place. To do this, run the following PowerShell cmdlets:

Set-OwaVirtualDirectory -Identity "Server2019CU2\owa (Default Web site)" -AdfsAuthentication:$false -FormsAuthentication:$true

This example command disables AD FS authentication and enables forms authentication on the default OWA virtual directory on the server that is named "Server2019CU2."

Set-EcpVirtualDirectory -Identity "Server2019CU2\ecp (Default Web site)" -AdfsAuthentication:$false -FormsAuthentication:$true

This example command disables AD FS authentication and enables forms authentication on the default ECP virtual directory on the server that is named "Server2019CU2."
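The following script is an added example (not part of the KB article) that applies the Method 2 workaround to both virtual directories of one server in a single pass and shows the authentication settings before and after the change, so the result can be verified. It assumes an Exchange Management Shell session, that `$Server` is the name of the affected Exchange 2019 CU2 server, and that the virtual directories use the default names `owa` and `ecp` under `Default Web Site`; the helper function name is hypothetical.

```powershell
# Added example, not from the KB article. Assumes the Exchange Management Shell and the
# default virtual directory names under "Default Web Site".
param(
    [Parameter(Mandatory = $true)]
    [string]$Server
)

$owaIdentity = "$Server\owa (Default Web Site)"
$ecpIdentity = "$Server\ecp (Default Web Site)"

# Hypothetical helper: print the authentication settings of both directories.
function Show-AuthState {
    param([string]$Label)
    Write-Host "--- $Label ---"
    Get-OwaVirtualDirectory -Identity $owaIdentity |
        Format-List Identity, AdfsAuthentication, FormsAuthentication, WindowsAuthentication, BasicAuthentication
    Get-EcpVirtualDirectory -Identity $ecpIdentity |
        Format-List Identity, AdfsAuthentication, FormsAuthentication, WindowsAuthentication, BasicAuthentication
}

Show-AuthState -Label "Before"

# The article changes both directories. Changing only one would leave AD FS authentication,
# and therefore the InvalidCastException, in place for the other application.
Set-OwaVirtualDirectory -Identity $owaIdentity -AdfsAuthentication:$false -FormsAuthentication:$true
Set-EcpVirtualDirectory -Identity $ecpIdentity -AdfsAuthentication:$false -FormsAuthentication:$true

Show-AuthState -Label "After"

# Assumption (not stated in the article): the new settings apply to new sessions after IIS
# on the server is restarted, for example with iisreset.
Write-Host "Restart IIS on $Server (for example with 'iisreset') so the change takes effect."
```

Run it as `.\Disable-AdfsOnOwaEcp.ps1 -Server Server2019CU2` (the script name is a placeholder). The "After" output should show AdfsAuthentication False and FormsAuthentication True for both directories; if it does not, the identities probably do not match the virtual directory names on that server, which `Get-OwaVirtualDirectory -Server $Server` will list.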



Keywords: kbSupportTopic, kbContentAuto, Setup issues


Article Info
Article ID : 4513500
Revision : 12
Created on : 7/30/2020
Published on : 7/30/2020
Exists online : False
Views : 247