Can't sign in to OWA or EAC after you install Exchange Server 2019 CU2 with AD FS

Applies to: Exchange Server 2019

Symptoms


Consider the following scenario:

  • You deploy Microsoft Exchange Server 2019 in your organization.
  • You install and configure Active Directory Federation Services (AD FS) in Exchange Server 2019. This enables clients to use AD FS claims-based authentication to connect to Outlook on the web (OWA) and the Exchange admin center (EAC).
  • You install Cumulative Update 2 for Exchange Server 2019.

In this scenario, you can’t sign in to OWA and EAC, and you receive an error message that resembles the following:

Server Error in '/ecp or owa' Application.

Unable to cast object of type 'Microsoft.Exchange.Security.Authentication.AdfsIdentity' to type 'System.Security.Principal.WindowsIdentity'.

Additionally, Event ID 1003 is logged in the Event Viewer and shows the same exception error:

An internal server error occurred. The unhandled exception was: System.InvalidCastException:

Unable to cast object of type 'Microsoft.Exchange.Security.Authentication.AdfsIdentity' to type 'System.Security.Principal.WindowsIdentity'.

Status


Microsoft is aware of this issue and is working to fix it in a future cumulative update.

Workaround


To work around this issue, use either of the following methods.

Method 1

Configure one of the following versions of Exchange Server to provide Front-End client access in your organization:

  • Exchange Server 2019 CU1 or RTM
  • Exchange Server 2016 CU11 or a later version
  • Exchange Server 2013 CU21 or a later version

For example, the issue occurs if you have a server that is running Exchange Server 2019 CU2 and has AD FS configured to process client requests, such as https://mail.contoso.com/owa. If this occurs, make appropriate changes (to either the host records in DNS or your Load Balancer) to make sure that client requests that are received on mail.contoso.com are sent to an earlier version of Exchange Server.

If there are no earlier-version servers available, use method 2.

Method 2

Disable the AD FS authentication method for OWA and ECP, and enable any other authentication method. To do this, run the following PowerShell cmdlet:

Set-OwaVirtualDirectory -Identity "Server2019CU2\owa (Default Web site)" -AdfsAuthentication:$false -FormsAuthentication $true

This example command disables AD FS authentication and enables forms authentication on the default OWA virtual directory on the server that is named "Server2019CU2."

Set-EcpVirtualDirectory -Identity "Server2019CU2\ecp (Default Web site)" -AdfsAuthentication:$false -FormsAuthentication $true

This example command disables AD FS authentication and enables forms authentication on the default ECP virtual directory on the server that is named "Server2019CU2."
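The two cmdlets above are the whole of method 2, but in practice you want to see the current state of both virtual directories, change them together, and confirm that the change applied before sending users back to OWA. The script below is an added example and is not part of the Microsoft article; it assumes it is run from the Exchange Management Shell by an account with rights to manage virtual directories, and `$ServerName` is a placeholder for the affected CU2 server (the file name used in the usage note is likewise made up).

```powershell
# Added example (not from the Microsoft article). Run from the Exchange
# Management Shell. $ServerName is a placeholder for the affected CU2 server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$ServerName
)

# Identities follow the article's "<server>\<vdir> (Default Web Site)" form.
$owaId = "$ServerName\owa (Default Web Site)"
$ecpId = "$ServerName\ecp (Default Web Site)"

function Get-VdirAuthState {
    # Returns the authentication flags of both vdirs so before/after can be compared.
    param([string]$OwaIdentity, [string]$EcpIdentity)
    $props = 'Identity', 'AdfsAuthentication', 'FormsAuthentication',
             'BasicAuthentication', 'WindowsAuthentication'
    @(
        (Get-OwaVirtualDirectory -Identity $OwaIdentity | Select-Object $props),
        (Get-EcpVirtualDirectory -Identity $EcpIdentity | Select-Object $props)
    )
}

Write-Host "Before:"
$before = Get-VdirAuthState -OwaIdentity $owaId -EcpIdentity $ecpId
$before | Format-Table -AutoSize

# Only touch a server that actually has AD FS enabled on one of the vdirs;
# a server already on forms authentication is left alone.
if (-not ($before | Where-Object { $_.AdfsAuthentication })) {
    Write-Host "AD FS authentication is not enabled on $ServerName; nothing to do."
    return
}

# -WhatIf / -Confirm are honoured here because of SupportsShouldProcess.
if ($PSCmdlet.ShouldProcess($ServerName, "Disable AD FS auth and enable forms auth on owa and ecp")) {
    # Same change the article makes, applied to both vdirs in one run.
    Set-OwaVirtualDirectory -Identity $owaId -AdfsAuthentication:$false -FormsAuthentication:$true
    Set-EcpVirtualDirectory -Identity $ecpId -AdfsAuthentication:$false -FormsAuthentication:$true

    Write-Host "After:"
    $after = Get-VdirAuthState -OwaIdentity $owaId -EcpIdentity $ecpId
    $after | Format-Table -AutoSize

    # Fail loudly if either vdir still reports AD FS on or forms auth off.
    $bad = $after | Where-Object { $_.AdfsAuthentication -or -not $_.FormsAuthentication }
    if ($bad) {
        throw "Authentication change did not apply to: $($bad.Identity -join ', ')"
    }
}
```

Run it first with `-WhatIf` (for example `.\Set-OwaEcpFormsAuth.ps1 -ServerName Server2019CU2 -WhatIf`, with a file name of your choosing) to see which directories would change, then without it. Authentication changes on these virtual directories are picked up by IIS only after its application pools recycle, so follow the run with an `iisreset` on that server and then test a sign-in to https://mail.contoso.com/owa and /ecp; users on that server will now see the Exchange forms sign-in page instead of being redirected to AD FS.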