Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.


Consider the following scenario:

  • You deploy Microsoft Exchange Server 2019 in your organization.

  • You install and configure Active Directory Federation Services (AD FS) in Exchange Server 2019. This enables clients to use AD FS claims-based authentication to connect to Outlook on the web (OWA) and the Exchange admin center (EAC).

  • You install Cumulative Update 2 for Exchange Server 2019.

In this scenario, you can’t sign in to OWA and EAC, and you receive an error message that resembles the following:

Server Error in '/ecp or owa' Application.

Unable to cast object of type 'Microsoft.Exchange.Security.Authentication.AdfsIdentity' to type 'System.Security.Principal.WindowsIdentity'.

Additionally, Event ID 1003 is logged in the Event Viewer and shows the same exception error:

An internal server error occurred. The unhandled exception was: System.InvalidCastException:

Unable to cast object of type 'Microsoft.Exchange.Security.Authentication.AdfsIdentity' to type 'System.Security.Principal.WindowsIdentity'.


To fix this issue, install the Cumulative Update 3 for Exchange Server 2019 or a later cumulative update for Exchange Server 2019.


To work around this issue, use either of the following methods.

Method 1

Configure one of the following versions of Exchange Server to provide Front-End client access in your organization:

  • Exchange Server 2019 CU1 or RTM

  • Exchange Server 2016 CU11 or a later version

  • Exchange Server 2013 CU21 or a later version

For example, the issue occurs if you have a server that is running Exchange Server 2019 CU2 and has AD FS configured to process client requests, such as If this occurs, make appropriate changes (to either the host records in DNS or your Load Balancer) to make sure that client requests that are received on are sent to an earlier version of Exchange Server.

If there are no earlier-version servers available, use method 2.

Method 2

Disable the AD FS authentication method for OWA and ECP, and enable any other authentication method. To do this, run the following PowerShell cmdlet:

Set-OwaVirtualDirectory -Identity "Server2019CU2\ecp (Default Web site)" - AdfsAuthentication:$false -FormsAuthentication $true

This example command disables AD FS authentication and enables forms authentication on the default OWA virtual directory on the server that is named "Server2019CU2."

Set-EcpVirtualDirectory -Identity "Server2019CU2\owa (Default Web site)" - AdfsAuthentication:$false -FormsAuthentication $true

This example command disables AD FS authentication and enables forms authentication on the default ECP virtual directory on the server that is named "Server2019CU2."

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!