YaroslavZ-1759 asked YaroslavZ-1759 commented

Exchange 2019 cross-forest permission issue, msExchVersion strange behaviour.

Hi there!

We have 2 forests (2-way trust), one forest has Exchange 2019 (CU11) and the other Exchange 2019 (CU10).

FIM GALSync is syncing Address Books between the organizations, so we have cross-forest contacts created with the attribute set required for cross-forest sharing.

FIM was set up a while ago, when both Exchange orgs were on the 2013 version, and all the cross-forest contacts have the msExchVersion attribute value set to '88218628259840', which refers to Exchange 2013.

When I try to add cross-forest permissions with msExchVersion=88218628259840, I get an exception:

 Add-MailboxPermission domain1\john.smith -user domain2\michael.brown -AccessRights fullaccess -AutoMapping:$False -InheritanceType all

 WARNING: An unexpected error has occurred and a Watson dump is being generated: Unable to cast object of type 'Microsoft.Exchange.Data.Directory.Recipient.ADContact' to type 'Microsoft.Exchange.Data.Directory.Recipient.IADSecurityPrincipal'.
 Unable to cast object of type 'Microsoft.Exchange.Data.Directory.Recipient.ADContact' to type 'Microsoft.Exchange.Data.Directory.Recipient.IADSecurityPrincipal'.
     + CategoryInfo          : NotSpecified: (:) [Add-MailboxPermission], InvalidCastException
     + FullyQualifiedErrorId : System.InvalidCastException,Microsoft.Exchange.Management.RecipientTasks.AddMailboxPermission

However, I can add cross-forest permissions to the calendar:

 Add-MailboxfolderPermission "john.smith@domain1.com:\Calendar" -user michael.brown@domain2.com -AccessRights PublishingEditor
 FolderName           User                 AccessRights
 ----------           ----                 ------------
 Calendar             michael.brown        {PublishingEditor}

==================================================================================

Then I set msExchVersion=1125899906842624 on the cross-forest contact, which is actually the 2016 value; I'm not able to find any reference to a 2019 value.

Now I'm able to successfully add cross-forest permissions:

 Add-MailboxPermission domain1\john.smith -user domain2\michael.brown -AccessRights fullaccess -AutoMapping:$False -InheritanceType all

 Identity             User                 AccessRights      IsInherited Deny
 --------             ----                 ------------      ----------- ----
 domain1.local\jo...  domain2\michael.b... {FullAccess}      False       False

At the same time, 'Add-MailboxFolderPermission' broke:

 Add-MailboxfolderPermission "john.smith@domain1.com:\Calendar" -user michael.brown@domain2.com -AccessRights PublishingEditor

 The user "michael.brown@domain2.com" is either not valid SMTP address, or there is no matching information.
     + CategoryInfo          : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidExternalUserIdException
     + FullyQualifiedErrorId : [Server=ServerName,RequestId=29d1bcf9-52f8-4bf9-90a7-570a392490c7,TimeStamp=22.11.2021 10:16:00] [FailureCategory=Cmdlet-InvalidExternalUserIdException] 78747CAA,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission

I have never managed to get these two things to work together. We did not have any issues with sharing on Exchange 2013.

We have no option to open a case in MS Support, so any input would be appreciated.

Tags: office-exchange-server-administration, office-exchange-server-itpro
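The question boils down to which of the two cmdlets succeeds for a cross-forest contact under each msExchVersion value, so here is an added probe script (not code from the original post) that reproduces that check in a controlled way: it tries both grants under each value named in the thread, removes any grant it managed to create, and puts the original attribute back. It assumes the ActiveDirectory module and an Exchange Management Shell session; the DN, mailbox and user names are placeholders.

```powershell
# Added example, not code from the original post. Probes which of the two
# cmdlets from the thread works for a cross-forest contact under each
# msExchVersion value named there, cleans up any grant it made, and restores
# the original attribute value. Assumes the ActiveDirectory module plus an
# Exchange Management Shell session; every name below is a placeholder.
Import-Module ActiveDirectory

$ContactDN   = 'CN=michael.brown,OU=GALSync,DC=domain1,DC=local'  # placeholder DN
$Mailbox     = 'domain1\john.smith'                                # placeholder
$MailboxSmtp = 'john.smith@domain1.com'                            # placeholder
$UserSam     = 'domain2\michael.brown'                             # placeholder
$UserSmtp    = 'michael.brown@domain2.com'                         # placeholder

# The two values discussed in the thread.
$Candidates = [ordered]@{ '88218628259840' = 'Exchange 2013'; '1125899906842624' = 'Exchange 2016' }

# Snapshot the current value so the contact is left exactly as found.
$Original = (Get-ADObject -Identity $ContactDN -Properties msExchVersion).msExchVersion

function Test-CrossForestGrant {
    param([string]$Version)
    Set-ADObject -Identity $ContactDN -Replace @{ msExchVersion = [long]$Version }
    $r = [ordered]@{ msExchVersion = $Version; Label = $Candidates[$Version] }
    try {
        Add-MailboxPermission -Identity $Mailbox -User $UserSam -AccessRights FullAccess `
            -AutoMapping:$false -InheritanceType All -ErrorAction Stop | Out-Null
        $r.MailboxPermission = 'OK'
        # Undo the test grant so no FullAccess entry is left behind.
        Remove-MailboxPermission -Identity $Mailbox -User $UserSam -AccessRights FullAccess -Confirm:$false
    } catch { $r.MailboxPermission = $_.Exception.GetType().Name }
    try {
        Add-MailboxFolderPermission -Identity "${MailboxSmtp}:\Calendar" -User $UserSmtp `
            -AccessRights PublishingEditor -ErrorAction Stop | Out-Null
        $r.FolderPermission = 'OK'
        Remove-MailboxFolderPermission -Identity "${MailboxSmtp}:\Calendar" -User $UserSmtp -Confirm:$false
    } catch { $r.FolderPermission = $_.Exception.GetType().Name }
    [pscustomobject]$r
}

try {
    $Candidates.Keys | ForEach-Object { Test-CrossForestGrant -Version $_ } | Format-Table -AutoSize
} finally {
    # Always restore the original msExchVersion, even if a cmdlet threw.
    if ($null -ne $Original) { Set-ADObject -Identity $ContactDN -Replace @{ msExchVersion = $Original } }
    else { Set-ADObject -Identity $ContactDN -Clear msExchVersion }
}
```

The output is one row per candidate value with either OK or the exception type name (InvalidCastException, InvalidExternalUserIdException) for each cmdlet, which is the same evidence the post reports but gathered without leaving a FullAccess grant or a changed attribute behind.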

Hi @YaroslavZ-1759

I tested in my lab (two Exchange 2016 servers cross-forest, which did not have Exchange 2013 servers before).
Instead of using FIM, I manually created cross-forest contacts according to this link: Exchange Server 2010 Cross Forest Delegation

The msExchVersion value is 88218628259840 and I was able to run the Add-MailboxPermission command to assign permission.
So I suppose this value may not be the cause in this case.

In EAC on Exchange in domain1:
[screenshot: 62.png]

Assign permission on Exchange in domain2:
[screenshot: 63.png]

However, the Add-MailboxfolderPermission command returns the same error message (The user is either not valid SMTP address, or there is no matching information.). I suppose it does not work for cross-forest mail contacts and you may need to specify a mail user in the local forest.
[screenshot: 65.png]

Could you please try to change the contact's msExchVersion value to 1125899906842624 and then try both
Add-MailboxFolderPermission and Add-MailboxPermission?

Thanks.


Please check the following screenshots.

Cross-forest contact user01@domain2.com, msExchVersion: 1125899906842624
[screenshot: 66.png]

Add-MailboxPermission:
[screenshot: 67.png]

Add-MailboxFolderPermission:
[screenshot: 68.png]

Could you please wait for 15 minutes and try again?


Hi,
I tested it again and the result is the same.
Not sure if it has something to do with the version of the Exchange server, since I am using Exchange 2016.


Could you please paste the output of:

 Get-ADObject "DN of contact" -Properties * | fl msexch*

Thanks.


Sure.
Below is the result:
[screenshot: 69.png]

Hi @YaroslavZ-1759

I am writing here to confirm with you how things are going now.
Please let us know if you would like further assistance.


0 Answers