This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 11%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYZ%3C/text%3E%3C/svg%3E)
Hi there!
We have 2 forests (2-way trust), one forest has Exchange 2019 (CU11) and the other Exchange 2019 (CU10).
FIM GALSync is syncing Address Books between organization. So we have cross-forest contacts created with the attribute set required for cross-forest sharing ability.
FIM has been setup a while ago when both Exchange orgs were on 2013 version, and all the cross-forest contacts have msExchVersion attribute value set to '88218628259840', which refers to Exchange 2013.
When I try to add cross-forest permissions with msExchVersion=88218628259840 I got an exception:
Add-MailboxPermission domain1\john.smith -user domain2\michael.brown -AccessRights fullaccess -AutoMapping:$False -InheritanceType all
WARNING: An unexpected error has occurred and a Watson dump is being generated: Unable to cast object of type 'Microsoft.Exchange.Data.Directory.Recipient.ADContact' to type
'Microsoft.Exchange.Data.Directory.Recipient.IADSecurityPrincipal'.
Unable to cast object of type 'Microsoft.Exchange.Data.Directory.Recipient.ADContact' to type 'Microsoft.Exchange.Data.Directory.Recipient.IADSecurityPrincipal'.
+ CategoryInfo : NotSpecified: (:) [Add-MailboxPermission], InvalidCastException
+ FullyQualifiedErrorId : System.InvalidCastException,Microsoft.Exchange.Management.RecipientTasks.AddMailboxPermission
Although, I can add cross-forest permissions to the calendar:
Add-MailboxfolderPermission "******@domain1.com:\Calendar" -user ******@domain2.com -AccessRights PublishingEditor
FolderName User AccessRights
---------- ---- ------------
Then I set msExchVersion=1125899906842624 to the cross-forest contact, which is actually 2016, but I'm not able to find any reference to 2019.
Now I'm able to successfully add cross-forest permissions:
Add-MailboxPermission domain1\john.smith -user domain2\michael.brown -AccessRights fullaccess -AutoMapping:$False -InheritanceType all
Identity User AccessRights IsInherited Deny
-------- ---- ------------ ----------- ----
domain1.local\jo... domain2\michael.b... {FullAccess} False False
At the same time I got 'Add-MailboxfolderPermission' broken:
Add-MailboxfolderPermission "******@domain1.com:\Calendar" -user ******@domain2.com -AccessRights PublishingEditor
The user "******@domain2.com" is either not valid SMTP address, or there is no matching information.
+ CategoryInfo : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidExternalUserIdException
+ FullyQualifiedErrorId : [Server=ServerName,RequestId=29d1bcf9-52f8-4bf9-90a7-570a392490c7,TimeStamp=22.11.2021 10:16:00] [FailureCategory=Cmdlet-InvalidExternalUse
rIdException] 78747CAA,Microsoft.Exchange.Management.StoreTasks.AddMailboxFolderPermission
I have never managed to get these things work together. We have not had any issues with sharing on Exchange 2013.
We have no option to open a case in MS Support, so any input would be appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi @Yaroslav Z
I tested in my lab (two Exchange 2016 servers cross-forest, which don't have Exchange 2013 servers before).
Instead of using FIM,I manually created cross-forest contacts according to this link: Exchange Server 2010 Cross Forest Delegation
The msExchVersion value is 88218628259840 and I was able to run the Add-MailboxPermission command to assign perssmission.
So I suppose this value may not be the cause in this case.
In EAC on Exchange in domain1:
assign permission on Exchange in domain2:
However, the Add-MailboxfolderPermission command returns the same error message (The user is either not valid SMTP address, or there is no matching information.), I suppose it does not work for cross-forest mail contacts and you may need to specify a mail user in the local forest.
Could you please try to change contact's msExchVersion value to 1125899906842624 and then try both
Add-MailboxFolderPermission and Add-MailboxPermission
Thanks.
Please check the following screenshots.
Cross-Forest contact ******@domain2.com msExchVersion: 1125899906842624
Add-MailboxPermission:
Add-MailboxFolderPermission:
Could you please wait for 15 minutes and try again?
Hi,
I tested it again and the result is same.
Not sure if it has something to do with the version of Exchange server since I am using Exchange 2016.
Could you please paste the output of:
Get-adobject "DN of contact" -Properties * | fl msexch
Thanks.
Sure.
Below is the result:
Hi @Yaroslav Z
I am writing here to confirm with you how thing going now?
Please let us know if you would like further assistance.
Hi
I still facing the issue.
Cannot manage to make Add-MailboxFolderPermission and Add-MailboxPermission working together.
Thanks for your update.
Would it actually work after the Add-MailboxFolderPermission and Add-MailboxPermission command is successfully run?
For example, if you successfully run Add-MailboxFolderPermission, can you add and access the shared folder in Outlook?
Hi @Kael Yao-MSFT , sorry for the late response.
Would it actually work after the Add-MailboxFolderPermission and Add-MailboxPermission command is successfully run?
For example, if you successfully run Add-MailboxFolderPermission, can you add and access the shared folder in Outlook?
No, it's not working in Outlook with the cross-forest contacts in Exchange 2019 environment. I guess something has changed.
i can run successfully the command:
Add-MailboxPermission domain1\john.smith -user domain2\michael.brown -AccessRights fullaccess -AutoMapping:$False -InheritanceType all
Nevertheless, I'm not able to open mailbox 'john.smith' in michael.brown's Outlook. I use fiddler to check what's going on under the hood, Outlook goes to autodiscover.domain1.com and gets HTTP 500 from the web-server.
After many tries, I have managed to get cross-forest delegation working.
Instead of creating a cross-forest contact, I created a mailuser 'john.smith' in the domain2.com, and fill in the attibutes:
After that, I was able to open mailbox 'john.smith' in michael.brown's Outlook. Fiddler showes that Outlook goes to autodiscover.domain1.com and gets HTTP 200 from the web-server, and then goes to mail.domain.com/mapi and also gets HTTP 200.
See next message -->
Need to mention that I haven't managed to get add-mailboxfolderpermission working with mail user, so I have only FullAccess feature.
It's interesting that a mailuser has default msExchVersion value = 44220983382016, and I didn't change it.
Considering the above, I have 2 questions:
Thanks.