check this out... section with this heading "Fix for 'Customer is undefined' error [New in Commerce 13.9.0]"

https://world.episerver.com/documentation/developer-guides/commerce/orders/Order-management2/

Thank you, Praful for your suggestion but it did not help to resolve the issue.

Now I'm going to compare User groups & access rights in old vs new version. 

Any more suggestion? 

I had to add this to the site initialization/global configuration to make it work, where the authenticationtype should be the same as what you use in your owin statrtup class. If you use owin that is.

config.Filters.Add(new HostAuthenticationFilter(DefaultAuthenticationTypes.ApplicationCookie));

Do you have ServiceAPI installed? ServiceAPI remove the cookie authentication for WebAPI controllers which causes that issue. It's a known issue but no workaround so far, unfortunately, except to have ServiceAPI as a separate website instead

Hi Quan - Thanks for your reply - Yes we are using Service API

Quan, we are also running into this issue. You mention a possible solution is to setup the ServiceApi as a separate website. Can you point me to some doucmentation about to how to do this?

You can setup an empty site and then install ServiceAPI to it. As long as you set the correct connection strings it should just work

@Naveed If @Jeroen's solution doesn't work for you.

You can also create an InitializationModule and add the following code in:

var handler = GlobalConfiguration.Configuration.MessageHandlers.FirstOrDefault(x => x.GetType() == typeof(PassiveAuthenticationMessageHandler));
            GlobalConfiguration.Configuration.MessageHandlers.Remove(handler);

This will open up the Order Management screen to look for authentication in the cookies in addition to the headers.

Service API uses SuppressDefaultHostAuthentication which locks down authentication to headers to protect against csrf attacks.