Forum Discussion
Vsevolod_Petrov
Cirrostratus
CirrostratusExchange 2013 session affinity. Once again.
Hello!
There are two CAS servers and BIG-IP 11.5.1 HF5 on the front of them.
I'm using an iApp for MS Exchange 2010 and 2013 version 1.4.0 (LTM only, No APM).
I've already read the deployment guid...
Vsevolod_PetrovCirrostratus
CirrostratusWhile fiddlering those requests and responses I've found the following:
For "POST https://mail.example.com/owa/auth.owa HTTP/1.1" (with username, password and so on)
I receive "HTTP/1.1 302 Found" that redirects me to https://mail.example.com/owa/ (with X-FEServer: CAS1)
But instead of /owa/ and useful content I get "HTTP/1.1 302 Found" to https://mail.example.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=0 (with X-FEServer: CAS2)
So, I've got responses from different CAS servers.
Don't know why...
- Assuming you're using the same cert for IIS services on both CAS, which you say you are, I'm not sure what could be going on here. It's as if the servers don't know that they are part of the same Exchange deployment. This post explains why persistence is not required: http://theucguy.net/exchange-server-2013-load-balancing/ "The user connection is authenticated by any one of the 2013 CAS servers. The CAS issues an authentication token (cookie) with session keys and other info and the cookie gets encrypted using the public key of the SAN cert on the CAS server. The OWA client hands the cookie to the server with any new requests. In this case, it doesn’t matter if the new request is handled by a different CAS server, as that server is capable of decrypting the cookie with it’s private key, as all CAS servers have the same certificate. As the authentication cookie is successfully decrypted irrespective of which CAS 2013 server it hits, the user or client is not challenged to authenticate again with an FBA page." Your CAS both have an identical private key that corresponds to the cert you're using for IIS services, correct?
