Forum Discussion
Microsoft Exchange 2013 iApp - Can't login to OWA or ECP if more than one server is active in pool
I just deployed the latest 2013 iApp for Exchange 2013. We have 5 servers, and the iApp deployment went well and quickly. However, we cannot log into OWA or the ECP when more than one pool member is active. You get to the login page, you type your username and password and it looks like it's logging you in for a brief moment, then it kicks you back to the logon page. If I go into the OWA pool and disable all but one of the members, you can log in and access your mailbox or ECP just fine.
Anything you can think of to look at? I have a support case with F5, but sometimes people on here have run into this before.
- mikeshimkus_111 (Historic F5 Account)
Hi, I have seen this before. In my case, it was because I had mismatched certificates configured on my client access servers.
Confirm that all the CAS are using the same cert for IIS services, and that that cert matches the one you're choosing in the iApp configuration.
Mike
- carter91_13591 (Nimbostratus)
Each of my CAS servers has a cert from our internal CA with servername.domain.com.
We are doing SSL offloading and our public cert for OWA, Autodiscover, etc is on the F5 only.
If that was the case, why would it work with only one server active in the pool? I would think it would be the same problem regardless of how many pool members are active.
- mikeshimkus_111 (Historic F5 Account)
In order to know that you have an existing session, the servers need to be able to decrypt the auth cookie, and for that they all need the same cert. Otherwise, they will return you to the logon page. It works with a single pool member because that server has the correct cert. From http://theucguy.net/exchange-server-2013-load-balancing/:
"The OWA client hands the cookie to the server with any new requests. In this case, it doesn't matter if the new request is handled by a different CAS server, as that server is capable of decrypting the cookie with its private key, as all CAS servers have the same certificate. As the authentication cookie is successfully decrypted irrespective of which CAS 2013 server it hits, the user or client is not challenged to authenticate again with an FBA page."
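A quick way to verify the condition Mike describes from the load balancer side: connect to each pool member, pull the leaf certificate it serves and compare SHA-256 fingerprints, so a member with a different cert (the one that cannot decrypt the FBA cookie) stands out. This is an added example, not code from the thread, the iApp or F5; the server names and the OWA SNI name are placeholders and the audit assumes each CAS still listens on 443.

```python
"""Check that every Exchange CAS pool member presents the same certificate.

FBA encrypts the OWA/ECP auth cookie with the private key of the cert bound
to IIS, so a member whose cert differs cannot decrypt a cookie another member
issued and bounces the user back to the logon page. Host names here are
constructed placeholders, not real servers.
"""
import hashlib
import socket
import ssl
from collections import defaultdict
from typing import Dict, List, Optional


def fetch_fingerprint(host: str, port: int = 443, sni: Optional[str] = None,
                      timeout: float = 5.0) -> str:
    """Return the SHA-256 fingerprint (hex) of the leaf cert served by host."""
    ctx = ssl.create_default_context()
    # Internal-CA certs are expected: we compare fingerprints, we do not trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def group_by_fingerprint(fingerprints: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each distinct fingerprint to the sorted list of hosts serving it."""
    groups = defaultdict(list)
    for host, fp in sorted(fingerprints.items()):
        groups[fp].append(host)
    return dict(groups)


def mismatched_members(fingerprints: Dict[str, str]) -> List[str]:
    """Hosts whose cert differs from the majority cert; empty means consistent."""
    groups = group_by_fingerprint(fingerprints)
    if len(groups) <= 1:
        return []
    majority = max(groups, key=lambda fp: (len(groups[fp]), fp))  # deterministic
    return sorted(h for fp, hosts in groups.items() if fp != majority for h in hosts)


def audit_pool(members: List[str], sni: str):
    """Fetch every member's fingerprint (errors count as a distinct cert)."""
    fps = {}
    for host in members:
        try:
            fps[host] = fetch_fingerprint(host, sni=sni)
        except (OSError, ssl.SSLError) as exc:
            fps[host] = f"error: {exc}"
    return fps, mismatched_members(fps)


if __name__ == "__main__":
    pool = [f"server{i}.domain.com" for i in range(1, 6)]  # placeholders
    fps, bad = audit_pool(pool, sni="outlookweb.domain.com")
    for host, fp in fps.items():
        print(f"{host}: {fp}")
    print("mismatched members:", bad or "none")
```

A member that refuses the connection is reported as mismatched too, which is what you want when a node has been disabled in IIS rather than just in the pool.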
- carter91_13591 (Nimbostratus)
OK, I have done that...and the same problem persists.
- mikeshimkus_111 (Historic F5 Account)
I assume you have reset IIS on all of your CAS? You may want to try killing all of the connections to that pool on BIG-IP as well.
If that doesn't work, please let me know your F5 support case number, so I can track it.
- carter91_13591 (Nimbostratus)
Case number is: C1608960
You are being more helpful than he is at the moment. IIS has been reset and I looked at bindings and made sure it shows the certificate.
- carter91_13591 (Nimbostratus)
More info if it helps:
Our cert on the F5, and now on our servers, is a cert with the following DNS names in it: outlookweb.domain.com, autodiscover.domain.com, outlookwebdr.domain.com
Our servers are: server1.domain.com, server2.domain.com, server3.domain.com, server4.domain.com, server5.domain.com
I did have a cert from our internal CA on each CAS server for their internal name only, i.e. server1.domain.com.
I did make the change you suggested and put the cert from the F5 on the CAS servers. Their virtual directories contain those names mentioned above. I followed the deployment guide; I don't see this mentioned anywhere in there. I wish it would just work.
- mikeshimkus_111 (Historic F5 Account)
IIRC, you can have multiple certs associated with a service now. Are the CA-issued certs still associated with IIS services in the Exchange Admin Center? If so, try deleting them completely from the list.
Does anyone connect to OWA using the internal OWA names? You may want to set the internal name to match the external name.
One thing you could try as a temporary workaround is to choose Exchange 2010 as your version in the iApp. This will apply cookie persistence to OWA requests, forcing them to go to the same pool member every time.
- carter91_13591 (Nimbostratus)
I did delete all the internal certs already; forgot to mention that.
Our internal and external URLs are the same.
- carter91_13591 (Nimbostratus)
Using 2010 as the version seems to have made it work... I don't like that. What else do you suggest? Do you work internally at F5 and can you help my engineer out?