Forum Discussion

carter91_13591's avatar
carter91_13591
Icon for Nimbostratus rankNimbostratus
Jul 03, 2014

Microsoft Exchange 2013 iApp - Can't login to OWA or ECP if more than one server is active in pool

I just deployed the latest 2013 iApp for Exchange 2013. We have 5 servers, and the iApp deployment went good and quick. However, we can not log into OWA or the ECP when more than one pool member is...
application delivery
devops
iApps
LTM
microsoft
mikeshimkus_111's avatar
mikeshimkus_111
Historic F5 Account
Jul 03, 2014

In order to know that you have an existing session, the servers need to be able to decrypt the auth cookie and for that they all need the same cert. Otherwise, they will return you the logon page. It works with a single pool member because that server has the correct cert. From http://theucguy.net/exchange-server-2013-load-balancing/:

"The OWA client hands the cookie to the server with any new requests. In this case, it doesn’t matter if the new request is handled by a different CAS server, as that server is capable of decrypting the cookie with it’s private key, as all CAS servers have the same certificate.

As the authentication cookie is successfully decrypted irrespective of which CAS 2013 server it hits, the user or client is not challenged to authenticate again with an FBA page."