I just deployed the latest 2013 iApp for Exchange 2013. We have 5 servers, and the iApp deployment went good and quick. However, we can not log into OWA or the ECP when more than one pool member is active. You get to the login page, you type your username and password and it looks like it's logging you in for a brief moment, then kicks you back to the logon page. If I go into the OWA pool, and disabled all but one of the members, you can log in and access your mailbox or ECP just fine. Anything you can think of to look at? I have a support case with F5, but sometimes people on here have ran into this before.

Hi, I have seen this before. In my case, it was because I had mismatched certificates configured on my client access servers. Confirm that all the CAS are using the same cert for IIS services, and that that cert matches the one you're choosing in the iApp configuration. Mike

each of my CAS servers have certs from our internal CA with servername.domain.com We are doing SSL offloading and our public cert for OWA, Autodiscover, etc is on the F5 only. If that was the case, why would it work with only one server active in the pool? I would think it would be the same problem regardless of how many pool members are active.

In order to know that you have an existing session, the servers need to be able to decrypt the auth cookie and for that they all need the same cert. Otherwise, they will return you the logon page. It works with a single pool member because that server has the correct cert. From http://theucguy.net/exchange-server-2013-load-balancing/: "The OWA client hands the cookie to the server with any new requests. In this case, it doesn’t matter if the new request is handled by a different CAS server, as that server is capable of decrypting the cookie with it’s private key, as all CAS servers have the same certificate. As the authentication cookie is successfully decrypted irrespective of which CAS 2013 server it hits, the user or client is not challenged to authenticate again with an FBA page."

OK, I have done that...and the same problem persists.

I assume you have reset IIS on all of your CAS? You may want to try killing all of the connections to that pool on BIG-IP as well. If that doesn't work, please let me know your F5 support case , so I can track it.

Microsoft Exchange 2013 iApp - Can't login to OWA or ECP if more than one server is active in pool

carter91_13591
Nimbostratus
Jul 03, 2014
We lose the EAC restriction based on IP address in the 2010 template among other things. Would like to get this working with 2013 option.
mikeshimkus_111
Historic F5 Account
Jul 03, 2014
Every time I've run into this problem, it's been the certificate issue. I recommend that you consider opening a support case with Microsoft as well, since they might be able to spot something that I'm missing.

The F5 support engineer will be able escalate the case if necessary.

Can you tell me which version of Exchange 2013 you are running? Should be able to get that from the servers list in the EAC.
carter91_13591
Nimbostratus
Jul 03, 2014
Exchange 2013 SP1 with CU5 applied

Do our internal server names have to be on the certificate as well?
mikeshimkus_111
Historic F5 Account
Jul 03, 2014
No, the internal server names are not required, only the names that clients will use to connect.
mikeshimkus_111
Historic F5 Account
Jul 03, 2014
The CAS servers also have the private key, correct?
carter91_13591
Nimbostratus
Jul 03, 2014
Yes they do, it accepted everything when I imported.

I switched everything to our Wildcard cert on both the F5 and the servers, and no change in behavior.

I know both these certs are good. Our 2010 environment is using the Outlookweb cert currently, and we have multiple servers using the wildcard. So I know the cert itself is good, and they should now match like you said they needed to.
carter91_13591
Nimbostratus
Jul 03, 2014
Both our wildcard and the exchange certs we used had CSR's generated from the F5, the submitted to Thawte, then the issued certs from them were installed on F5. To get them on the servers, I exported the .crt and .key files and used OpenSSL to combine them to install on Exchange servers. That would be ok right?
mikeshimkus_111
Historic F5 Account
Jul 03, 2014
That seems OK to me, however we do all our testing with self-signed certs so I can't tell you for sure that there's not a problem or best practice with that process. Can you grab the cert and key in .pfx format from Thawte, then import that onto both BIG-IP and your Exchange servers?
carter91_13591
Nimbostratus
Jul 03, 2014
Thawte only has the cert...the key is stored on the F5, or requesting server.
mikeshimkus_111
Historic F5 Account
Jul 03, 2014
Duh, that's why it's a private key I guess. :-)

What openssl commands did you use to combine them?

Forum Discussion

Microsoft Exchange 2013 iApp - Can't login to OWA or ECP if more than one server is active in pool

Recent Discussions

Management IP F5 cant be accessed

ASD

Big-IP VE edition for MacBook M4 Chip

301 redirect and waf policy log problem

Background Tasks

Related Content

Exchange iapp for multiple Exchange servers (different customers)

APM authentication for Exchange 2010

Exchange 2013 iApp Confguration for MobileIron

What metrics information are exchanged by the DNS Sync Groups?

Migrate Exchange 2003 to 2010 with APM

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS