Forum Discussion
Microsoft Exchange 2013 iApp - Can't login to OWA or ECP if more than one server is active in pool
I just deployed the latest 2013 iApp for Exchange 2013. We have 5 servers, and the iApp deployment went good and quick. However, we cannot log into OWA or the ECP when more than one pool member is active. You get to the login page, you type your username and password and it looks like it's logging you in for a brief moment, then kicks you back to the logon page. If I go into the OWA pool and disable all but one of the members, you can log in and access your mailbox or ECP just fine.
Anything you can think of to look at? I have a support case with F5, but sometimes people on here have run into this before.
- carter91_13591Nimbostratus
Just to test, I re-requested the cert using the Exchange Admin panel...installed it on all servers and the F5..same issue. So it doesn't matter where it's requested from. This is just frustrating, and my engineer isn't even this far in his troubleshooting. I asked him to call me over 45 mins ago.
- carter91_13591Nimbostratus
Used this: openssl pkcs12 -export -out OutlookWeb.pfx -inkey outlookweb_2014-2015.key -in outlookweb_2014-2015.crt
- carter91_13591Nimbostratus
My engineer has ignored two requests for a phone call. He is asking about NTLM authentication for Outlook Web....I mean geez, come on, OWA uses Forms Based Authentication.
- mikeshimkus_111Historic F5 Account
Can you post the sanitized output of these two commands:
Get-ExchangeCertificate -Server | fl
Get-OWAVirtualDirectory | fl
I will compare with what I have in my lab.
- carter91_13591Nimbostratus
[PS] C:\Windows\system32>Get-ExchangeCertificate -Server Server1 | fl
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {outlookweb.domain.com, autodiscover.domain.com, outlookwebdr.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Thawte SSL CA, O="Thawte, Inc.", C=US
NotAfter           : 7/26/2016 7:59:59 PM
NotBefore          : 7/2/2014 8:00:00 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 78673A5B9DB7CFBED7D707C2243416BC
Services           : IIS
Status             : Valid
Subject            : CN=outlookweb.domain.com, OU=IT, O=MyCompany, L=SomeCity, S=SomeState, C=US
Thumbprint         : 38576C408C3BD90DADDBE9F91E5D30A4E7FBDDEC

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 6/4/2019 10:41:12 AM
NotBefore          : 6/30/2014 10:41:12 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1287947A3004A78541EEBC2BBFDF8D96
Services           : SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : 7560532AA7C256D489FE55EF80A73CD6FC4B5DF0

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Server1, Server1.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Server1
NotAfter           : 6/30/2019 10:40:02 AM
NotBefore          : 6/30/2014 10:40:02 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1BBEF530CEE01FA14EC5AD318890B742
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Server1
Thumbprint         : C61EC2DB867020FF4DA1286127A25E51893E6587

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-Server1}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-Server1
NotAfter           : 6/27/2024 10:10:52 AM
NotBefore          : 6/30/2014 10:10:52 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 2D0711091356248F4206F7BDCE8B8473
Services           : None
Status             : Valid
Subject            : CN=WMSvc-Server1
Thumbprint         : BB4AE0324E0BF897094B84287C038BE2C7A67787
- carter91_13591Nimbostratus
[PS] C:\Windows\system32>Get-OwaVirtualDirectory -Server Server1 | fl
RunspaceId : 84554014-511f-4af3-869b-462f2e41fc6e
DirectFileAccessOnPublicComputersEnabled : True
DirectFileAccessOnPrivateComputersEnabled : True
WebReadyDocumentViewingOnPublicComputersEnabled : True
WebReadyDocumentViewingOnPrivateComputersEnabled : True
ForceWebReadyDocumentViewingFirstOnPublicComputers : False
ForceWebReadyDocumentViewingFirstOnPrivateComputers : False
WacViewingOnPublicComputersEnabled : True
WacViewingOnPrivateComputersEnabled : True
ForceWacViewingFirstOnPublicComputers : False
ForceWacViewingFirstOnPrivateComputers : False
RemoteDocumentsActionForUnknownServers : Block
ActionForUnknownFileAndMIMETypes : Allow
WebReadyFileTypes : {.xlsx, .pptx, .docx, .xls, .rtf, .ppt, .pps, .pdf, .dot, .doc}
WebReadyMimeTypes : {application/vnd.openxmlformats-officedocument.presentationml.presentation, application/vnd.openxmlformats-officedocument.wordprocessingml.document, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, application/vnd.ms-powerpoint, application/x-mspowerpoint, application/vnd.ms-excel, application/x-msexcel, application/msword, application/pdf}
WebReadyDocumentViewingForAllSupportedTypes : True
WebReadyDocumentViewingSupportedMimeTypes : {application/msword, application/vnd.ms-excel, application/x-msexcel, application/vnd.ms-powerpoint, application/x-mspowerpoint, application/pdf, application/vnd.openxmlformats-officedocument.wordprocessingml.document, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, application/vnd.openxmlformats-officedocument.presentationml.presentation}
WebReadyDocumentViewingSupportedFileTypes : {.doc, .dot, .rtf, .xls, .ppt, .pps, .pdf, .docx, .xlsx, .pptx}
AllowedFileTypes : {.rpmsg, .xlsx, .xlsm, .xlsb, .vstx, .vstm, .vssx, .vssm, .vsdx, .vsdm, .tiff, .pptx, .pptm, .ppsx, .ppsm, .docx...}
AllowedMimeTypes : {image/jpeg, image/png, image/gif, image/bmp}
ForceSaveFileTypes : {.html, .swf, .spl, .htm, .dir, .dcr}
ForceSaveMimeTypes : {Application/x-shockwave-flash, Application/octet-stream, Application/futuresplash, Application/x-director, text/html}
BlockedFileTypes : {.vsmacros, .msh2xml, .msh1xml, .ps2xml, .ps1xml, .mshxml, .gadget, .mhtml, .psc2, .psc1, .msh2, .msh1, .aspx, .xml, .wsh, .wsf...}
BlockedMimeTypes : {application/x-javascript, application/javascript, application/msaccess, x-internet-signup, text/javascript, application/xml, application/prg, application/hta, text/scriplet, text/xml}
RemoteDocumentsAllowedServers : {}
RemoteDocumentsBlockedServers : {}
RemoteDocumentsInternalDomainSuffixList : {}
FolderPathname :
Url : {}
- carter91_13591Nimbostratus
LogonFormat : PrincipalName
ClientAuthCleanupLevel : High
LogonPagePublicPrivateSelectionEnabled : False
LogonPageLightSelectionEnabled : False
FilterWebBeaconsAndHtmlForms : UserFilterChoice
NotificationInterval : 120
DefaultTheme :
UserContextTimeout : 60
ExchwebProxyDestination :
VirtualDirectoryType :
OwaVersion : Exchange2013
ServerName : Server1
InstantMessagingCertificateThumbprint :
InstantMessagingServerName :
RedirectToOptimalOWAServer : True
DefaultClientLanguage : 0
LogonAndErrorLanguage : 0
UseGB18030 : False
UseISO885915 : False
OutboundCharset : AutoDetect
GlobalAddressListEnabled : True
OrganizationEnabled : True
ExplicitLogonEnabled : True
OWALightEnabled : True
DelegateAccessEnabled : True
IRMEnabled : True
CalendarEnabled : True
ContactsEnabled : True
TasksEnabled : True
JournalEnabled : True
NotesEnabled : True
RemindersAndNotificationsEnabled : True
PremiumClientEnabled : True
SpellCheckerEnabled : True
SearchFoldersEnabled : True
SignaturesEnabled : True
ThemeSelectionEnabled : True
JunkEmailEnabled : True
UMIntegrationEnabled : True
WSSAccessOnPublicComputersEnabled : True
WSSAccessOnPrivateComputersEnabled : True
ChangePasswordEnabled : True
UNCAccessOnPublicComputersEnabled : True
UNCAccessOnPrivateComputersEnabled : True
ActiveSyncIntegrationEnabled : True
AllAddressListsEnabled : True
RulesEnabled : True
PublicFoldersEnabled : True
SMimeEnabled : True
RecoverDeletedItemsEnabled : True
InstantMessagingEnabled : True
TextMessagingEnabled : True
ForceSaveAttachmentFilteringEnabled : False
SilverlightEnabled : True
PlacesEnabled : False
AllowCopyContactsToDeviceAddressBook : True
AnonymousFeaturesEnabled : True
IntegratedFeaturesEnabled : True
DisplayPhotosEnabled : True
SetPhotoEnabled : True
PredictedActionsEnabled : False
UserDiagnosticEnabled : False
ReportJunkEmailEnabled : True
WebPartsFrameOptionsType : SameOrigin
AllowOfflineOn : AllComputers
SetPhotoURL :
InstantMessagingType : None
Exchange2003Url :
FailbackUrl :
LegacyRedirectType : Silent
Name : owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
MetabasePath : IIS://Server1.domain.com/W3SVC/1/ROOT/owa
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
DefaultDomain :
GzipLevel : Low
WebSite : Default Web Site
DisplayName : owa
Path : D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.0 (Build 913.22)
Server : Server1
InternalUrl : https://outlookweb.domain.com/owa
ExternalUrl : https://outlookweb.domain.com/owa
ExternalAuthenticationMethods : {Fba}
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=Server1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MyCompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mycompany,DC=edu
Identity : Server1\owa (Default Web Site)
Guid : ae94edc4-9bce-4362-836a-02c1cc3577ac
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-OWA-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchOWAVirtualDirectory}
WhenChanged : 7/1/2014 8:22:23 AM
WhenCreated : 6/30/2014 10:50:18 AM
WhenChangedUTC : 7/1/2014 12:22:23 PM
WhenCreatedUTC : 6/30/2014 2:50:18 PM
OrganizationId :
OriginatingServer : mydc.domain.com
IsValid : True
ObjectState : Changed
- mikeshimkus_111Historic F5 Account
Everything there matches what I have. I assume that the output of the Get-ExchangeCertificate command is the same for all servers w/r/t the IIS-bound cert.
It really seems like the servers' inability to decrypt the auth cookie is causing the problem, but I'm not sure why that's happening since it looks like it should be fine. Are you seeing any errors in the Exchange event logs on the CAS?
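
Added example, not part of the original posts and not F5 or Microsoft code: one way to check the assumption above that every pool member has the same IIS-bound certificate, run from the Exchange Management Shell. The names Server2 through Server5 are assumed placeholders; only Server1 appears in the thread.

```powershell
# Added example. Server2..Server5 are assumed names; replace with the real pool members.
$servers = 'Server1', 'Server2', 'Server3', 'Server4', 'Server5'

$bound = foreach ($s in $servers) {
    # Keep only certificates whose Services value includes IIS.
    # Services is cast to a string so this works on deserialized remote objects too.
    Get-ExchangeCertificate -Server $s |
        Where-Object { "$($_.Services)" -match '\bIIS\b' } |
        ForEach-Object {
            [pscustomobject]@{
                Server     = $s
                Thumbprint = $_.Thumbprint
                Serial     = $_.SerialNumber
                NotAfter   = $_.NotAfter
                HasKey     = $_.HasPrivateKey
                Status     = "$($_.Status)"
            }
        }
}

$bound | Sort-Object Server | Format-Table -AutoSize

# Servers that returned no IIS-enabled certificate at all
$missing = $servers | Where-Object { $_ -notin $bound.Server }
if ($missing) {
    Write-Warning "No IIS-bound certificate found on: $($missing -join ', ')"
}

# More than one distinct thumbprint means the pool members do not match
$distinct = @($bound | Select-Object -ExpandProperty Thumbprint -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning 'IIS-bound certificates differ across servers:'
    $bound | Group-Object Thumbprint | ForEach-Object {
        '{0}  ->  {1}' -f $_.Name, (($_.Group.Server | Sort-Object -Unique) -join ', ')
    }
} elseif ($distinct.Count -eq 1) {
    "All listed servers use IIS certificate $($distinct[0])"
}

# List any copy that is missing its private key or is not in Valid status
$bound | Where-Object { -not $_.HasKey -or $_.Status -ne 'Valid' }
```

For the output posted earlier in the thread, Server1 would report thumbprint 38576C408C3BD90DADDBE9F91E5D30A4E7FBDDEC; the other four servers should show the same value.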
- carter91_13591Nimbostratus
No errors of any kind on CAS. Yeah, the output is the same on all servers.
My engineer finally called me and I asked for it to be escalated up the ladder. Waiting to hear back on that. Would a fresh QKview after that cert changes on the F5 uploaded to iHealth help at all?
- mikeshimkus_111Historic F5 Account
One way you could test my theory is to use DNS load balancing to bypass BIG-IP and see if you still have the issue. Setting up 2 A records for outlookweb.domain.com pointing to different CAS should do it. Your clients would need to be able to route to the CAS, of course.