Forum Discussion
Outlook password promt when CAS Exchange failover
Hello!
We have two Exchange 2010 CAS servers which is load balanced via F5. F5 has been configured with iApp exchange2010_Cas2012_06_08 without any changes and all working fine except outlook in case CAS failovers. If we shutdown one of our CAS we get password prompt on clients that has been connected to shutdowned CAS and it's not affected by guest OS.
Before F5 we used NLB between CAS's and we never got password prompt even if one of CAS was offline.
Because all has been built on F5 deployment guide and without any changes except we added virtual server for SMTP i assume that everything should work fine but it's not.
Could someone help us to find a way for fix this issue?
Hi scorpa, this is a known issue and there's no way to completely solve it, other than to migrate your users to Outlook Anywhere. We recommend that in general since RPC Client Access has been deprecated for Exchange 2013.
If you have Outlook clients that are left open, those clients will send keep alives that will prevent the TCP idle timeout setting from tearing down the connections. When you reboot the CAS they are connected to, or take it down for maintenance, they will be prompted for authentication.
You can drain-stop the pool member by disabing it and waiting until the TCP idle timeout period has passed (by default it's 2 hours), but your clients will still need to authenticate when they connect to the other CAS.
thanks
Mike
- mikeshimkus_111Historic F5 Account
Hi scorpa, this is a known issue and there's no way to completely solve it, other than to migrate your users to Outlook Anywhere. We recommend that in general since RPC Client Access has been deprecated for Exchange 2013.
If you have Outlook clients that are left open, those clients will send keep alives that will prevent the TCP idle timeout setting from tearing down the connections. When you reboot the CAS they are connected to, or take it down for maintenance, they will be prompted for authentication.
You can drain-stop the pool member by disabing it and waiting until the TCP idle timeout period has passed (by default it's 2 hours), but your clients will still need to authenticate when they connect to the other CAS.
thanks
Mike
- scorpa_121336NimbostratusThank you Mike for your reply! But we have deployed Outlook anywhere already and as i understood we can't use it inside our local network, can it ? And what about scheme with NLB, because with NLB there isn't any authentication prompts in case of CAS failover. What will be if we tune TCP idle timeout on server side TCP connections below Outlook dead timers?
- mikeshimkus_111Historic F5 AccountYou can absolutely use Outlook Anywhere in your local network. Another benefit of OA from an F5 perspective is that the iApp uses an EAV monitor to log into the mailbox, instead of a simple TCP monitor (which is all we have for RPC). BTW, I recommend going to downloads.f5.com and downloading the f5.microsoft_exchange_2010_2013_cas.v1.2.0.tmpl template. It includes many fixes and new features over the 06_08 version. I did some reading up on NLB, and Microsoft's documentation on NLB states: "When its client affinity parameter setting is enabled, Network Load Balancing directs all TCP connections from one client IP address to the same cluster host. This allows session state to be maintained in host memory. However, should a server or network failure occur during a client session, a new logon may be required to re-authenticate the client and re-establish session state." I'd read that to mean that you should be getting prompted when using NLB, or at least that the mechanism to prevent it is not built into NLB. But I'm not very familiar with it, either. You can change the idle timeout setting, but when the connections time out, those clients will still need to reauthenticate.
- Mike_61719Cirrus
http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=324E8B562D498923353213626E308928?externalId=KB26490&sliceId=2&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl
?
- Olusola_Ayoade_Nimbostratus
Hi Mike,
I use f5.microsoft_exchange_2010_2013_cas.v1.4.0.tmpl template and i use firmware 11.6, i am trying to loadbalance exchange 2013, OWA is effectively loadbalanced, but outlook prompts for password and does not connect, it seems f5 is not handling the certificate properly, what could be the challenge , kindly assist, i am on site.i used the import type PKCS 12 (IIS) while importing certificate to F5 box
- mikeshimkus_111Historic F5 AccountDoes your certificate contain the correct domain names for Outlook Anywhere, EWS, and OAB? I would try taking a packet capture on both sides of the BIG-IP to see what's happening. If you are getting immediate resets during the ssl handshake, then it sounds like a cert issue. If you are seeing 401s from Exchange, that is something else.
- Olusola_Ayoade_Nimbostratus
Hi Mike, Thanks for your support, can you point me to a material that shows how to export certificate and key from CAS. Also which command will i use to confirm if my certificate contains the correct domain names for outlook anywhere, here is the error prompt i get when trying to register to outlook (There is a problem with the proxy servers security certificate, the security certificate is not a trusted certifying authority.) Thanks for the assistance.
- mikeshimkus_111Historic F5 AccountHi Olusola, you should be able to export the cert and key using the Certificate Manager MMC snap-in from your CAS. On BIG-IP, once you have imported the .pfx file, you can go to System ›› File Management : SSL Certificate List, click on the cert you imported, and look at the Subject Alternative Name field to see what names are in your cert.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com