Solved

Issues Logging Off in Outlook Web Access on Firefox & Google Chrome

Posted on 2009-07-14
Last Modified: 2012-05-07
I have a Windows Small Business Server 2003 with Exchange 2003 (6.5) SP2, and when accessing Outlook Web Access from Internet Explorer the log off feature works fine. But when I access it from Google Chrome or Firefox and click the log off button, then go back to the access page, it is already logged in with the same user. I assume it's just an incompatibility between Exchange and these other web browsers. But is there a patch to fix this? I don't want my users to be logged in still if they use a public computer.

Thanks!
Dan
Question by:filtrationproducts
14 Comments
 
LVL 11

Expert Comment

by:gikkel
ID: 24850997
That doesn't seem normal... I tried to recreate from Firefox, Chrome, and Safari. The only difference with those browsers is that when you click back, the user name remains. The password shouldn't be saved and you definitely shouldn't be logged in. Are you sure the account remains active?
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 24851481
Yes, if I log out I get the one window that tells you to click the close button and exit your browser to complete the log off. But when you click the Close button nothing happens in Firefox and Chrome. In IE it will prompt you to close the browser. But even if I do not do that and go back to the domain.com/exchange page to log in (when in IE), it still re-prompts me for a user name and password. In Chrome and Firefox it just goes right back into the Inbox like you never logged off.

Does this make sense?
0
 
LVL 11

Expert Comment

by:gikkel
ID: 24851586
I really don't think that is normal... when you press logoff, it should just log off and return to the Exchange login page. Is your site set up to require SSL (https://)? Is your server up to date?
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 24851598
The site is not set up for SSL.

The server is up to date on SPs.
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 24851613
I can connect with SSL (self-signed) but it still does the same thing. I press log off, then click back or go to domain.com/exchange, and it's back in the Inbox.
0
 
LVL 65

Accepted Solution

by:
Mestha earned 25 total points
ID: 24851768
Are you seeing the forms based authentication page?
If not then you are not using cookie control, so this behaviour is to be expected.
FBA is only available through SSL and should be enabled by default.

Simon.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24851772
Oh and service packs being up to date is not enough. You need to run Microsoft Update and the SBS Best Practises tool to ensure that you have all relevant updates.

Simon.
0
 
LVL 11

Assisted Solution

by:gikkel
gikkel earned 25 total points
ID: 24851906
OWA authentication is session based. You must require SSL for users to be forced logged off after closing. Since your logoff button isn't working correctly, I'm thinking our differences are because you require the logoff warning (to verify, view source when logged into OWA, see if var G_fWarnOnLogOff=true)... and that may be the Firefox/Chrome issue.
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027141
It says False. See below.
<SCRIPT language="JavaScript">
var g_iNewWindowWidth = 700;
var g_iNewWindowHeight = 500;
var g_fWarnOnLogOff=false;
function WarnOnLogOff()
{
    if (g_fWarnOnLogOff)
        alert("To help protect your mailbox from unauthorized access, close all browser windows when you finish using Outlook Web Access.");
}
</SCRIPT>

0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027219
Mestha:
The server is up to date using automatic updates.

I am running the Exchange best practices tool and the only 3 issues that came back were:

1. global incoming message size not set
2. global outgoing message size not set
3. WMI access is not possible
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027273
I turned on Form Based Authentication under Exchange Service Manager / DOMAIN / SERVERS / DOMAIN / PROTOCOLS / HTTP / EXCHANGE VIRTUAL SERVER / PROPERTIES / SETTINGS

I tried logging in again with each web browser and they all still behaved the same way.
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027403
I found this on msexchange.org (which verifies everything you guys are saying). I don't understand why Microsoft would design something that is by default such a security issue.

"In addition to this, Outlook Web Access authentication is generally session based. This means if you do not logoff and close your browser you remain logged in. Especially in public web access areas where users are unable to close the browser window it becomes quite easy for other users to read and send emails in the name of a company user."

Then they go on to say that after you create an SSL certificate and turn on form authentication you will still have the same effect, and that the only difference now is there will be a default timeout of 10 minutes and emails are no longer sent in clear text.

I don't see that as any more secure. I worry more about someone clicking the back button into my email inbox than someone scanning traffic and reading emails that are sent in clear text...
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027435
Is there a script or something someone could add to that button code so when the logoff button is clicked the connection is completely disconnected?
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027565
There we go!

Just like you guys said, I configured it to force SSL use, I enabled Form Based Authentication on the Exchange directory in IIS, stopped and started the IIS directory, then it started working like I want.

Thanks guys!
0
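
Added example (not part of the original thread and not Exchange code): a Python check that classifies a response from the /exchange URL as browser-held HTTP authentication, where a log off link cannot end the session because the browser keeps replaying the credentials, or as a forms-based login, and flags whether the URL is served without SSL. The host name mail.example.test, both sample responses and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Schemes where the browser itself stores and replays the credentials.
BROWSER_HELD = {"basic", "digest", "ntlm", "negotiate"}

# Constructed sample responses (not captured from a real server).
BASIC_SAMPLE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="mail.example.test"\r\n'
    "\r\n"
)
FBA_SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form method="POST"><input name="username">'
    '<input type="password" name="password"></form>'
)

def parse_response(raw):
    """Split a raw HTTP response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def classify(url, raw):
    """Report the auth mode and whether a log off link can end the session."""
    status, headers, body = parse_response(raw)
    offered = headers.get("www-authenticate", [])
    schemes = {v.split()[0].lower() for v in offered if v}
    if status == 401 and schemes & BROWSER_HELD:
        mode = "browser-held"   # browser replays credentials until it is closed
    elif status == 200 and 'type="password"' in body.lower():
        mode = "forms"          # login form; session is tracked in a cookie
    else:
        mode = "unknown"        # e.g. a redirect: follow it and classify again
    return {
        "mode": mode,
        "logoff_ends_session": {"forms": True, "browser-held": False}.get(mode),
        "cleartext": urlsplit(url).scheme != "https",
    }
```
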
