Issues Logging Off in Outlook Web Access on Firefox & Google Chrome

I have a Windows Small Business Server 2003 with Exchange 2003 (6.5) SP2, and when accessing Outlook Web Access from Internet Explorer the log off feature works fine. But when I access it from Google Chrome or Firefox and click the log off button, then go back to the access page, it is already logged in with the same user. I assume it's just an incompatibility between Exchange and these other web browsers. But is there a patch to fix this? I don't want my users to be logged in still if they use a public computer.

Thanks!
Dan
filtrationproductsAsked:
 
MesthaCommented:
Are you seeing the forms based authentication page?
If not then you are not using cookie control, so this behaviour is to be expected.
FBA is only available through SSL and should be enabled by default.

Simon.
0
 
gikkelCommented:
That doesn't seem normal... I tried to recreate from Firefox, Chrome, and Safari. The only difference with those browsers is that when you click back, the user name remains. The password shouldn't be saved and you definitely shouldn't be logged in. Are you sure the account remains active?
0
 
filtrationproductsAuthor Commented:
Yes, if I log out I get the one window that tells you to click the Close button and exit your browser to complete the log off. But when you click the Close button nothing happens in Firefox and Chrome. When in IE it will prompt you to close the browser. But even if I do not do that and go back to the domain.com/exchange page to log in (when in IE), it still re-prompts me for a user name and password. In Chrome and Firefox it just goes right back into the Inbox like you never logged off.

Does this make sense?
0

 
gikkelCommented:
I really don't think that is normal... when you press logoff, it should just log off and return to the Exchange login page. Is your site set up to require SSL? (https://) Is your server up to date?
0
 
filtrationproductsAuthor Commented:
The site is not set up for SSL.

The server is up to date on SPs.
0
 
filtrationproductsAuthor Commented:
I can connect with SSL (self-signed) but it still does the same thing. I press log off, then click back or go to domain.com/exchange, and it's back in the Inbox.
0
 
MesthaCommented:
Oh and service packs being up to date is not enough. You need to run Microsoft Update and the SBS Best Practises tool to ensure that you have all relevant updates.

Simon.
0
 
gikkelCommented:
OWA authentication is session based. You must require SSL for users to be forced logged off after closing. Since your logoff button isn't working correctly, I'm thinking our differences are because you require the logoff warning (to verify, view source when logged into OWA, see if var G_fWarnOnLogOff=true)... and that may be the Firefox/Chrome issue.
0
 
filtrationproductsAuthor Commented:
It says False. See below.
<SCRIPT language="JavaScript">
    var g_iNewWindowWidth = 700;
    var g_iNewWindowHeight = 500;
    var g_fWarnOnLogOff=false;
    function WarnOnLogOff()
    {
        if (g_fWarnOnLogOff)
            alert("To help protect your mailbox from unauthorized access, close all browser windows when you finish using Outlook Web Access.");
    }
</SCRIPT>


0
 
filtrationproductsAuthor Commented:
Mestha:
The server is up to date using automatic updates.

I am running the exchange best practices tool and the only 3 issues that came back were;

1. global incoming message size not set
2. global outgoing message size not set
3. WMI access is not possible
0
 
filtrationproductsAuthor Commented:
I turned on Form Based Authentication under Exchange Service Manager / DOMAIN / SERVERS / DOMAIN / PROTOCOLS / HTTP / EXCHANGE VIRTUAL SERVER / PROPERTIES / SETTINGS

I tried logging in again with each web browser and they all still behaved the same way.
0
 
filtrationproductsAuthor Commented:
I found this on msexchange.org (which verifies everything you guys are saying). I don't understand why Microsoft would design something that is by default such a security issue.

"In addition to this, Outlook Web Access authentication is generally session based. This means if you do not logoff and close your browser you remain logged in. Especially in public web access areas where users are unable to close the browser window it becomes quite easy for other users to read and send emails in the name of a company user."

Then they go on to say that after you create an SSL certificate and turn on form authentication you will still have the same effect, and that the only difference now is there will be a default timeout of 10 minutes and emails are no longer sent in clear text.

I don't see that as any more secure. I worry more about someone clicking the back button into my email inbox than someone scanning traffic and reading emails that are sent in clear text...
0
 
filtrationproductsAuthor Commented:
Is there a script or something someone could add to that button code so when the logoff button is clicked the connection is completely disconnected?
0
 
filtrationproductsAuthor Commented:
There we go!

Just like you guys said I configured it to force SSL use, I enabled Form Based Authentication on the Exchange directory in IIS, stopped and started the IIS directory then it started working like I want.

Thanks guys!
0
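Added example, not part of any post in this thread: a small Python check an administrator could run against the response to an unauthenticated GET of /exchange, to confirm the two settings the thread ends on (SSL required, forms-based authentication instead of a browser credential prompt). The function names and sample responses are constructed for illustration; it assumes a 403 on plain HTTP means SSL is required and that the forms-based logon page contains a password input.

```python
from email.parser import Parser

def parse_response(raw):
    """Split a raw HTTP response (LF line endings) into status, headers, body."""
    head, _, body = raw.partition("\n\n")
    status_line, _, header_block = head.partition("\n")
    return int(status_line.split()[1]), Parser().parsestr(header_block), body

def classify(raw, scheme):
    """Return findings for the response to an unauthenticated GET of /exchange."""
    status, headers, body = parse_response(raw)
    findings = []
    to_https = headers.get("Location", "").lower().startswith("https://")
    # Plain HTTP should be refused (assumed: 403) or redirected to HTTPS.
    if scheme == "http" and status != 403 and not to_https:
        findings.append("ssl-not-required")
    challenges = [v.split()[0].lower()
                  for v in headers.get_all("WWW-Authenticate", [])]
    if status == 401 and challenges:
        # The browser stores these credentials itself and replays them on
        # every request; a logoff page has no standard way to clear them.
        findings.append("browser-cached-auth:" + "+".join(challenges))
    elif status == 200 and 'type="password"' in body.lower():
        # A logon form means the session is a cookie the server can expire.
        findings.append("forms-based-auth")
    return findings

# Constructed sample responses (not captured from a real server).
BASIC_OVER_HTTP = (
    'HTTP/1.1 401 Unauthorized\n'
    'WWW-Authenticate: Basic realm="mail.example.com"\n'
    'WWW-Authenticate: NTLM\n'
    '\n'
    'Access denied')
HTTP_REFUSED = (
    'HTTP/1.1 403 Forbidden\n'
    'Content-Type: text/html\n'
    '\n'
    'This page must be viewed over a secure channel')
FBA_OVER_HTTPS = (
    'HTTP/1.1 200 OK\n'
    'Content-Type: text/html\n'
    '\n'
    '<form method="POST"><input name="username">'
    '<input type="password" name="password"></form>')

if __name__ == "__main__":
    for name, raw, scheme in (("before, http", BASIC_OVER_HTTP, "http"),
                              ("after, http", HTTP_REFUSED, "http"),
                              ("after, https", FBA_OVER_HTTPS, "https")):
        print(name, "->", classify(raw, scheme))
```

To use it against a live server, save the response headers and body from a request made without credentials (following redirects first) and pass the text to `classify`.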
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.