Solved

Issues Logging Off in Outlook Web Access on Firefox & Google Chrome

Posted on 2009-07-14
Last Modified: 2012-05-07
I have a Windows Small Business Server 2003 with Exchange 2003 (6.5) SP2 and when accessing Outlook Web Access from Internet Explorer the log off feature works fine. But when I access it from Google Chrome or Firefox and click the log off button then go back to the access page it is already logged in with the same user. I assume it's just an incompatibility between Exchange and these other web browsers. But is there a patch to fix this? I don't want my users to be logged in still if they use a public computer.

Thanks!
Dan
Question by:filtrationproducts
14 Comments
 
LVL 11

Expert Comment

by:gikkel
ID: 24850997
That doesn't seem normal...I tried to recreate from Firefox, Chrome, and Safari.  The only difference with those browsers is that when you click back, the user name remains.  The password shouldn't be saved and you definitely shouldn't be logged in.  Are you sure the account remains active?
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 24851481
Yes, if I log out I get the one window that tells you to click the close button and exit your browser to complete the log off. But when you click the Close button nothing happens in Firefox and Chrome. When in IE it will prompt you to close the browser. But even if I do not do that and go back to the domain.com/exchange page to log in (when in IE) it still re-prompts me for a user name and password. In Chrome and Firefox it just goes right back into the Inbox like you never logged off.

Does this make sense?
0
 
LVL 11

Expert Comment

by:gikkel
ID: 24851586
I really don't think that is normal...when you press logoff, it should just log off and return to the Exchange login page.  Is your site set up to require SSL? (https://)   Is your server up to date?
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 24851598
The site is not set up for SSL.

The server is up to date on SPs.
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 24851613
I can connect with SSL (self signed) but it still does the same thing. I press log off then click back or go to domain.com/exchange and it's back in the Inbox.
0
 
LVL 65

Accepted Solution

by:
Mestha earned 25 total points
ID: 24851768
Are you seeing the forms based authentication page?
If not then you are not using cookie control, so this behaviour is to be expected.
FBA is only available through SSL and should be enabled by default.

Simon.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24851772
Oh and service packs being up to date is not enough. You need to run Microsoft Update and the SBS Best Practices tool to ensure that you have all relevant updates.

Simon.
0
 
LVL 11

Assisted Solution

by:gikkel
gikkel earned 25 total points
ID: 24851906
OWA authentication is session based.  You must require SSL for users to be forced logged off after closing.  Since your logoff button isn't working correctly, I'm thinking our differences are because you require the logoff warning (to verify, view source when logged into OWA, see if var G_fWarnOnLogOff=true)...and that may be the Firefox/Chrome issue.
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027141
It says False. See below.
<SCRIPT language="JavaScript">
var g_iNewWindowWidth = 700;
var g_iNewWindowHeight = 500;
var g_fWarnOnLogOff=false;
function WarnOnLogOff()
{
if (g_fWarnOnLogOff)
alert("To help protect your mailbox from unauthorized access, close all browser windows when you finish using Outlook Web Access.");
}
</SCRIPT>

0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027219
Mestha:
The server is up to date using automatic updates.

I am running the exchange best practices tool and the only 3 issues that came back were;

1. global incoming message size not set
2. global outgoing message size not set
3. WMI access is not possible
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027273
I turned on Form Based Authentication under Exchange Service Manager / DOMAIN / SERVERS / DOMAIN / PROTOCOLS / HTTP / EXCHANGE VIRTUAL SERVER / PROPERTIES / SETTINGS

I tried logging in again with each web browser and they all still behaved the same way.
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027403
I found this on msexchange.org (which verifies everything you guys are saying). I don't understand why Microsoft would design something that is by default such a security issue.

"In addition to this, Outlook Web Access authentication is generally session based. This means if you do not logoff and close your browser you remain logged in. Especially in public web access areas where users are unable to close the browser window it becomes quite easy for other users to read and send emails in the name of a company user."

Then they go on to say after you create an SSL certificate and turn on form authentication you will still have the same effect and that the only difference now is there will be a default timeout time of 10 minutes and emails are no longer sent in clear text.

I don't see that as any more secure. I worry more about someone clicking the back button into my email inbox than someone scanning traffic and reading emails that are sent in clear text...
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027435
Is there a script or something someone could add to that button code so when the logoff button is clicked the connection is completely disconnected?
0
 
LVL 1

Author Comment

by:filtrationproducts
ID: 25027565
There we go!

Just like you guys said I configured it to force SSL use, I enabled Form Based Authentication on the Exchange directory in IIS, stopped and started the IIS directory then it started working like I want.

Thanks guys!
0
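
Added example, not part of the thread or of Exchange: a check that tells the two configurations discussed above apart from the response to an unauthenticated request for the OWA URL. A 401 challenge means the browser holds the credentials, while a logon form means the server controls the session. The function name, the response shape and the host mail.example.test are assumptions, and both sample responses are constructed.

```javascript
// Input: the response to an unauthenticated GET of the OWA URL,
// as { scheme, status, headers, body }. Hypothetical helper, not an Exchange API.
function classifyOwaAuth(resp) {
  // Normalise header names to lower case and values to arrays.
  const headers = {};
  for (const [name, value] of Object.entries(resp.headers || {})) {
    headers[name.toLowerCase()] = Array.isArray(value) ? value : [value];
  }
  // The first token of each WWW-Authenticate value is the scheme (Basic, NTLM, ...).
  const schemes = (headers['www-authenticate'] || [])
    .map((v) => v.trim().split(/\s+/)[0].toLowerCase());
  const hasLoginForm = /<input[^>]+type=["']?password/i.test(resp.body || '');
  const findings = [];
  let mode = 'unknown';

  if (resp.status === 401 && schemes.length > 0) {
    // The browser prompts for the credentials and keeps replaying them, which
    // is the behaviour the thread reports in Firefox and Chrome after log off.
    mode = 'browser-managed';
    findings.push('log off cannot end the session; the user must close the browser');
    if (schemes.includes('basic') && resp.scheme !== 'https') {
      findings.push('Basic credentials cross the network in clear text');
    }
  } else if (resp.status === 200 && hasLoginForm) {
    // Forms-based logon: the session lives in a cookie the server can end.
    mode = 'forms';
    if (resp.scheme !== 'https') {
      findings.push('logon form served without SSL');
    }
  } else if (resp.status >= 300 && resp.status < 400 && headers.location) {
    mode = 'redirect';
    findings.push('re-run the check against ' + headers.location[0]);
  }
  return { mode, schemes, findings };
}

// Constructed sample responses (not captured from a real server).
const SAMPLE_BASIC_HTTP = {
  scheme: 'http', status: 401,
  headers: { 'WWW-Authenticate': ['Negotiate', 'NTLM', 'Basic realm="mail.example.test"'] },
  body: '',
};
const SAMPLE_FORMS_HTTPS = {
  scheme: 'https', status: 200, headers: { 'Content-Type': 'text/html' },
  body: '<form method="POST"><input name="username"><input type="password" name="password"></form>',
};

console.log(classifyOwaAuth(SAMPLE_BASIC_HTTP));
console.log(classifyOwaAuth(SAMPLE_FORMS_HTTPS));
```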
