Time out issue with OWA. Users are being prompt to enter their credentials within five minutes of using OWA.

Time out issue with OWA. Users are being prompt to enter  their credentials within five minutes of using OWA.

OWA repeated authentication problem, IE 8, Exchange 2003
Users are prompted for authentication in OWA within unreasonable amount of time-less than 3 minutes. For example, when they go to OWA  url, then enter their credentials, then when they click on the email, they have to enter their credentials again. After several minutes whether they are just  clicking on the email or writing an email, the session ends and they have to enter their user name and password again.
After troubleshooting all day and asking users questions. It looks like the issue is not only restricted to IE8 but happens in all browsers (I have been told so, but will be verifying today the problem across al browsers). Furthermore,  it looks like the authentication prompt is due to some kind of a time out settings  because the OWA session times out after several minutes. What I mean is that when I enter the credentials, it will not asks me for authentication right away; I can click and open emails without a prompt, but after several minutes passed by, I am prompted to enter the credentials again. Also, if someone writes an email longer than 2-3 minutes, they would have to re enter their credentials over agian.
It looks like the session is timing out within reasonable time.

Please, help

btptech1Asked:
Who is Participating?
 
Glen KnightCommented:
There is also some timeouts you can specify in ISA see here: http://www.isaserver.org/tutorials/Using-2006-ISA-Firewall-RC-Publish-OWA-Sites-Part2.html
0
 
itsmeinCommented:
sounds like the app pool is getting recycled every few minutes. how many hits are you getting on OWA in a minute? check the settings on app pool used by OWA. not saying that is the problem, but its a start

SC
0
 
Glen KnightCommented:
You can change the timeout by editing the followin keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
PublicClientTimeout
TrustedClientTimeout

The time you enter is in seconds.

Once you have made the change you will need to run IISRESET to restart the IIS services.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
Glen KnightCommented:
The Default Website also has a connection time out on it.

In IIS right click on the default website (or whichever one has the Exchange Virtual Directory listed) then select properties on the first tab there is a connection timeout which by default i 120 seconds.

Change this and then restart IIS again.
0
 
btptech1Author Commented:
the Connection time out settings on the IIS virtual directory is set to 900 seconds.
I checked the registry by going to the following directory as you suggested:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA

There is no string or DWORD value inside the MSExchangeWeb\OWA directory such as
"PublicClientTimeout" or
"TrustedClientTimeout"

Should I create there a String or DWORD value for "PublicClientTimeoutand" and "TrustedClientTimeout"?

Thank you.


0
 
Satya PathakLead Technical ConsultantCommented:
Yes you can...
0
 
Satya PathakLead Technical ConsultantCommented:
but make sure first take a registery backup.
0
 
Glen KnightCommented:
Yes create those keys, it's explained herhttp://support.microsoft.com/kb/830827

they are dword valuese:
0
 
btptech1Author Commented:
I have a question.
If we have IIS time out settings in place for 900 seconds and we will create the registry settings for "PublicClientTimeout" and "TrustedClientTimeout". What settings will be taken in the affect- IIS settings or Registry settings??
What settings take precedence?
0
 
RovastarCommented:
the timeouts you are looking at are http keep alive times out not session ones. This are not relevant here.

Look at the app pools for this site and the asp timeouts (that is what I presume you are using) and make sure they are not too low too.

Other than that check all the OWA specfic timeouts and follow this guide for setting up OWA in Exchange 2003
http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html
0
 
Glen KnightCommented:
The only ones that should count are the OWA ones I have alread mentioned above.

However I have seen the timeout one you see in IIS cause disconnections although I have only seen this with Exchange 2007

have you made the registry changes? Did it resolve the problem?
0
 
btptech1Author Commented:
Refering to demazter's suggestion to add registry values to the exchange.
I checked the following article: http://support.microsoft.com/kb/830827

Question regarding adding the registry settings to Enabling Form-based Authentication.

I also checked our Exchange server settings.
-Form-based Authentication is not enabled on our server.
-Also cookies timed-out settings are not set, so thats not an issue.

Will it resolve the issue if we set cookies timed out by modifying the registry?
0
 
Glen KnightCommented:
the only keys you need to change/add are: "PublicClientTimeout" and "TrustedClientTimeout"
although I cannot remember if they are relevant when not using FBA.
0
 
btptech1Author Commented:
According to Rovastar's anser regarding  asp timeouts in the app pools.
Can you please give me more details how to set those settings. I checked the "ApplicationPools" and didn't find any settings such as
<%
Session.Timeout=5
%>
0
 
Glen KnightCommented:
I have never seen that cause a problem with timeouts in OWA
Have you tried adding the registry keys?
Its not going to cause any problems and will at least eliminate this as a resolution if it doesn't work.
0
 
btptech1Author Commented:
I just checked the ASP timeouts settings by godoing the following:
1. Start Internet Information Services (IIS) administration tool (snap-in) from the Control Panel.
2. Navigate to the "Default Web Site" node, right click on it and then select "Properties".
3. Click on the "Home Directory" tab, then "Configuration".

4. Click on the "Options" tab

The session time out is set to 20 minutes.



0
 
Glen KnightCommented:
Have you added the reg keys: "PublicClientTimeout" and "TrustedClientTimeout"??
0
 
btptech1Author Commented:

PublicClientTimeout" and "TrustedClientTimeout" are relavant to Forms-Based Authentication.
According to the article that you gave me http://support.microsoft.com/kb/830827 :
To configure the time-out value, you must first enable forms-based authentication and then modify the registry settings on the server.

We have a very large environment with thousands of users.
That's why I'm trying to find out first if this something that might resolve the issue.

Also, FYI. I have tried different browsers: IE  6, IE 7, and Firefox, and there is no issue with them
There session stays active more than 5 minutes. It prompts for credentials after 15 minutes only, how it is suppose to. Only with IE 8 we have this problem.

Also, I already spent a day with Microsoft and their IE 8 team. They didn't find any solution or problem with IE8. They told me it is not the problem with IE 8

Thank you so much

We are going to try to add above mentined values to the registry and let you know if this fix the issue.
Any suggestions, please let me know

Claudia
0
 
Glen KnightCommented:
If you use the compatability mode in IE8 does it still disconnect?
0
 
btptech1Author Commented:
Yes, it works in compatibility mode in IE 8.
0
 
Glen KnightCommented:
OK, that's something at least we have now identified the issue :-)
0
 
btptech1Author Commented:
Back to the beginning actually :). I started with IE 8 troubleshooting and spent all day with Microsoft IE 8 support. They said that there is no patch available and I should troubleshoot the exchange environment...
0
 
Glen KnightCommented:
So is this timeout happening internally or externally or both?
0
 
Glen KnightCommented:
Is it happening inside or outside your network or both?
0
 
btptech1Author Commented:
It is happening only outside. No problems internally
0
 
Glen KnightCommented:
Do you have ISA installed?
If so recreate the Exchange publishing rule and see if that helps
0
 
btptech1Author Commented:
Thanks, so much demazter.
Im goign to check ISA settings and let you know.
0
 
btptech1Author Commented:
I found the settings on ISA 2006 on Firewall policy for OWA for which is   Never use persistent cookies"
Also, below are the other settings that I found on ISA 2006 (firewall policy for OWA):
-SSL client certificate timeout is set to 300 seconds
-Client Credentials Caching is set to 300 seconds

Please, see the screen shots for the current settings.

Please, help.
0
 
Glen KnightCommented:
Can you post the screenshots?
0
 
btptech1Author Commented:
I have reposted this question in different zone, but the answer helped us so much to determine the problem.

Thanks so much
0
 
btptech1Author Commented:
ISA 2006 settings screenshot
ISAScreenshots.doc
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.