Solved

Timeout issue with OWA. Users are being prompted to enter their credentials within five minutes of using OWA.

Posted on 2009-12-16
Last Modified: 2012-05-08

OWA repeated authentication problem, IE 8, Exchange 2003
Users are prompted for authentication in OWA within an unreasonable amount of time, less than 3 minutes. For example, when they go to the OWA URL and enter their credentials, then click on the email, they have to enter their credentials again. After several minutes, whether they are just clicking on the email or writing an email, the session ends and they have to enter their user name and password again.
After troubleshooting all day and asking users questions, it looks like the issue is not only restricted to IE8 but happens in all browsers (I have been told so, but will be verifying the problem across all browsers today). Furthermore, it looks like the authentication prompt is due to some kind of timeout setting, because the OWA session times out after several minutes. What I mean is that when I enter the credentials, it will not ask me for authentication right away; I can click and open emails without a prompt, but after several minutes have passed, I am prompted to enter the credentials again. Also, if someone writes an email for longer than 2-3 minutes, they have to re-enter their credentials all over again.
It looks like the session is timing out within reasonable time.

Please, help

Question by:btptech1
31 Comments
 
LVL 10

Expert Comment

by:itsmein
ID: 26063398
Sounds like the app pool is getting recycled every few minutes. How many hits are you getting on OWA in a minute? Check the settings on the app pool used by OWA. Not saying that is the problem, but it's a start.

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26063465
You can change the timeout by editing the following keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
PublicClientTimeout
TrustedClientTimeout

The time you enter is in seconds.

Once you have made the change you will need to run IISRESET to restart the IIS services.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26063487
The Default Website also has a connection timeout on it.

In IIS, right-click on the default website (or whichever one has the Exchange Virtual Directory listed), then select Properties. On the first tab there is a connection timeout, which by default is 120 seconds.

Change this and then restart IIS again.
0

 

Author Comment

by:btptech1
ID: 26064259
The connection timeout setting on the IIS virtual directory is set to 900 seconds.
I checked the registry by going to the following key, as you suggested:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA

There is no string or DWORD value inside the MSExchangeWeb\OWA key such as
"PublicClientTimeout" or
"TrustedClientTimeout"

Should I create a String or DWORD value there for "PublicClientTimeout" and "TrustedClientTimeout"?

Thank you.


0
 
LVL 20

Expert Comment

by:Satya Pathak
ID: 26064334
Yes you can...
0
 
LVL 20

Expert Comment

by:Satya Pathak
ID: 26064340
But make sure you first take a registry backup.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26064363
Yes, create those keys; it's explained here: http://support.microsoft.com/kb/830827

They are DWORD values.
0
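An added example (not from the thread and not Microsoft's code) that combines the steps given in the answers above: back up the key, report whether `PublicClientTimeout` and `TrustedClientTimeout` exist as DWORD values, and create them if they do not. The function name, the backup folder and the sample numbers are assumptions; KB 830827 should be consulted for the unit, the valid range and the forms-based authentication prerequisite.

```powershell
# Added example, not from the thread. Run elevated on the Exchange 2003 server.
function Set-OwaTimeoutValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Check KB 830827 for the unit and valid range before choosing values.
        [Parameter(Mandatory = $true)][int]$PublicClientTimeout,
        [Parameter(Mandatory = $true)][int]$TrustedClientTimeout,
        # Assumption: any writable folder is acceptable for the .reg backup.
        [string]$BackupDir = $env:TEMP
    )

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA'
    if (-not (Test-Path $regPath)) { throw "Key not found: $regPath" }

    # Back up the key before touching it, as advised in the thread.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "OWA-key-$stamp.reg"
    if ($PSCmdlet.ShouldProcess($regPath, "Export to $backup")) {
        & reg.exe export ($regPath -replace '^HKLM:', 'HKLM') $backup | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg export failed; nothing was changed.' }
    }

    $key     = Get-Item $regPath
    $desired = @{ PublicClientTimeout  = $PublicClientTimeout
                  TrustedClientTimeout = $TrustedClientTimeout }
    $changed = $false
    foreach ($name in $desired.Keys) {
        $current = $key.GetValue($name, $null)
        if ($null -eq $current) {
            Write-Output "$name : not present"
        } else {
            $kind = $key.GetValueKind($name)
            Write-Output "$name : $current ($kind)"
            # Already a DWORD with the wanted value: nothing to do.
            if ($kind -eq 'DWord' -and $current -eq $desired[$name]) { continue }
        }
        if ($PSCmdlet.ShouldProcess("$regPath\$name", "Set DWORD $($desired[$name])")) {
            # -Force replaces a value created with the wrong type (e.g. String).
            New-ItemProperty -Path $regPath -Name $name -PropertyType DWord `
                -Value $desired[$name] -Force | Out-Null
            $changed = $true
        }
    }
    if ($changed) { Write-Output 'Values changed: run IISRESET to apply them.' }
}

# Dry run with constructed placeholder numbers: reports state, writes nothing.
Set-OwaTimeoutValue -PublicClientTimeout 15 -TrustedClientTimeout 60 -WhatIf
```

Dropping `-WhatIf` performs the export and the writes; the public-client value is normally kept shorter than the trusted-client one, since it governs sessions on shared machines.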
 

Author Comment

by:btptech1
ID: 26064535
I have a question.
If we have IIS timeout settings in place for 900 seconds and we create the registry settings for "PublicClientTimeout" and "TrustedClientTimeout", which settings will take effect: the IIS settings or the registry settings?
Which settings take precedence?
0
 
LVL 17

Expert Comment

by:Rovastar
ID: 26064591
The timeouts you are looking at are HTTP keep-alive timeouts, not session ones. These are not relevant here.

Look at the app pools for this site and the ASP timeouts (that is what I presume you are using) and make sure they are not too low too.

Other than that, check all the OWA-specific timeouts and follow this guide for setting up OWA in Exchange 2003:
http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26064628
The only ones that should count are the OWA ones I have already mentioned above.

However, I have seen the timeout one you see in IIS cause disconnections, although I have only seen this with Exchange 2007.

Have you made the registry changes? Did it resolve the problem?
0
 

Author Comment

by:btptech1
ID: 26065924
Referring to demazter's suggestion to add registry values to the Exchange server.
I checked the following article: http://support.microsoft.com/kb/830827

Question regarding adding the registry settings for enabling forms-based authentication.

I also checked our Exchange server settings.
- Forms-based authentication is not enabled on our server.
- Also, cookie timeout settings are not set, so that's not an issue.

Will it resolve the issue if we set the cookie timeout by modifying the registry?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26065980
The only keys you need to change/add are "PublicClientTimeout" and "TrustedClientTimeout",
although I cannot remember if they are relevant when not using FBA.
0
 

Author Comment

by:btptech1
ID: 26066135
Regarding Rovastar's answer about ASP timeouts in the app pools:
Can you please give me more details on how to set those settings? I checked the "ApplicationPools" and didn't find any settings such as
<%
Session.Timeout=5
%>
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26066153
I have never seen that cause a problem with timeouts in OWA.
Have you tried adding the registry keys?
It's not going to cause any problems and will at least eliminate this as a resolution if it doesn't work.
0
 

Author Comment

by:btptech1
ID: 26066398
I just checked the ASP timeout settings by doing the following:
1. Start Internet Information Services (IIS) administration tool (snap-in) from the Control Panel.
2. Navigate to the "Default Web Site" node, right click on it and then select "Properties".
3. Click on the "Home Directory" tab, then "Configuration".

4. Click on the "Options" tab

The session time out is set to 20 minutes.



0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26066408
Have you added the reg keys: "PublicClientTimeout" and "TrustedClientTimeout"??
0
 

Author Comment

by:btptech1
ID: 26066632

"PublicClientTimeout" and "TrustedClientTimeout" are relevant to forms-based authentication.
According to the article that you gave me, http://support.microsoft.com/kb/830827 :
To configure the time-out value, you must first enable forms-based authentication and then modify the registry settings on the server.

We have a very large environment with thousands of users.
That's why I'm trying to find out first if this is something that might resolve the issue.

Also, FYI, I have tried different browsers: IE 6, IE 7, and Firefox, and there is no issue with them.
Their session stays active more than 5 minutes. It prompts for credentials after 15 minutes only, as it is supposed to. Only with IE 8 do we have this problem.

Also, I already spent a day with Microsoft and their IE 8 team. They didn't find any solution or problem with IE 8. They told me it is not a problem with IE 8.

Thank you so much

We are going to try to add the above-mentioned values to the registry and will let you know if this fixes the issue.
Any suggestions, please let me know

Claudia
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26066655
If you use the compatibility mode in IE8, does it still disconnect?
0
 

Author Comment

by:btptech1
ID: 26067096
Yes, it works in compatibility mode in IE 8.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26067118
OK, that's something; at least we have now identified the issue :-)
0
 

Author Comment

by:btptech1
ID: 26067159
Back to the beginning, actually :). I started with IE 8 troubleshooting and spent all day with Microsoft IE 8 support. They said that there is no patch available and I should troubleshoot the Exchange environment...
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26067163
So is this timeout happening internally or externally or both?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26067268
Is it happening inside or outside your network or both?
0
 

Author Comment

by:btptech1
ID: 26085466
It is happening only outside. No problems internally.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26086075
Do you have ISA installed?
If so, recreate the Exchange publishing rule and see if that helps.
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 2000 total points
ID: 26086076
There are also some timeouts you can specify in ISA; see here: http://www.isaserver.org/tutorials/Using-2006-ISA-Firewall-RC-Publish-OWA-Sites-Part2.html
0
 

Author Comment

by:btptech1
ID: 26097583
Thanks so much, demazter.
I'm going to check the ISA settings and let you know.
0
 

Author Comment

by:btptech1
ID: 26146450
I found the setting on ISA 2006 in the firewall policy for OWA, which is "Never use persistent cookies".
Also, below are the other settings that I found on ISA 2006 (firewall policy for OWA):
- SSL client certificate timeout is set to 300 seconds
- Client Credentials Caching is set to 300 seconds

Please see the screenshots for the current settings.

Please, help.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26146559
Can you post the screenshots?
0
 

Author Closing Comment

by:btptech1
ID: 31666803
I have reposted this question in a different zone, but the answer helped us so much to determine the problem.

Thanks so much
0
 

Author Comment

by:btptech1
ID: 26147108
ISA 2006 settings screenshot
ISAScreenshots.doc
0
