
Exchange 2003 OWA reauthentication prompt

leporej092170
Hi,
I have an Exchange 2010 CAS server connected to a hardware load balancer and also have an Exchange 2003 front end server providing OWA access for users with mailboxes still on Exchange 2003. Any user who connects to Exchange 2010 OWA is working just fine; however, any Exchange 2003 mailbox user who comes in through the load balancer and the CAS and gets redirected to the Exchange 2003 front end server gets prompted a second time for their credentials before they are able to access their mailbox through OWA. Anyone have any idea why this happens and how to resolve this issue? Is it an Exchange configuration setting? This works just fine if the hardware load balancer is out of the picture. Any ideas? Thank you.

I've never used load balancing (I'm a developer, so I don't really get to play with that sort of thing).  But if you have forms-based authentication enabled (you probably have), then it may help you to know that FBA is a cookie-based authentication scheme.  So, if at any time during your OWA logon process, you see the server name change in the browser address bar (maybe you get redirected to a different name for the same server), then the cookies for the original server name will not be sent, and you will need to reauthenticate.
I saw that same thing when we were testing before migrating. I had two Exchange servers: 2010 and 2003. No front end/back end config, just an old and a new. If I came in from the 2003 OWA trying to access a 2010 mailbox, it would just go. If I tried what you do, I would have to authenticate twice. And it's because the one server doesn't know how to hand off to the other one securely; not sure I have a technical reason and the one given above may be about as good as it gets. Not sure there's a way to get around it either. We didn't even try since the migration was going to be short and we just kept two accesses for old and new OWA up and running.
If it is a cookies problem (which it will be if you see the server name in the address bar change at any time after you type in your credentials), you will need to find a way of making it stay the same.  To do this, you can set the internal and external URLs of your OWA installation (how you do it depends on which version you have).  Or, if the server name has changed, just use that in your URL, instead of whatever else you used to start with.  For example, if you go to
https://www.yourdomain.com/exchange
login, and find yourself at
https://mail.yourdomain.com/exchange
(they are the same machine, but the OWA external URL has been set to the second one), you will find yourself having to log in again, because cookies are only good for one server name.
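
The host scoping of cookies described in the answers above, as an added example that is not part of the original thread: it replays a recorded redirect chain and reports each hop where a cookie set earlier would not be sent back. The trace, the cookie name `fba_session` and the function names are constructed for illustration; only the two URLs come from the thread, and only host matching (not Path or Secure) is modelled.

```javascript
// Added example: RFC 6265 host scoping applied to a logon redirect chain.
// The cookie name and the trace are constructed sample data.

// RFC 6265 section 5.1.3: does the request host match the cookie's domain?
function domainMatch(host, cookieDomain, hostOnly) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  if (hostOnly) return false;               // no Domain attribute: exact host only
  return host.endsWith("." + cookieDomain); // Domain attribute: subdomains match too
}

// Keep only the parts of a Set-Cookie header that decide where it is sent.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], domain: originHost, hostOnly: true };
  for (const attr of attrs) {
    const [key, value] = attr.split("=");
    if (key.toLowerCase() === "domain" && value) {
      cookie.domain = value.replace(/^\./, "");
      cookie.hostOnly = false;
    }
  }
  // A server may only set a Domain it belongs to; browsers reject anything else.
  return domainMatch(originHost, cookie.domain, cookie.hostOnly) ? cookie : null;
}

// Walk the hops in order and list every earlier cookie that a hop will not receive.
function findDroppedCookies(hops) {
  const jar = [];
  const dropped = [];
  for (const hop of hops) {
    const host = new URL(hop.url).hostname;
    for (const c of jar) {
      if (!domainMatch(host, c.domain, c.hostOnly)) {
        dropped.push({ cookie: c.name, setFor: c.domain, requestedHost: host });
      }
    }
    for (const header of hop.setCookie || []) {
      const c = parseSetCookie(header, host);
      if (c) jar.push(c);
    }
  }
  return dropped;
}

// Constructed trace: credentials accepted on one name, redirect to another.
const trace = [
  { url: "https://www.yourdomain.com/exchange", setCookie: ["fba_session=abc123; path=/; secure"] },
  { url: "https://mail.yourdomain.com/exchange" },
];
console.log(findDroppedCookies(trace)); // one entry: fba_session is not sent to mail.yourdomain.com
```

Feeding it the hops copied from a browser's network log (URL plus any Set-Cookie headers per response) shows whether a second prompt lines up with a host name change.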

Author commented:
Any idea why this works when the hardware load balancer is out of the picture? Is there anything with regard to load balancer technology that might cause this issue? Thank you.
I don't know; like I say, I've never used one.  All I can tell you is that the OWA FBA mechanism relies on cookies.  I can't imagine that putting a load balancer in the way would affect anything - the cookies don't need to be exchanged with any one server in the array, assuming they have the same name.  I assume that the servers are in a cluster (i.e. they all appear to have a single network name), and the load balancer just distributes incoming network traffic between them.

Did you have a look at the server name in the address bar to see if it changed?  Even slightly?

Author commented:
Thanks for the help.