We have a Exchange 2016 environment and are using the Exchange templates to load balance this environment. We found out leaving the defaults for redirection with OWA caused a problem, while logging in the OWA.

After the authentication the page would show for brief moment the mailbox contents and then return to the OWA authentication page. This happened for a mailbox hosted on the 2 Exchange 2016 servers and all other (2013) exchange servers disabled in the VIP.

After turning on persistence on the OWA SubVS the problem was solved. I have it currently set to SuperHTTP and on 6 minutes.

KEMP_owaI have a pending question to

Kemp support to verify this is indeed an error in the templates and if what persistence type and timeout is recommended.  I will update this post as soon as I have an answer.

For Reference, this was found on;
– Kemp VLM200, version 7.1-30-75.20150929-3018
– Service templates version 1.9
– Exchange 2013 with CU10 and Exchange 2016
– Using just HTTP Re-encryption (so no ESP/Offloading)
– We tested with different mailboxes on/off a DAG and on Exchange 2013/2016. This gave us different results, so test your own environment to see if it’s just once scenario that is your problem. In our case this happened for a mailbox which was hosted on a Exchange 2016 DAG loadbalanced with Kemp, which was unaccep

table.

And if you ran into this issue, you probably want to read this too;
Exchange 2013 Post SP1 with Kemp LoadBalancers exRCA ActiveSync error: operation timed out
Ping to MAPI Mail Store Endpoint failed in exRCA while Load balancing Exchange 2016 and 2013 with KEMP

Update:

– After testing some more, it seems this is related to the co-existing scenario. We setup a clean 2013-Cu10 environment and no persistence is needed. So be carefull in co-existence scenario’s.
– Using the “change password” or just the options button from within OWA, the browser would default back to the login page. We solved this by setting persistence on the /ecp SubVS and enabling only the exchange server which hosted the affected mailboxes and are planning to migrate the mailboxes to Exchange 2016. It seems OWA has an close integration with ecp. If this workaround is not a option for you, I would recommend doing some further testing and after that contacting Kemp support.

4 Comments

  1. […] 360 ICT Technical Blog 360 ICT Technical Blog ← Remove Host from SCVMM2012R2 OWA does not work after Load balancing Exchange 2016 while using Kemp LoadBalancers → […]

  2. […] 360 ICT Technical Blog 360 ICT Technical Blog ← OWA does not work after Load balancing Exchange 2016 while using Kemp LoadBalancers […]

  3. Jonas Stalder

    Hey Guy

    I think I’ve solved your issue. I had exactly the same.

    Use an identical cert on your Exchange Frontend server. This is because exchange creates an auth. token with the public key of the cert used. As soon as your next session is built to a second CAS, this CAS tries to decrypt the OWA token by his private key. If it is not the same, it drops your auth token cookie (you can check this with Chrome F12 => network => Preserve Log and then see the cookies in the sesions).

    Sincerly
    Jonas

    1. Dennis Pennings

      Excellent! I’m gonna try that and let you know the results! Thank you for sharing!

Leave a Reply

Your email address will not be published. Required fields are marked *