HeavenBay-5717 asked emilyhua-msft edited

ARR 3.0 - Exchange 2019 CU7 DAG - OWA login loop

Hi,

I have an Exchange 2019 DAG with 4 EX servers. An IIS ARR 3.0 server was installed in the DMZ zone for filtering purposes. I had to enable the SSL offloading feature in order to forward unencrypted HTTP traffic to the upstream servers. Exchange 2019 has two CAS: frontend and backend. The "SSL required" checkbox was unset on the frontend side for all apps on the EX servers. I found some articles on how to set up ARR for Exchange, but not for 2019 and not for DAG. However, ARR works and the Outlook app works fine through this reverse proxy. Only OWA causes the login page loop problem.

If I open the OWA web page and enter my credentials, the page just redirects me to the login page again with the username filled in. There are no errors in the ARR logs:

    2021-06-29 16:40:22 10.0.0.6767 POST /owa/auth.owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.82&X-ARR-LOG-ID=cd3c9628-...-5aa42f0bf118&SERVER-STATUS=302 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 302 0 0 13
    2021-06-29 16:40:22 10.0.0.6767 GET /owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.83&X-ARR-LOG-ID=b6e2f90d-...-50d96e4ec209&SERVER-STATUS=302 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 302 0 0 6
    2021-06-29 16:40:22 10.0.0.6767 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.domain.com%2fowa&reason=0&X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.84&X-ARR-LOG-ID=a9cbe07a-...-d53c52885c89&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 200 0 0 14
    2021-06-29 16:40:24 10.0.0.6767 GET /owa/auth/logon.aspx replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa&X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.81&X-ARR-LOG-ID=216288a5-...-a5c2db240935&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.domain.com%2fowa&reason=0 200 0 0 54
    2021-06-29 16:40:24 10.0.0.6767 GET /owa/auth/15.2.792/themes/resources/segoeui-regular.ttf X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.82&X-ARR-LOG-ID=97e05718-...-84738c26e4eb&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 200 0 0 78

What did I miss?
Thanks!

Hi @HeavenBay-5717

Would you share with us which article you followed?
Did you follow the guide in this link: Part 1: Reverse Proxy for Exchange Server 2013 using IIS ARR

Thanks in advance for your update.


Hi KaelYao-MSFT,

Thank you for an answer!
Sure, a lot of them (most of them are copies of each other). I made a compilation of all of them. Some of them:
1. https://techcommunity.microsoft.com/t5/exchange-team-blog/part-1-reverse-proxy-for-exchange-server-2013-using-iis-arr/ba-p/592526
2. https://fiducheah.wordpress.com/2017/01/27/iis-arr-for-exchange-2016/
3. https://blog.it-kb.ru/2016/04/20/step-by-step-instruction-how-to-setting-up-publishing-exchange-server-2013-2016-using-iis-arr/

Your article says: "Select Routing Rules and uncheck Enable SSL Offloading as it is not supported in Exchange 2013." This is probably my mistake. But this is for Exchange 2013 and we have 2019 with the latest CU. Probably something changed in this technology. I hope so, and I have also opened a case with MS support.


I also did an experiment: if I disable ARR redirection and log in to OWA directly, the browser gets a generated cookie. If I then close this browser, enable ARR redirection and open mail.detmir.ru/owa again, I WILL see my mailbox! However, if I delete all cookies, re-open the browser and try to log in with ARR redirection, I find that the cookie won't be generated and I can't log in to OWA.

I guess that something is wrong with cookie generation when OWA is used.


1 Answer

WCW65-9345 answered HeavenBay-5717 commented

@HeavenBay-5717 I too have been working on this very same problem with Exch 2019 on prem. In addition to those same articles you referenced, I have also followed the instructions at:
configuring-ssl-offloading-in-exchange-2013-exchange-2013-help to enable SSL offloading.

Like you, I have narrowed the problem down to the cookie behavior and have been working through the issues highlighted in
1) enable-secure-httponly-cookies-iis
2) ensuring-secure-cookies-with-url-rewrite

But I have not got it working yet.


Hi WCW65-9345,

configuring-ssl-offloading-in-exchange-2013-exchange-2013-help to enable SSL offloading.

Cool article - thanks! However, it does not work either.

@HeavenBay-5717 I got it working. After ensuring you have SSL Offloading setup per the prior link I sent, you then need to ensure samesite cookies through the outbound rules.
I just followed the instructions in this article for samesite cookies and now my login loop is no longer happening. Site is working fine with SSL offload and login.

The article is part of the Url Rewriting series part 6 of 6 by the author. It has been very helpful with ARR issues for me.

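The outbound-rule approach described in the comment above, written out as an added example (not code from the thread or from the linked articles): a URL Rewrite outbound rule set for the ARR server's web.config that appends the Secure and SameSite attributes to any Set-Cookie header coming back from the Exchange backends without them. Rule and precondition names, and the choice of SameSite=Lax, are assumptions; URL Rewrite 2.x must be installed on the ARR server.

```xml
<!-- Added example for the ARR server's web.config; rule names and the
     SameSite value are assumptions, not taken from the thread. -->
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- With SSL offloading the backends see plain HTTP and may omit Secure.
             The browser only ever reaches ARR over HTTPS, so the flag is safe to add. -->
        <rule name="Add Secure to Set-Cookie" preCondition="Cookie without Secure">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
          <action type="Rewrite" value="{R:0}; Secure" />
        </rule>
        <!-- Give the OWA auth cookies an explicit SameSite attribute so the browser
             does not fall back to its own default when handling the logon redirect. -->
        <rule name="Add SameSite to Set-Cookie" preCondition="Cookie without SameSite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
          <action type="Rewrite" value="{R:0}; SameSite=Lax" />
        </rule>
        <preConditions>
          <!-- Only fire when a Set-Cookie header exists and the attribute is absent.
               Patterns are case-insensitive by default, so "secure" also matches. -->
          <preCondition name="Cookie without Secure">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern=";\s*Secure" negate="true" />
          </preCondition>
          <preCondition name="Cookie without SameSite">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern=";\s*SameSite=" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After applying it, check the response to the POST to /owa/auth.owa in the browser's developer tools: each Set-Cookie header should now carry both attributes, and the subsequent GET /owa should no longer be answered with a redirect back to logon.aspx.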

@WCW65-9345 Hey!

It's amazing. OWA started working like a charm! I did not immediately understand the course of your thoughts in the previous post.
Very good articles about secure flag and re-write rules.

Thank you for the awesome advice!
