This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello,
I followed an article kerberos-auth-for-load-balanced-client-access and it works great with SSO into OWA and all, no issues there. SPN's are added and created successfully however, I have began to notice NON domain joined clients that were working, are getting de-authenticated after about one hour and are always getting asked to re-enter credentials. Once they enter their credentials again, they will have access for about an hour or less and then they must enter username and password again.
I am also experiencing this on my Outlook App on Android. I am always having to enter my username/password again just to update my inbox, and its really annoying. Before configuring the ASA when users login their sessions were good to go all day
What can I do that Mobile devices and other NON domain joined clients dont have to keep entering their credentials?
Other info:
I would look into your load balancer and start there.
Load balanced behind Citrix ADC
Thats usually where a timeout would be enforced.
P.S. You are far behind on the CUs for Exchange. You should be at CU16/17.
Thanks for the reply. Keep in mind the deployment has been behind the ADC for a long time, only after I added the ASA did the multiple prompts come up. There is no auth configured on the ADC just secure reverse proxy for now. and yes, it needs to be updated haha.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 22%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hi Chaz,
I agree with Andy.
Hi @Chaz ,
I am writing here to confirm with you how thing going now? If the above suggestion helps, please click “Accept as answer” to mark helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Chaz ,
If the problem is successfully solved, you can share your solution and mark them or the helpful reply as answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
My apologies guys, I have been able to gain better clarification on this. Please see notes below.
Users using Outlook with MAPI over HTTP work just fine as long as they select "remember credentials" upon logging in. The only issue we are having is Mobile devices using the EAS service constantly have to login frequently. The EAS clients both internal/external have the same experience. The issue persists when bypassing the Load Balancer as well.
Hi @Chaz
Ok this sounds like a different issue that got introduced. Kerberos auth is specific to Outlook clients, not ActiveSync
Are you seeing heartbeat interval errors in the event logs similar to this?
Note:
The default maximum heartbeat interval is 3,540 seconds (59 minutes).
Are there any other network devices in front of the Exchange Servers? Typically you want those devices ( firewalls, load balancers etc) to have a heartbeat interval longer than Exchange is set to,.
The hour session timeout matches up, so this may be the issue.
Yes, that is exactly the error I am seeing. Is the mobile device not sending the heartbeats to exchange by chance? or is it possible the firewall or something else is cutting the session off early?
Hi Chaz,