Hello,
I followed an article kerberos-auth-for-load-balanced-client-access and it works great with SSO into OWA and all, no issues there. SPNs are added and created successfully; however, I have begun to notice non-domain-joined clients that were working are getting de-authenticated after about one hour and are always getting asked to re-enter credentials. Once they enter their credentials again, they will have access for about an hour or less and then they must enter username and password again.
I am also experiencing this on my Outlook App on Android. I am always having to enter my username/password again just to update my inbox, and it's really annoying. Before configuring the ASA, when users logged in, their sessions were good to go all day.
What can I do so that mobile devices and other non-domain-joined clients don't have to keep entering their credentials?
Other info:
I would look into your load balancer and start there.
Load balanced behind Citrix ADC
That's usually where a timeout would be enforced.
P.S. You are far behind on the CUs for Exchange. You should be at CU16/17.
Hi Chaz,
I agree with Andy.
My apologies guys, I have been able to gain better clarification on this. Please see notes below.
Users using Outlook with MAPI over HTTP work just fine as long as they select "remember credentials" upon logging in. The only issue we are having is that mobile devices using the EAS service constantly have to log in frequently. The EAS clients, both internal and external, have the same experience. The issue persists when bypassing the load balancer as well.
Hi @Chaz
OK, this sounds like a different issue that got introduced. Kerberos auth is specific to Outlook clients, not ActiveSync.
Are you seeing heartbeat interval errors in the event logs similar to this?
Note:
The default maximum heartbeat interval is 3,540 seconds (59 minutes).
Are there any other network devices in front of the Exchange Servers? Typically you want those devices (firewalls, load balancers, etc.) to have a heartbeat interval longer than Exchange is set to.
The hour session timeout matches up, so this may be the issue.
Yes, that is exactly the error I am seeing. Is the mobile device not sending the heartbeats to Exchange by chance? Or is it possible the firewall or something else is cutting the session off early?