Exchange 2010 / 2016 mixed - OWA/ECP invalid canary

John Ruddy
2021-06-11T08:14:14.207+00:00

Hi

Already posted a couple of questions regarding our Exchange 2010 -> 2016 migration and here's another.

Exchange 2010 SP3 with Rollup 32. Exchange 2016 CU 20

Mail flow is now via the 2016 server.

Staff and IT use OWA to set out of office messages for themselves and other staff.

They are now getting the "Invalid Canary" message when trying to do this. I've seen references to this from years ago which say it's fixed in 2010 SP3, but we already have this installed.

I have also found this link where someone says they have just started getting the issue after installing the recent 2021 Exchange security updates. Our 2016 is a fresh install so would have had these updates installed already.

https://practical365.com/microsoft-issues-critical-security-updates-for-exchange-server/

The second comment on the above link is the same setup as us and no-one replied to the person's query.

I have checked the case of both the owa and ecp URLs and they are all now lowercase. I have also rebooted both servers with no success.

If I change the link in the browser for owa/ecp to the local 2010 servername we don't then get the error. But we can't get staff to do this as they know the mail server by external url.

This could end up being a major issue so I'm hoping there is a fix for this.

Thanks


6 answers

  1. John Ruddy
    2021-07-13T13:37:33.167+00:00

    Hi

    I did some testing with Chrome in a VM. I downloaded a couple of older versions of Chrome (76 & 79) plus v81.

    When I was running 76 & 79 I could do what I needed to in OWA. As soon as I updated to 81 the invalid canary message appeared. I would think that now that Edge is based on the Chrome engine, this is why it will have the same problem.

    I then found this page:

    https://piunikaweb.com/2021/06/14/google-chrome-flags-for-samesite-cookies-taken-away-after-update-v91/

    Part way down it states:

    "Those who wish to disable the said SameSite flags can do so by adding --disable-features=SameSiteByDefaultCookies or --disable-features=CookiesWithoutSameSiteMustBeSecure in the Target field of the Google Chrome or Microsoft Edge properties and restart the web browser."

    I tried this and it does seem to work with both Chrome and Edge. This is workable for myself and other admins but not suitable for end users. They'd be as well sticking to I.E. so long as it keeps working.

    Unfortunately it also states further down that page:

    "However, this workaround will only work until the Google Chrome 94 update as the said command line flags will be removed after that."

    I don't know if it means the flags setting won't take effect after this or it just means the setting would be removed from the command line. I think it's probably the former so this fix would no longer work.

    We're not the only ones to have this issue so I wish Microsoft would come up with a proper solution.

    I know I could probably log a call with MS but the cost is probably prohibitive - don't know how much support calls cost these days.

    Thanks


  2. John Ruddy
    2021-07-13T14:29:40.153+00:00

    Hi
    OK - I've done a bit more digging and found various references to the SameSite cookie behaviour setting in Chrome/Edge.

    https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::LegacySameSiteCookieBehaviorEnabled

    Also this one - but I haven't yet worked out the format for this one to enter specific domains, which I think would be better for what we need.

    https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::LegacySameSiteCookieBehaviorEnabledForDomainList

    The first link above I followed and edited the registry on my own pc and created the registry entry in the screenshot.

    (screenshot of the registry entry: 114311-image.png)

    This actually seems to work so I'm hoping I might be able to create a GPO with this or preferably the entry which allows using a specific domain.

    I'll keep testing but hope this helps someone if it works.

    Thanks


  3. John Ruddy
    2021-07-13T17:25:36.653+00:00

    Hi

    Further update.

    Looks like both the settings work for Chrome and Edge and it should hopefully, in theory, be a matter of implementing either of these in a GPO rather than manually using regedit.

    The format for the domain specific setting is shown in this link:

    https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#legacysamesitecookiebehaviorenabledfordomainlist

    SOFTWARE\Policies\Microsoft\Edge\LegacySameSiteCookieBehaviorEnabledForDomainList\1 = "www.example.com"
    SOFTWARE\Policies\Microsoft\Edge\LegacySameSiteCookieBehaviorEnabledForDomainList\2 = "[*.]example.edu"

    I used the [*.]domain-name.com option and it seemed to work.

    On Google's site it mentions that support for this setting is likely to end at some point but I'm hoping it will work long enough for me to migrate our mailboxes.

    Again, hope this helps someone who might have the same issues.

    Thanks

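    The two registry policies referenced in answers 2 and 3 above, written and read back with PowerShell. This is an added example, not code from the thread or from Microsoft or Google. It assumes the Edge policy path quoted in the answer above, the Chrome equivalent under HKLM:\SOFTWARE\Policies\Google\Chrome (the location Chrome's policy documentation uses for registry-based policies), and a placeholder external OWA/ECP host written in the `[*.]domain` form the answer says worked; replace it with the real mail host. It must run in an elevated session because it writes to HKLM, and a GPO Registry Preference writing the same values is equivalent for end-user machines.

```powershell
# Added example (not from the thread). Writes the per-domain legacy SameSite
# policy for Chrome and Edge as numbered string values, then reads it back.
# Assumptions not taken from the page: the Chrome policy key path, and
# '[*.]mail.example.com' as a stand-in for the organisation's external mail host.
# Requires an elevated PowerShell session (writes under HKLM).

param(
    [string[]]$Domains = @('[*.]mail.example.com'),
    [ValidateSet('Chrome', 'Edge')]
    [string[]]$Browser = @('Chrome', 'Edge')
)

$PolicyKey = @{
    # Chrome registry policy location (assumption: from Chrome's policy docs, not this page)
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome\LegacySameSiteCookieBehaviorEnabledForDomainList'
    # Edge path as quoted in the answer above
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\LegacySameSiteCookieBehaviorEnabledForDomainList'
}

function Set-LegacySameSiteDomainList {
    param([string]$KeyPath, [string[]]$DomainList)

    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # The browser reads the list as consecutively numbered string values
    # (1, 2, 3 ...). Clear any existing numbered values first so a shorter
    # list does not leave stale domains still enabled.
    $key = Get-Item $KeyPath
    foreach ($name in $key.GetValueNames()) {
        if ($name -match '^\d+$') {
            Remove-ItemProperty -Path $KeyPath -Name $name
        }
    }

    $index = 1
    foreach ($domain in $DomainList) {
        New-ItemProperty -Path $KeyPath -Name $index -Value $domain -PropertyType String -Force | Out-Null
        $index++
    }
}

function Get-LegacySameSiteDomainList {
    param([string]$KeyPath)

    if (-not (Test-Path $KeyPath)) { return @() }
    $key = Get-Item $KeyPath
    # Return the domains in numeric order of their value names.
    $key.GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object { $key.GetValue($_) }
}

foreach ($b in $Browser) {
    Set-LegacySameSiteDomainList -KeyPath $PolicyKey[$b] -DomainList $Domains
    Write-Host "$b legacy SameSite domain list:"
    Get-LegacySameSiteDomainList -KeyPath $PolicyKey[$b] | ForEach-Object { Write-Host "  $_" }
}
```

    After running it, chrome://policy or edge://policy (use "Reload policies") should list LegacySameSiteCookieBehaviorEnabledForDomainList with the configured host. Keep the list to the mail host only: the per-domain policy re-enables pre-Chrome-80 cookie handling for those sites, which removes the cross-site request protection SameSite-by-default provides, so enabling it globally (the LegacySameSiteCookieBehaviorEnabled policy from answer 2) widens the exposure to every site the user visits. The thread also notes the policy is scheduled for removal, so check the current Chrome and Edge policy lists before depending on it for a long migration.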

  4. Yuki Sun-MSFT (Microsoft Vendor)
    2021-06-14T02:45:29.19+00:00

    Hi @John Ruddy ,

    Before going further, in order to view the build number and check if all the security updates for your Exchange server have been applied, you can follow this link, download and run the latest version of the HealthChecker script.

    Besides, according to your description, this is only affecting user mailboxes that still reside on Exchange 2010, right? If this is the case, I'd suggest moving one of the affected mailboxes to Exchange 2016 and seeing the result. If it works after moving to Exchange 2016, considering that Exchange 2010 has already reached the end of support, I'd recommend speeding up the migration process and proceeding to move all the remaining mailboxes to Exchange 2016 to avoid the "Invalid Canary" issue.

    In case you are currently not able to move all mailboxes to Exchange 2016, then please collect the following information for further troubleshooting:

    1. If possible, could you remove all sensitive information involved and share a screenshot or the detailed error message of "Invalid Canary" so that we can see if more clues can be found?
    2. When the error occurs, check the Event Viewer on the Exchange 2010 server and see if there are any relevant events recorded out there.
    3. Try testing with different browsers and also check it by opening the browser in private mode to see if there's any difference.

    Any findings, feel free to post back.



  5. John Ruddy
    2021-06-15T09:42:06.857+00:00

    (screenshot of the "Invalid Canary" error: 105782-invalid-canary.jpg)

    Hi
    I have uploaded a screenshot of the error. It happens when you click Save when making any changes to the Out of Office message.

    The 2010 server seems to give 3 event messages - 39, 38 & 4

    Event 39
    Current User: '"domain.name/User1" on behalf of "domain.name/user2"'
    Unique Key: 'S-1-5-21-545268291-1463314663-1478062314-4000'
    Cookie Name: 'msExchEcpCanary'
    Exchange Control Panel detected an invalid canary in cookie from request for URL 'https://exch2010-server/ecp/Organize/AutomaticReplies.svc/SetObject?msExchEcpCanary=foItQpLsFkCaujUC3CM6rp_2mR-KH9kIk_tefe4gFw7EgI9GCSR83bsKcGkTu1kzaSxqZrWMsUQ.'.
    Canary in cookie: 'foItQpLsFkCaujUC3CM6rp_2mR-KH9kIk_tefe4gFw7EgI9GCSR83bsKcGkTu1kzaSxqZrWMsUQ.'.
    Reset canary cookie for user

    Event 38
    Current User: '"domain.name/User1" on behalf of "domain.name/user2"'
    Exchange Control Panel detected an invalid canary from request for URL 'https://exch2010-server/ecp/Organize/AutomaticReplies.svc/SetObject'.
    Canary in cookie: '6dK4SoN_UUuszeM-oISiMIi0nw9uMdkITfUU6lnNx23yN8HqvIb7KNuCB_g4paYgJOQXVmzN8uk.' mismatch with canary in header/form: ', in URL '.

    Event 4
    Current user: '"domain.name/User1" on behalf of "domain.name/user2"'
    Request for URL 'https://exch2010-server/ecp/Organize/AutomaticReplies.svc/SetObject' failed with the following error:
    System.ServiceModel.FaultException: Invalid Canary
    at Microsoft.Exchange.Management.ControlPanel.RbacModule.Application_PostAuthenticateRequest(Object sender, EventArgs e)
    at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    The process seems to work, for me, using Internet Explorer but not Chrome or Edge. While using I.E. might be a workaround, we don't really want to encourage people to be using I.E. so we'd rather get a proper fix for the issue.

    Agree that migrating all the users is likely to get round the issue but there are hundreds of mailboxes and I'm not happy just to rush through them all without mitigating any problems as we go.

    Thanks

