ARR 3.0 - Exchange 2019 CU7 DAG - OWA login loop

HeavenBay 21 Reputation points
2021-06-29T16:59:31.243+00:00

Hi,

I have an Exchange 2019 DAG with 4 EX servers. An IIS ARR 3.0 server was installed in the DMZ zone for filtering purposes. I had to enable the SSL offloading feature in order to forward unencrypted HTTP traffic to the upstream servers. Exchange 2019 has two CAS: frontend and backend. The "SSL required" checkbox was unset on the frontend side for all apps on the EX servers. I found some articles on how to set up ARR for Exchange, but not for 2019 and not for a DAG. However, ARR works and the Outlook app works fine through this reverse proxy. Only OWA caused the login page loop problem.

If I open the OWA web page and enter my credentials, the page just redirects me to the login page again with the username filled in. There are no errors in the ARR logs:

    2021-06-29 16:40:22 10.0.0.6767 POST /owa/auth.owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.82&X-ARR-LOG-ID=cd3c9628-...-5aa42f0bf118&SERVER-STATUS=302 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 302 0 0 13  
      
    2021-06-29 16:40:22 10.0.0.6767 GET /owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.83&X-ARR-LOG-ID=b6e2f90d-...-50d96e4ec209&SERVER-STATUS=302 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 302 0 0 6  
      
    2021-06-29 16:40:22 10.0.0.6767 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.domain.com%2fowa&reason=0&X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.84&X-ARR-LOG-ID=a9cbe07a-...-d53c52885c89&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 200 0 0 14  
      
    2021-06-29 16:40:24 10.0.0.6767 GET /owa/auth/logon.aspx replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa&X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.81&X-ARR-LOG-ID=216288a5-...-a5c2db240935&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.domain.com%2fowa&reason=0 200 0 0 54  
      
    2021-06-29 16:40:24 10.0.0.6767 GET /owa/auth/15.2.792/themes/resources/segoeui-regular.ttf X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.82&X-ARR-LOG-ID=97e05718-...-84738c26e4eb&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 200 0 0 78  
  

What did I miss?
Thanks!
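
Added example (not part of the original post or of any Microsoft tooling): a small triage script for ARR logs in the field order shown in the question. It follows each client's `POST /owa/auth.owa` through its redirects and reports the chains that end back at `logon.aspx`, along with the `SERVER-ROUTED` backends involved. The sample lines and addresses are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import parse_qs

# Constructed sample lines in the same field order as the ARR log in the question
# (documentation-range addresses and a dummy user agent, not values from the post).
SAMPLE_LOG = """\
2021-06-29 16:40:22 198.51.100.10 POST /owa/auth.owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=192.0.2.82&SERVER-STATUS=302 443 - 203.0.113.5 UA/1.0 https://mail.example.test/owa/auth/logon.aspx 302 0 0 13
2021-06-29 16:40:22 198.51.100.10 GET /owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=192.0.2.83&SERVER-STATUS=302 443 - 203.0.113.5 UA/1.0 https://mail.example.test/owa/auth/logon.aspx 302 0 0 6
2021-06-29 16:40:22 198.51.100.10 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa&reason=0&X-ARR-CACHE-HIT=0&SERVER-ROUTED=192.0.2.84&SERVER-STATUS=200 443 - 203.0.113.5 UA/1.0 https://mail.example.test/owa/auth/logon.aspx 200 0 0 14
"""

def parse_line(line):
    """Split one log line and pull out the values ARR appends to the query field."""
    f = line.split()
    if line.startswith("#") or len(f) != 15:   # skip W3C headers and short lines
        return None
    q = parse_qs(f[5])
    return {
        "method": f[3], "path": f[4].lower(), "client": f[8], "status": int(f[11]),
        "backend": q.get("SERVER-ROUTED", ["?"])[0],
        "reason": q.get("reason", [None])[0],
    }

def find_login_loops(text):
    """Return one finding per logon POST whose redirect chain ends at logon.aspx."""
    findings, pending = [], {}
    for rec in filter(None, map(parse_line, text.splitlines())):
        c = rec["client"]
        if rec["method"] == "POST" and rec["path"] == "/owa/auth.owa":
            pending[c] = [rec]                  # a logon attempt starts here
        elif c in pending:
            chain = pending[c] + [rec]
            if rec["status"] in (301, 302):
                pending[c] = chain              # still being redirected
            else:
                del pending[c]                  # chain ended: a page was served
                if rec["path"] == "/owa/auth/logon.aspx":
                    findings.append({
                        "client": c,
                        "chain": [(r["method"], r["path"], r["status"]) for r in chain],
                        "backends": sorted({r["backend"] for r in chain}),
                        "reason": rec["reason"],
                    })
    return findings

if __name__ == "__main__":
    for finding in find_login_loops(SAMPLE_LOG):
        print(finding)
```

The `backends` list shows whether one logon attempt was spread across several upstream servers; the script reports that fact only and does not decide whether it is the cause.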

Accepted answer
  1. WCW65 91 Reputation points
    2021-06-30T12:52:51.23+00:00

    @HeavenBay I too have been working on this very same problem with Exch 2019 on prem. In addition to those same articles you referenced, I have also followed the instructions at:
    configuring-ssl-offloading-in-exchange-2013-exchange-2013-help to enable SSL offloading.

    Like you, I have narrowed the problem down to the cookie behavior and have been working through the issues highlighted in

    1. enable-secure-httponly-cookies-iis
    2. ensuring-secure-cookies-with-url-rewrite

    But have not got it working yet.

