OWA/ECP login loop on Exchange 2010/13/16
On Exchange server, configuring virtual directory might be pain sometime. A simple misconfiguration of Virtual directory might be the worst nightmare and create login loop, because I had this few days back. While configuring additional CAS server after few changes done on the Virtual directory, my OWA/ECP page start to go on loop whenever I tried to get login. I was on dark what mistake I had made. So, I tried to list down what might the issue that is causing on looping of my OWA/ECP page. While listing down, I have found two things.
- SSL Certificate.
- Issue with configuration of Virtual Directory.
SSL Certificate can also be the reason behind this kind of issue. So, you need to make sure you do have correct SSL assigned with IMAP, POP, IIS and SMTP. Also 2nd thing is that SSL certificate is across all of your Exchange server. If the issue is with SSL Certificate, you are lucky and can be resolve easily. But with virtual directory it is not so.
On my Earlier Blog, you can find how to configure Virtual Directory. But as going on, I came for the conclusion with that might not be enough if OWA/ECP login loop issue arises. Hence, here I have made an Table with the specific configuration required while configuring the OWA/ECP Virtual Directory.
On the IIS Manager expand to the default web site and check if the configuration you have made are as of the below Table are not.
Table: Chart of Virtual Directory configuration.
| Virtual directory |
Default IIS Authentication methods
|
SSL settings
|
Default authentication methods
Exchange Admin Center (EAC) |
HTTP Redirect
|
Authentication Methods
Exchange Management Shell (EMS) | ||
| Sites \ Default Web Site |
• Anonymous authentication
|
• Not Required
|
Available through EAC
|
YES
|
Internal
|
External
| |
| aspnet_client | • Anonymous authentication | • SSL required |
NO
| ||||
| Autodiscover | • Anonymous authentication • Basic authentication • Windows authentication | • SSL required | • Integrated Windows authentication • Basic authentication |
No
| Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth | Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth | |
| ECP
(Exchange Control
Panel)
| • Anonymous authentication • Basic authentication | • SSL required | • Use-forms-based authentication |
No
| Basic, Fba | Fba | |
| EWS
(Exchange
Web Services)
| • Anonymous authentication • Basic authentication | • SSL required | • Integrated Windows authentication |
No
| Ntlm, WindowsIntegrated, WSSecurity, OAuth | Ntlm, WindowsIntegrated, WSSecurity, OAuth | |
| Mapi | • Windows authentication | • SSL required | Not available in EAC |
No
| Ntlm, OAuth, Negotiate | Not configured | |
| Microsoft-Server-Active-Sync | • Basic authentication | • SSL required | • Basic authentication • Ignore client certificate |
No
| Not set * All methods can be used. | Not set * All methods can be used. | |
| OAB (Offline Address Book) | • Windows authentication | None available |
No
| WindowsIntegrated, OAuth | WindowsIntegrated, OAuth | ||
| OWA (Outlook Web App) | • Basic authentication | • SSL required | • Use-forms-based authentication • Domain\user name |
No
| Basic, Fba | Basic, Fba | |
| OWA\Calendar | • Anonymous authentication | • Ignore client certificates | None available |
No
| |||
| OWA\Integrated | • Windows authentication | • SSL required • Ignore client certificates | None available |
No
| |||
| OWA\oma (Outlook Mobile Access) | • Basic authentication | • Ignore client certificates | None available |
No
| |||
| PowerShell | • Windows authentication | • Not Required | None set |
No
| {} | {} | |
| Rpc | • Basic authentication • Windows authentication | • SSL required |
No
| ||||
Similarly, only configuration of Default website is not going to solve this issue. Hence you need more Knowledge on configuration of Exchange Back End site too, else you will keep on going loop. Below is the detail configuration you can have on Exchange Back End.
Table: Exchange Back End Virtual Directory Configuration.
| Virtual directory | IIS Default Authentication methods | IIS SSL settings | HTTP Redirect |
| Exchange Back End | • Not Required | Yes | |
| Autodiscover | • Anonymous authentication • Windows authentication | • SSL required • Ignore client certificates | No |
| ecp | • Anonymous authentication • Windows authentication | • SSL required • Ignore client certificates | No |
| EWS | • Anonymous authentication • Windows authentication | • SSL required • Ignore client certificates | No |
| Exchange* | • SSL required • Ignore client certificates | No | |
| Exchweb* | • SSL required • Ignore client certificates | No | |
| mapi* | • Anonymous authentication | • SSL required • Ignore client certificates | No |
| Microsoft-Server-ActiveSync | • Basic authentication | • SSL required • Ignore client certificates | No |
| OAB | • Windows authentication | • SSL required • Ignore client certificates | No |
| owa | • Anonymous authentication • Windows authentication | • SSL required • Ignore client certificates | No |
| owa\Calender | • Anonymous authentication | • Ignore client certificates | No |
| PowerShell | • Windows authentication | • SSL required • Accept client certificates | No |
| Public* | • SSL required • Ignore client certificates | No | |
| PushNotifications | • Anonymous authentication • Windows authentication | • SSL required • Ignore client certificates | No |
| Rpc | • Windows authentication | • Ignore client certificates | No |
| RpcWithCert | • Windows authentication | • Ignore client certificates | No |
I hope this will help you solving the Exchange OWA/ECP login loop issue. 
No comments:
Post a Comment