CAS Reboot causes login popup
-
Tuesday, May 01, 2012 02:25
I have seen a lot of similar threads but with different specifics that I believe change things a bit.
We have 2 CAS servers configured in a CAS array. All DB's are set to use the CAS array. Upon reboot of a CAS server a large portion of our RPC based users (Online and Cached mode, Exchange 2010 and 2007) are prompted to authenticate (the ones that are not prompted for first CAS server reboot are prompted during second CAS server reboot). The authentication box lists the CAS array name (NOT autodiscover). If a user cancels they are disconnected from Exchange. They can close and reopen Outlook to reconnect, or when prompted they can authenticate. We are using NTLM auth. We are using an F5 LTM (no NLB).
I am at a loss here, clearly clients should be able to move between CAS servers without needing to reauthenticate. All the fixes I have found have very specific causes that don't seem to apply.
All replies
-
Tuesday, May 01, 2012 02:41
I'm not sure about F5 but I observed similar behavior w/ Netscalers. Once you already have an established session it will prompt you for a password. However once CAS would come back up it would resume as normal.
I would try to connect directly to the CAS server to make sure that it's not an F5 issue.
-
Tuesday, May 01, 2012 03:53
If I bypass the F5 I would lose failover capability so I am not sure what I can test with that configuration.
It's as if the Outlook client is not sending NTLM credentials for some reason.
-
Tuesday, May 01, 2012 04:23
You can eliminate an issue with your appliance.
I'm not saying that as the solution. I'm saying that as a troubleshooting step.
- Edited by Halo-NEXT Tuesday, May 01, 2012 04:23
-
Tuesday, May 01, 2012 08:15
Outlook has some (in my opinion bad) logic when it comes to talking to CAS or a load balancer.
When you do something to your CAS or databases, Outlook is notified and will try to use Outlook Anywhere. This is all fine but I think Outlook will go to Outlook Anywhere without first trying to establish a new session to your LB and hopefully end up on another CAS.
Outlook also does this very quickly and, according to my research, also asks for Outlook Anywhere credentials before it has even tried to connect to it.
Here is some more information: http://anewmessagehasarrived.blogspot.se/2011/07/outlook-authentication-popup-when.html
Some load balancers send a TCP reset to the client when they see the monitored server (CAS) fail and this is triggering bad behavior in Outlook. See if you can get the load balancer not to send a TCP reset to clients when something happens to your CAS.
Also the latest patches for Outlook tend to behave better when dealing with failovers.
Another piece of advice is not to reboot your CAS just like that; first configure your load balancer to drain the connections to it before reboot.
Lasse Pettersson http://anewmessagehasarrived.blogspot.com
-
Tuesday, May 01, 2012 14:37
Halo-NEXT - If I eliminate the F5 for troubleshooting how do I then test failover? The issue only occurs when one box fails. If I get rid of the F5 and go to a single CAS server then I lose failover capability and the ability to test failover - in that scenario a failure of the box would eliminate service.
- Edited by jb1677 Tuesday, May 01, 2012 14:37
-
Tuesday, May 01, 2012 14:37
Lasse Pettersson - Great info, I will look into what the LB is configured to do on failure. Assuming Outlook did in fact flip to RPC/HTTP I would still not expect a login prompt. These are domain members and RPC/HTTP is configured to use NTLM - users are not prompted for a password when using RPC/HTTP on a normal day (much like in the article you linked). The issue occurs on Outlook 2007 and 2010 clients (patched to latest). The load balancer draining is an option but one we would like to avoid - it takes a simple reboot task that any person on the IT staff can perform and elevates it into a higher level person or two to do the work.
-
Wednesday, May 02, 2012 12:43
Could you try an old version of Outlook (not patched)?
14.0.4760.1000
I went to Kerberos Auth and found that the older version of Outlook fails over not newer versions please see
Would be interested to see if you find the same result
Regards - John
-
Friday, May 04, 2012 08:34 Moderator
Hello,
Any update?
Best Regards,
Lisa
-
Wednesday, May 23, 2012 19:46
Well, spent 2 days on the phone with Microsoft grabbing network captures only for them to tell me they can't find anything wrong!
Great, still no idea why but the oldest Outlook 2010 always fails over
-
Wednesday, May 23, 2012 20:48
How often does your F5 poll CAS to see if it's up and running? The reason for asking is that Outlook seems to change timeouts on connections depending on patch level.
Also, is the UPN matching the SMTP domain?
Lasse Pettersson http://anewmessagehasarrived.blogspot.com
-
Thursday, May 24, 2012 04:35
They are Kemps, not sure on timeouts, will take a look.
-
Sunday, June 03, 2012 21:07
Spent about 3-4 days on this with Microsoft, turns out CAS failover is not supposed to happen for a failed server even though 1 version of Outlook will fail over, "this is by design", that's what I got back from the MS Exchange design team.