CAS Reboot causes login popup
-
Tuesday, May 1, 2012 2:25 AM
I have seen a lot of similar threads but with different specifics that I believe change things a bit.
We have 2 CAS servers configured in a CAS array. All DBs are set to use the CAS array. Upon reboot of a CAS server a large portion of our RPC based users (Online and Cached mode, Exchange 2010 and 2007) are prompted to authenticate (the ones that are not prompted for first CAS server reboot are prompted during second CAS server reboot). The authentication box lists the CAS array name (NOT autodiscover). If a user cancels they are disconnected from Exchange; they can close and reopen Outlook to reconnect, or when prompted they can authenticate. We are using NTLM auth. We are using an F5 LTM (no NLB).
I am at a loss here, clearly clients should be able to move between CAS servers without needing to reauthenticate. All the fixes I have found have very specific causes that don't seem to apply.
All replies
-
Tuesday, May 1, 2012 2:41 AM
I'm not sure about F5 but I observed similar behavior w/ Netscalers. Once you already have an established session it will prompt you for a password. However, once CAS would come back up it would resume as normal.
I would try to connect directly to the CAS server to make sure that it's not an F5 issue.
-
Tuesday, May 1, 2012 3:53 AM
If I bypass the F5 I would lose failover capability so I am not sure what I can test with that configuration.
It's as if the Outlook client is not sending NTLM credentials for some reason.
-
Tuesday, May 1, 2012 4:23 AM
You can eliminate the issue with your appliance.
I'm not saying that as the solution. I'm saying that as a troubleshooting step.
- Edited by Halo-NEXT Tuesday, May 1, 2012 4:23 AM
-
Tuesday, May 1, 2012 8:15 AM
Outlook has some (in my opinion) bad logic when it comes to talking to CAS or a load balancer.
When you do something to your CAS or databases, Outlook is notified and will try to use Outlook Anywhere. This is all fine, but I think Outlook will go to Outlook Anywhere without first trying to establish a new session to your LB and hopefully end up on another CAS.
Outlook also does this very quickly and, according to my research, also asks for the Outlook Anywhere credential before it has even tried to connect to it.
Here is some more information: http://anewmessagehasarrived.blogspot.se/2011/07/outlook-authentication-popup-when.html
Some load balancers send a TCP reset to the client when they see the monitored server (CAS) fail, and this is triggering bad behavior in Outlook. See if you can get the load balancer not to send a TCP reset to clients when something happens to your CAS.
Also, the latest patches for Outlook tend to behave better when dealing with failovers.
Another piece of advice is not to reboot your CAS just like that; first configure your load balancer to drain the connections to it before reboot.
Lasse Pettersson http://anewmessagehasarrived.blogspot.com
-
Tuesday, May 1, 2012 2:37 PM
Halo-NEXT - If I eliminate the F5 for troubleshooting how do I then test failover? The issue only occurs when one box fails. If I get rid of the F5 and go to a single CAS server then I lose failover capability and the ability to test failover - in that scenario a failure of the box would eliminate service.
- Edited by jb1677 Tuesday, May 1, 2012 2:37 PM
-
Tuesday, May 1, 2012 2:37 PM
Lasse Pettersson - Great info, I will look into what the LB is configured to do on failure. Assuming Outlook did in fact flip to RPC/HTTP I would still not expect a login prompt. These are domain members and RPC/HTTP is configured to use NTLM - users are not prompted for a password when using RPC/HTTP on a normal day (much like in the article you linked). The issue occurs on Outlook 2007 and 2010 clients (patched to latest). The load balancer draining is an option but one we would like to avoid - it takes a simple reboot task that any person on the IT staff can perform and elevates it into a higher level person or two to do the work.
-
Wednesday, May 2, 2012 12:43 PM
Could you try an old version of Outlook (not patched)?
14.0.4760.1000
I went to Kerberos Auth and found that the older version of Outlook fails over not newer versions please see
Would be interested to see if you find the same result
Regards - John
-
Friday, May 4, 2012 8:34 AM Moderator
Hello,
Any update?
Best Regards,
Lisa
-
Wednesday, May 23, 2012 7:46 PM
Well, spent 2 days on the phone with Microsoft grabbing network captures only for them to tell me they can't find anything wrong!
Great, still no idea why but the oldest Outlook 2010 always fails over.
-
Wednesday, May 23, 2012 8:48 PM
How often does your F5 poll CAS to see if it's up and running? The reason for asking is that Outlook seems to change timeouts on connections depending on patch level.
Also, is the UPN matching the SMTP domain?
Lasse Pettersson http://anewmessagehasarrived.blogspot.com
-
Thursday, May 24, 2012 4:35 AM
They are Kemps, not sure on timeouts, will take a look.
-
Sunday, June 3, 2012 9:07 PM
Spent about 3-4 days on this with Microsoft, turns out CAS failover is not supposed to happen for a failed server even though 1 version of Outlook will fail over, "this is by design", that's what I got back from the MS Exchange design team.

