Exchange 2016 Logoff does not generate logoff request

  • Question

  • When logged into Exchange 2016 OWA we notice that clicking the "logoff" button does not trigger a GET /owa/logoff.owa. This is used by our Reverse Proxy for terminating connections (similar to TMG).

    However when using ECP this does trigger this logoff string.

    How can a logoff string be generated in Exchange 2016?

    Tuesday, January 5, 2016 12:02 PM

All replies

  • Hi,

    Based on my knowledge, when using OWA, and when you click on sign out:

    Client initiates logoff with the request to “/owa/logoff.owa”

    The server sends to client a 302 redirect to the landing page “/owa/auth/signout.aspx”

    For Exchange 2013, the "logoff" button does not trigger the logoff string by default, and the legacy logoff mode can be enabled (disabling the redirect to signout.aspx) by changing 3 web.config files.

    On servers with the Client Access role;

    %ExchangeInstallPath%\FrontEnd\HttpProxy\OWA\web.config

    On servers with the Mailbox Role;

    %ExchangeInstallPath%\ClientAccess\OWA\web.config
    %ExchangeInstallPath%\ClientAccess\ECP\web.config

    Remove the following line and do an iisreset (make sure you make a backup of web.config before you do this):

    <add key="LogonSettings.SignOutKind" value="LegacyLogOff" />

    But I couldn't perform the same thing for Exchange 2016. I will continue to search and test, and will let you know.

    Best Regards.



    Lynn-Li
    TechNet Community Support

    Wednesday, January 6, 2016 9:17 AM
    Moderator
  • What reverse proxy are you using out of curiosity?

    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, January 8, 2016 2:30 AM
  • The reverse proxy being used is the Kemp Loadmaster, which is using basic authentication to the Exchange server with forms-based auth on the client side.

    Previously in Exch 2013 we were using the logoff string to clear the forms-based authentication/cookie sessions.

    http://kemptechnologies.com/microsoft-load-balancing/microsoft-forefront-tmg-replacement/

    thanks

    Friday, January 8, 2016 12:21 PM
  • I tried this on Exchange 2016/2010 mixed mode with TMG 2010 and it seems to work.  Do you know why Microsoft decided to back off the proposed change in CU9?  I guess this means we have to re-do this step after every Exchange patch.

    http://blogs.technet.com/b/exchange/archive/2015/01/12/owa-forms-based-auth-logoff-changes-in-exchange-2013-cumulative-update-8-and-good-news-for-tmg-customers.aspx

    Tuesday, February 23, 2016 8:15 PM
  • I do not see "<add key="LogonSettings.SignOutKind" value="LegacyLogOff" />" in the web.config files mentioned.  Was this removed in Exchange 2016 CU1?  How does one address this issue on CU1 and beyond?

    Ben

    Wednesday, June 15, 2016 6:51 PM
  • I do not see "<add key="LogonSettings.SignOutKind" value="LegacyLogOff" />" in the web.config files mentioned.  Was this removed in Exchange 2016 CU1?  How does one address this issue on CU1 and beyond?

    Ben

    Ben, have you figured this one out? We are suffering the same issue. Through TMG 2010 as well as through WebApp Proxy by the way.
    Saturday, August 13, 2016 3:02 PM
  • 2016 CU2. We have the same issue.

    Gents, is there any news?

    Can anyone open a case with MS?

    web.config is not working for CU2.


    mcse^4

    Monday, August 15, 2016 12:10 PM
  • Hi Lynn, any news on this one for Exchange 2016?

    Thanks!


    Thanks, regards, tim

    Wednesday, October 5, 2016 1:16 PM
  • Hi Lynn, any news on this one for Exchange 2016?

    Thanks!


    Thanks, regards, tim


    +1, hope Microsoft can add LegacyLogoff back.  It was removed back in CU1 :o(
    Wednesday, October 5, 2016 1:23 PM
  • I am desperate to have this fixed. I am stuck on Exchange 2016 RTM at the moment to keep logoff working. With this RTM version I am experiencing the TNEF bug on converting RTF to HTML mail for external domains, which causes mail to hang up in the queue. I really need to be able to patch my Exchange 2016 infrastructure but can't due to not being able to capture the logoff. It's a show stopper... Anyone figure anything out? I've been fighting with it for quite some time now and no luck.

    Mike

    Friday, October 7, 2016 6:56 PM
  • Same here. I'm replying here so I get updates on this thread. This has been bugging us ever since we moved to Exchange 2016. We use WebApp Proxy together with ADFS to deploy OWA to the outside, just as MS wants us to. However, even when I access OWA from the inside, bypassing any firewalls, SSL proxies or anything at all, the logoff button does not actually log off the session, but shows a message to close all your browser screens. Now that's an annoying 'feature' to say the least.

    Curious if this gets fixed anytime soon.

    Wednesday, October 12, 2016 3:27 PM
  • We have the same problem: Exchange behind a Kemp Load Balancer. Hi Microsoft, is there a solution or did we miss something important?

    Thanks 

    John


    Thank you John

    Wednesday, November 30, 2016 12:51 PM
  • I'm looking for answers to this as well. I had to change authentication to form based but now users have to login twice: once for TMG and once for Exchange.
    Saturday, December 10, 2016 4:39 PM
  • Does anyone have an update? We've published OWA through WAP / ADFS as per MS recommendations at the time, and now we suffer this issue still.
    Monday, May 1, 2017 10:10 AM
  • We have the same problem with our Citrix Netscaler working as Reverse Proxy.

    Netscaler and Exchange 2013 CU15 working well (if we configure "SignOutKind" in Exchange OWA web.config)

    In Exchange 2016 CU4 this option isn't available.

    All other Reverse Proxy configuration is working well, FBA on Netscaler and SingleSignOn to Exchange 2016 OWA. Only at logoff we get an annoying popup to close the window, but we can't terminate the session on Netscaler.

    Yesterday I talked to Microsoft Support.

    The actual statement is "works as designed", but they would talk to the product manager and give me feedback by next week.

    If there is no option yet, we create a feature request for this.


    Kind regards, Tobias Schiessl

    Wednesday, May 10, 2017 7:20 AM
  • UNSUPPORTED FIX BELOW

    We're using Kemp as a TMG replacement and were in the same situation. We promised our client that signout would work after they announced that they fixed it in 2013/2016. So we had to make this work. This is a one-liner to make it work.

    I cannot guarantee this will work on future versions. This is functioning in our Exchange 2016 CU#6 build 15.1.1034.26.

    THE FIX :

    Edit Exchange\V15\ClientAccess\Owa\prem\15.1.1034.26\scripts\microsoft.owa.core.models.js

    Add this line

    $(document).ready(function(){ $('._ho2_2').click(function () { $('body > div:last-child ._abs_c div[role=menu] > div > div:last-child > button').on('click', function () { window.location.href= './logoff.owa' }) })  });

    Save & iisreset

    When you log out, the pop-up comes up but the logoff works a split second later, which is way better than no logoff. It seems to be a non-language-specific fix as it's just looking for the last item in the dropdown menu. Thought I'd share since we spent some time with a webdev pondering on this fix.

    Let us know if it works for you or if you know any way to improve it!

    Thanks




    • Proposed as answer by INFSC Tuesday, August 15, 2017 3:32 PM
    • Edited by INFSC Tuesday, August 15, 2017 3:34 PM
    Tuesday, August 15, 2017 3:30 PM
  • Let us know if it works for you or if you know any way to improve it!

    Works on 15.1.1261.35 (CU7). Appreciate the post.

    Not pretty, though - this should be fixed !!

    Thx&Rgds,
    M.

    Wednesday, November 29, 2017 8:14 PM
  • Hi INFSC,

    many thanks for that "unsupported" fix. It also works with Exchange 2016 CU8 (V15.1.1415.2). I only changed "./logoff.owa" to "./auth/signout.aspx". This works perfectly with our WAF (Sophos UTM V9.5).

    $(document).ready(function(){ $('._ho2_2').click(function () { $('body > div:last-child ._abs_c div[role=menu] > div > div:last-child > button').on('click', function () { window.location.href= './auth/signout.aspx'}) })  });

    I've also tested the behaviour with Chrome, Firefox and IE on Windows -> works as expected.
    Only on Android 7 with Chrome 64.0.3282.137 (Huawei P9 lite) it doesn't work - don't know why :-(.

    Update:
    I also tested Safari -> same problem. As I traced the connection through my WAF, I recognized that the script "microsoft.owa.core.models.js" will not be used (loaded) on mobile devices. So this fix will not work. But which script will be used for mobile devices instead?

    Anyone any idea?

    BR,
    Florian


    • Edited by FBrandl Saturday, March 3, 2018 9:39 AM Update1
    Saturday, March 3, 2018 9:02 AM
  • Thanks INFSC and FBrandl, worked a treat for us on 2016 CU8.

    For anyone using a Netscaler and AAA .... I used "./auth/signout.aspx" in the js file but in the logout traffic Policy syntax I had to use logoff.owa to be successful, e.g. HTTP.REQ.URL.CONTAINS("logoff.owa")

    Aengus



    • Edited by AengusM Friday, April 27, 2018 2:00 AM
    Thursday, April 26, 2018 10:00 PM
  • Hi Guys,

    still works with CU11. I just implemented and tested it.

    BR
    Florian 

    Saturday, November 24, 2018 10:23 AM
  • The bug still exists and the unofficial manual bugfix with microsoft.owa.core.models.js mentioned in this thread still works with Exchange 2016 CU12.

    This is a serious "broken Session Management" bug (OWASP TOP 10 2017 A2). How can it be that it hasn't been fixed for over 3 years now!? It seems to be quite easy to fix.

    Thursday, March 28, 2019 6:03 AM
  • Just confirming. FIX Still working on Exchange 2016 CU12 (1713.5)
    • Edited by Patzl Wednesday, July 17, 2019 2:30 PM
    Wednesday, July 17, 2019 2:29 PM
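
Added example, not from any poster in this thread and not Microsoft or vendor code: one way to check from reverse-proxy access logs whether sign-out actually ends a session, which is the concern behind this thread. The log format, session IDs and sample lines are constructed; the two sign-out paths are the ones named above.

```javascript
// Added example. Log format is hypothetical and the lines are constructed:
// <ISO time> <method> <uri> <status> <proxy session id>
const SAMPLE_LOG = `
2019-03-28T06:00:01Z GET /owa/ 200 sessA
2019-03-28T06:00:09Z GET /owa/logoff.owa 302 sessA
2019-03-28T06:00:10Z GET /owa/auth/signout.aspx 200 sessA
2019-03-28T06:05:00Z GET /owa/ 302 sessA
2019-03-28T06:01:00Z GET /owa/ 200 sessB
2019-03-28T06:02:00Z GET /OWA/Auth/SignOut.aspx?x=1 200 sessB
2019-03-28T06:03:00Z POST /owa/service.svc 200 sessB
2019-03-28T06:04:00Z GET /owa/ 200 sessC
`;

// The two sign-out URLs named in this thread.
const LOGOFF_PATHS = ['/owa/logoff.owa', '/owa/auth/signout.aspx'];

// Exact path match, ignoring case and query string (IIS paths are case-insensitive).
function isLogoffRequest(uri) {
  return LOGOFF_PATHS.includes(uri.split('?')[0].toLowerCase());
}

// Returns { sessionId: 'terminated' | 'survived-logoff' | 'no-logoff-seen' }.
function auditSessions(logText) {
  const entries = logText.split('\n').map(l => l.trim()).filter(Boolean)
    .map(l => {
      const [time, method, uri, status, session] = l.split(/\s+/);
      return { time, method, uri, status: Number(status), session };
    })
    .sort((a, b) => a.time.localeCompare(b.time)); // logs may arrive out of order

  const state = new Map();
  for (const e of entries) {
    const s = state.get(e.session) || { logoffSeen: false, okAfterLogoff: 0 };
    if (isLogoffRequest(e.uri)) s.logoffSeen = true;
    // A 2xx answer after sign-out means the session was still honoured.
    else if (s.logoffSeen && e.status >= 200 && e.status < 300) s.okAfterLogoff++;
    state.set(e.session, s);
  }
  const verdicts = {};
  for (const [id, s] of state) {
    verdicts[id] = !s.logoffSeen ? 'no-logoff-seen'
      : s.okAfterLogoff > 0 ? 'survived-logoff' : 'terminated';
  }
  return verdicts;
}

console.log(auditSessions(SAMPLE_LOG));
```

Sessions reported as `survived-logoff` or `no-logoff-seen` are the ones where the proxy never got the chance to clear its forms-based authentication state.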