UAG 2010 SP4 - Exchange 2013 OWA Sign out not working

Hi Fellows,

I am trying to publish OWA using UAG 2010 SP4.

The problem I am facing is that when I access OWA from outside, I am presented with a login interface (UAG look and feel) and am able to log in properly, but I cannot log off. It says "To finish signing out, please close all open browser windows".

I need external users to be able to sign-out from OWA. How can I achieve this using UAG 2010 SP4?

Additional information:
There is no authentication on UAG Trunk.

Log-Off Scheme is enabled on UAG Trunk.

OWA Virtual Directories are configured as Windows Integrated internally (no FBA).
OWA Application Authentication is set to "Automatically Reply to Application Specific Authentication Requests"

Regards,

Junaid Ahmed

April 8th, 2014 11:41am

Hi J.A,

You said: "There is no authentication on UAG Trunk" - so if you do not authenticate to UAG, from what do you want to log off?

I think you need to enable the trunk authentication, otherwise, there is no meaning to "logoff" if you never "log in" ;-)

Ophir.

April 8th, 2014 2:14pm

Well, that's the thing: if I don't have authentication on the trunk, why am I presented with a UAG log-in look and feel? I was thinking that if UAG is authenticating (through look and feel), then there must be a way to log off from UAG also when a user is located outside.

The authentication on the UAG Trunk was disabled by a Microsoft PFE for a support case to make Outlook work externally. We couldn't make Outlook Anywhere work outside the organization with any combination of authentication on Exchange Server (Set-OutlookAnywhere). So we opened a case with MS and got it resolved by disabling the authentication on the UAG Trunk.

By the way, the UAG look and feel for OWA is not a big issue for us; it's the inability to log off while sitting outside.
I hope it all makes sense.
April 10th, 2014 7:22am

Hi J.A,

The reason UAG is asking for the credentials is that you enabled SSO with the OWA ("Automatically Reply to Application Specific Authentication Requests"). In order for UAG to do the SSO, it needs the user credentials (as SSO means that UAG authenticates to the OWA, and not the user). Since UAG is set to not require authentication at trunk level, it uses the "On-The-Fly" authentication and asks the user for her credentials, and this is the page you see.

Here is what you can try:

After the user logs on, instead of using the OWA "Logoff", just change the URL in the browser to the following URL:

https://YOUROWAADDRESS/InternalSite/LogOffMsg.ASP

If you do that, do you see the UAG logoff? If so, it is just a matter of a small customization to point the Exchange logoff to that page (/InternalSite/LogOfMsg.asp). This is usually done by the AppWrap mechanism, and it is strange that it was not done in your system...

(Are you using the default English OWA interface? If not, can you try with the English interface and see if it still does not work?)

Hope this helps...

Ophir.

April 10th, 2014 8:02am

Dear Ophir,

Sorry for being late.

Thank you very much for your time and help. I have removed the check "Automatically Reply to Application Specific Authentication Requests" from the OWA application on UAG, and now it's presenting me with the OWA 2013 look and feel.

Regarding the logoff, I am still getting the same message about closing the browser.
I tried the URL https://YOUROWAADDRESS/InternalSite/LogOffMsg.ASP, and it presented me with a UAG look and feel page saying "You have attempted to access a restricted URL. The URL contains an invalid path. Navigate back and follow another link, or type in a different URL."

Is it the expected UAG page you mentioned above? If so, shall I proceed with the customization? Can you please elaborate on what customizations are to be done?
If not, how do I get over it?

On UAG Trunk, the logoff URL is /InternalSite/LogOffMsg.asp and LogOff Message is /InternalSite/OWA/LogOfMsg.asp

Regards.

April 12th, 2014 4:07pm

Hi J.A,

If you are no longer using the "Automatically Reply to Application Specific Authentication Requests" option, and your trunk is set without authentication, the UAG is not doing any authentication anymore, therefore there is no need to implement logoff from the UAG level.

The message of closing the browser is the default exchange logoff screen (you can see it also if you access OWA internally, without UAG).

Ophir.

April 13th, 2014 5:40am

This behavior is occurring because you have your OWA virtual directories set to Windows Integrated Authentication.

From your Exchange Admin Center, go to Servers - Virtual directories (Pick your server if you have multiple ones).

Edit the OWA (Default Web site) - Authentication

Uncheck "Use one or more standard Authentication" and Check "Use Forms Based Authentication" (Pick which option in FBA)

Save, and you will need to do the same for the ECP Virtual directory (actually, it will display a message about this).

Reset/Restart IIS and it should work and you should log off normally

However the SSO of the UAG portal will be lost as you will be asked twice for authentication, once in the UAG portal and the other one when you open the OWA.

Hope this will clarify the issue.

Regards,

A.Nabil

December 30th, 2014 4:35pm
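
The Exchange Admin Center steps in the reply above can also be carried out from the Exchange Management Shell, with a record of the previous settings kept for rollback. This is an added example, not part of the original thread; the server name `EX2013-CAS01` and the backup path are placeholders, and leaving Basic enabled alongside FBA is an assumption about the combination EAC applies.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2013 server.
# $Server and $Backup are placeholders (assumptions), not values from the thread.
$Server = 'EX2013-CAS01'
$Backup = 'C:\Temp\vdir-auth-before.xml'
$OwaId  = "$Server\owa (Default Web Site)"
$EcpId  = "$Server\ecp (Default Web Site)"

$props = 'Identity', 'FormsAuthentication', 'WindowsAuthentication',
         'BasicAuthentication', 'DigestAuthentication'

# 1. Record the current authentication settings so the change can be rolled back.
$before = @(Get-OwaVirtualDirectory -Identity $OwaId) +
          @(Get-EcpVirtualDirectory -Identity $EcpId)
$before | Select-Object $props | Export-Clixml -Path $Backup
$before | Format-Table $props -AutoSize

# 2. Switch OWA from Windows Integrated to Forms Based Authentication.
#    Basic is left enabled alongside FBA (assumption, see lead-in).
Set-OwaVirtualDirectory -Identity $OwaId `
    -FormsAuthentication $true -BasicAuthentication $true -WindowsAuthentication $false

# 3. ECP has to use the same authentication methods as OWA.
Set-EcpVirtualDirectory -Identity $EcpId `
    -FormsAuthentication $true -BasicAuthentication $true -WindowsAuthentication $false

# 4. Restart IIS so the new settings take effect.
iisreset /noforce

# 5. Confirm both directories now report FormsAuthentication = True
#    and WindowsAuthentication = False.
@(Get-OwaVirtualDirectory -Identity $OwaId) +
@(Get-EcpVirtualDirectory -Identity $EcpId) |
    Format-Table $props -AutoSize
```

As the reply notes, once the virtual directories use FBA, a UAG trunk that performs its own authentication will no longer provide single sign-on to OWA.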


Hi:

Having the same issue with OWA 2013 through UAG.  When using Basic/NTLM on the Exchange CAS IIS, the sign out does not work and displays the message "To finish signing out, please close all open browser windows". Did you ever sort this out?

May 7th, 2015 12:33am

This topic is archived. No further replies will be accepted.
