On the 28th of September 2015 and the 1st of March 2016 I wrote blog posts about Microsoft fixing the Logoff function in Outlook Web Access when using a 3rd-party reverse proxy, such as a KEMP load balancer or a NetScaler, or even a TMG (which is EOL of course).
Everything worked, except that after applying Exchange 2016 CU4 and up, I noticed that the Logoff button only showed me "To finish signing out, Please close all open browser windows" and after pressing the OK button… nothing happens.
I even tested the latest CU 5, but still nothing happens.
At first I thought the update had overwritten the config files that had the Legacy Log off enabled in them, but after reviewing and searching the file, the syntax had magically disappeared. So from that point, my Google adventure started :)
I ruled out that it had to do with my 3rd party load balancer; I tested both KEMP and NetScaler; same issue observed.
Then I tried it directly, thus bypassing any 3rd-party proxies, and observed the same issue; this confirmed that it was solely a Microsoft Exchange OWA issue. Then I checked with Fiddler and the developer tools of the browser (F12) what happens when I press the Sign Out button; nothing special happens, even the logoff.owa is not called. So the 3rd-party load balancer never had the chance to sign you out, because the logoff.owa URI was never called…
I went back to the Exchange Team blog and saw that this was done by design… but it still didn't work, even after checking and comparing the settings on the TechNet Blog.
I scoured the internet trying to find a solution; I even tried to fiddle the Legacy Log off string into the Exchange config file, but nothing happened.
I even asked the Exchange Team about the issue I had, and they confirmed that it still should work, but it didn't.
Then I bumped into this blog; it explained exactly the issue that I had.
The logoff.owa is only called when you have OWA and ECP configured for Form Based Authentication (FBA) and not basic 401 authentication.
I tested it and it worked again. So this is solved then, right? Well, yes and no.
For my NetScaler it is solved; by not using 401 authentication, setting the Exchange OWA back to FBA with UPN and creating a Form SSO POST action on the NetScaler for Pre-Authentication, signing out worked again using the NetScaler AAA-TM. Check my other post for how to do this.
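An added example, not part of the original post: an Exchange Management Shell script that reports whether the OWA and ECP virtual directories use FBA (the condition under which logoff.owa is called, as described above) and, with `-Fix`, sets them back to FBA with UPN logon. The server name `EX01` and the report column names are placeholders chosen for this example.

```powershell
# Added example. Run in the Exchange Management Shell.
# 'EX01' is a placeholder; pass your own Exchange server name.
param(
    [string]$Server = 'EX01',
    [switch]$Fix    # when set, switch OWA and ECP back to forms-based authentication
)

# Collect the authentication settings of every OWA and ECP virtual directory.
$vdirs = @(Get-OwaVirtualDirectory -Server $Server) +
         @(Get-EcpVirtualDirectory -Server $Server)

$report = foreach ($v in $vdirs) {
    [pscustomobject]@{
        Identity    = $v.Identity
        Forms       = $v.FormsAuthentication
        Basic       = $v.BasicAuthentication
        Windows     = $v.WindowsAuthentication
        LogonFormat = $v.LogonFormat    # only present on OWA directories
        # Per the post: Sign Out only requests logoff.owa when FBA is enabled,
        # so a pre-authenticating proxy can only end its session in that case.
        SignOutCallsLogoff = [bool]$v.FormsAuthentication
    }
}
$report | Format-Table -AutoSize

$broken = @($report | Where-Object { -not $_.SignOutCallsLogoff })
if ($broken.Count -gt 0) {
    Write-Warning "$($broken.Count) virtual directory(ies) without FBA: Sign Out will not call logoff.owa."
}

if ($Fix) {
    # FBA with UPN logon, as used in the post for the NetScaler Form SSO setup.
    Get-OwaVirtualDirectory -Server $Server |
        Set-OwaVirtualDirectory -FormsAuthentication $true -LogonFormat PrincipalName
    Get-EcpVirtualDirectory -Server $Server |
        Set-EcpVirtualDirectory -FormsAuthentication $true
    # The change takes effect after IIS is restarted on the server:
    #   iisreset /noforce
}
```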
But for my KEMP, Sign Out is still broken. The KEMP load balancer Edge Security Pack (ESP) does not have the option to do a Form SSO like the NetScaler can. So when you are using a KEMP load balancer, the Sign Out button does not work as expected, because ESP relies on basic authentication (401) and can't do anything else.
Hopefully the Exchange Dev Team will see this and fix it in the future.