Finally: OWA Form-Based Authentication Logoff Changes in Exchange 2013 Cumulative Update 9 and Up

Update 09-06-2017: This does not work anymore for both Exchange 2013 CU10 and Exchange 2016 CU4 and up; see my other blog article for the details.
Update 01-03-2016: This also applies to Exchange 2016 CU3!

NOTE: This article no longer applies to Exchange 2013 CU10 and Exchange 2016 CU4 and up. Microsoft decided to roll back the feature that was introduced in Exchange 2013 CU9 and Exchange 2016 CU3. Please see my other blog article explaining why and how to resolve it.

Exchange 2013 has a known limitation in its logoff handling for Outlook Web App (webmail).
When you sign out, the client sends a '/owa/logoff.owa' request, but the client wouldn't actually be logged off unless you closed the browser manually.


Microsoft recently announced a change to this. From CU9 onwards it is possible to use the logoff string "/owa/auth/signout.aspx".
Remember: this only works on CU9 and later. Before CU9 the string is not available.


When you configure the Edge Security Pack (ESP) on your LoadMaster, whether with the template or manually, only the OWA SubVS needs the logoff string "/owa/auth/signout.aspx".
The Exchange Control Panel (ECP) uses the same string, but by virtue of content switching the request is sent to the OWA SubVS. For this reason there is no need to configure this logoff string on the ECP SubVS.


For the complete article, open the link above.


Before the change, when you click Sign out in OWA:

  1. The client initiates logoff with a request to “/owa/logoff.owa”

  2. The client then gets a 302 redirect to “/owa/auth/logon.aspx”

And you’re back at the logon page.


After the change you will get this instead. When you click Sign out in OWA:

  1. The client initiates logoff with a request to “/owa/logoff.owa”

  2. The server sends the client a 302 redirect to the landing page “/owa/auth/signout.aspx”


Steps to take if you are running all roles on one machine:

  • Locate the three web.config files at these locations:

    • %ExchangeInstallPath%\FrontEnd\HttpProxy\OWA\web.config

    • %ExchangeInstallPath%\ClientAccess\OWA\web.config

    • %ExchangeInstallPath%\ClientAccess\ECP\web.config


Search for this string:

<add key="LogonSettings.SignOutKind" value="LegacyLogOff" />

and replace it with:

<!-- add key="LogonSettings.SignOutKind" value="LegacyLogOff" /-->

Commenting the setting out removes the LegacyLogOff override, so OWA falls back to the new "/owa/auth/signout.aspx" landing page on sign-out.

After this, recycle the MSExchangeOWAAppPool in Internet Information Services (IIS) Manager on the server.
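The three edits and the app pool recycle above, scripted in PowerShell. This is an added example and not part of the original post or of any Microsoft or Kemp tooling; it assumes it is run in an elevated PowerShell on a single-server (all roles) Exchange 2013 CU9 box, that the ExchangeInstallPath environment variable is set as usual on an Exchange server, and that the WebAdministration module that ships with IIS is available. The function name Disable-LegacyLogOff is made up for this example.

```powershell
# Added example (not from the original post): comment out LogonSettings.SignOutKind
# in the three Exchange web.config files and recycle the OWA application pool.
# Assumptions: elevated session on the Exchange server, $env:ExchangeInstallPath set,
# WebAdministration module present (installed with IIS).
#Requires -RunAsAdministrator
Import-Module WebAdministration

$installPath = $env:ExchangeInstallPath
if (-not $installPath) { throw 'ExchangeInstallPath is not set; run this on the Exchange server.' }

# The three files named in the post.
$configFiles = @(
    (Join-Path $installPath 'FrontEnd\HttpProxy\OWA\web.config'),
    (Join-Path $installPath 'ClientAccess\OWA\web.config'),
    (Join-Path $installPath 'ClientAccess\ECP\web.config')
)

function Disable-LegacyLogOff {
    # Hypothetical helper name; replaces the appSettings entry with an XML comment,
    # which is exactly the manual edit described in the post.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Not found: $Path"
        return $false
    }

    # Exchange setup owns these files: keep a timestamped backup before editing.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $Path -Destination $backup

    # PreserveWhitespace keeps the file's original layout when it is saved back.
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)

    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='LogonSettings.SignOutKind']")
    if (-not $node) {
        Write-Host "Already commented out or absent: $Path"
        return $true
    }

    $value   = $node.GetAttribute('value')
    $comment = $xml.CreateComment(" add key=`"LogonSettings.SignOutKind`" value=`"$value`" /")
    [void]$node.ParentNode.ReplaceChild($comment, $node)
    $xml.Save($Path)
    Write-Host "Commented out LogonSettings.SignOutKind in $Path (backup: $backup)"
    return $true
}

$results = foreach ($file in $configFiles) { Disable-LegacyLogOff -Path $file }

# The setting is read when the worker process starts, so recycle the OWA pool.
if ($results -notcontains $false) {
    Restart-WebAppPool -Name 'MSExchangeOWAAppPool'
    Write-Host 'Recycled MSExchangeOWAAppPool.'
}

# Verification: none of the three files may still carry the active LegacyLogOff line.
foreach ($file in $configFiles) {
    $pattern = '<add key="LogonSettings.SignOutKind" value="LegacyLogOff" />'
    if (Select-String -Path $file -SimpleMatch -Pattern $pattern -Quiet) {
        Write-Warning "LegacyLogOff is still active in $file"
    }
}
```

Run it again after every Cumulative Update, since setup rewrites these web.config files; the verification loop at the end tells you whether the override has come back. The backups are left beside each file so the change can be reverted by copying them back and recycling the pool again.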

 

And don’t forget: the next Cumulative Update will reset this manual modification, so be prepared to do it again after CU10 releases.
Ideally, though, if the reason you are doing this is to allow some third-party app to work, that app should be updated to live with the new behaviour.

 

I recently installed CU10 and I can confirm that you need to redo these steps after the installation of CU10.

 

Thanks for reading and cheers!
David