Channel: Exchange Server 2010 Forum

Exchange 2010 CAS Issue - Outlook clients Autodiscover recurring credential requests at login

Environment:

- Two domains exist: Dom1 and Dom2.  The users log on to Dom1 when logging on to Windows, and on to Dom2 for e-mail, so the Exchange server resides on Dom2.  There is a DNS forwarder set up so that these domains can communicate.

- Mail Server: Exchange 2010 SP2

- Hub Transport + Mailbox Servers (2): MS1, MS2

- Hub Transport + CAS's (2): CAS1, CAS2

- Outlook Anywhere enabled : outlook.domain.com

- Virtual Directories authentication methods in IIS 7 configured according to MS Best Practice

- Network Load Balancing configured on CAS1,CAS2

- Outlook clients are configured with outlook.domain.com in their RPC settings, NTLM authentication

- There is no password expiry policy set on AD user objects on Dom 2

- There is a 60 password expiry policy set on AD user objects on Dom 1

Problem:

Intermittently, users are prompted for their credentials when launching the Outlook client, or they are unable to reach OWA. Inside the network, and outside the network. This only affects some users. The types of users affected are normally users using browsers other than IE (OWA), or users that are working remotely offsite outside of the network (Outlook client).

Detailed description:

Outlook Client:

A user is working remotely and is only connected to the internet, not to domain.com's network where the mail server resides.  When he launches the Outlook 2010 client, at the bottom right the status says: "Trying to connect". A credentials box pops up requesting the user's username and password. The user types in his credentials, the box disappears for a couple of seconds, then pops up again. The user then tries to enter these credentials on the OWA site, and can log in successfully. The user account is not locked out in AD, and performing a get-logonstatistics in PowerShell shows that the client has had a successful login with OWA, but not with the client.

When the user comes back to the office and plugs into the LAN or Wireless network within the domain, the problem resolves itself.

OWA:

A user is working on a laptop connected to the LAN inside the domain.com internal network.  He uses an alternate operating system and internet browser. When browsing to the Outlook Anywhere or OWA address, the user gets a time out. The result is the same with other non-IE browsers.  This issue is also intermittent, and seems to hop from user to user.

Troubleshooting & workarounds:

Outlook client:

-set the user's AD user object to 'password never expires'

-cleared the user's cached credentials for Outlook from User Accounts in Control Panel

or

-user comes into the office and email works fine

OWA:

-perform IIS reset on both CAS's

-clear user's cache in non-IE browser

(this only works for a while, then the browsers start timing out on the OWA site again)

Current status:

I removed CAS2 (recently built, round about the time the problem started) from NLB and removed its Hub Transport Role, which seemed to decrease the non-IE browser OWA issue somewhat.  No issues are being reported by end users from remote sites using the Outlook client, quite possibly because they are using OWA instead until they come back into the office.  All users are therefore currently connecting to CAS1 alone, since the other CAS is not available to them anymore.

Question:

I have configured CAS2 exactly the same as CAS1, all settings are alike, and added it to NLB. Why is CAS2 causing a problem?

Is it in fact CAS2 that is causing the problem?

Where do I start troubleshooting the possibility that it is the NLB and not the CAS2 causing the problem?


Hanneliese Fourie

