[solved] OWA/ECP login loop on Exchange 2010/13/16

On Exchange server, configuring virtual directory might be pain sometime. A simple misconfiguration of Virtual directory might be the worst nightmare and create login loop, because I had this few days back. While configuring additional CAS server  after few changes done on the Virtual directory, my OWA/ECP page start to go on loop whenever I tried to get login. I was on dark what mistake I had made. So, I tried to list down what might the issue that is causing on looping of my OWA/ECP page. While listing down, I have found two things.

  1. SSL Certificate.
  2. Issue with configuration of Virtual Directory.

SSL Certificate can also be the reason behind this kind of issue. So, you need to make sure you do have correct SSL assigned with IMAP, POP, IIS and SMTP. Also 2nd thing is that SSL certificate is across all of your Exchange server. If the issue is with SSL Certificate, you are lucky and can be resolve easily. But with virtual directory it is not so.

On my Earlier Blog, you can find how to configure Virtual Directory. But as going on, I came for the conclusion with that might not be enough if OWA/ECP login loop issue arises. Hence, here I have made an Table with the specific configuration required while configuring the OWA/ECP Virtual Directory.

On the IIS Manager expand to the default web site and check if the configuration you have made are as of the below Table are not.

Table: Chart of Virtual Directory configuration.

Virtual directory

Default IIS Authentication methods

SSL settings

Default authentication methods
Exchange Admin Center (EAC)

HTTP Redirect

Authentication Methods
Exchange Management
Shell (EMS)

Sites \ Default Web Site

• Anonymous authentication

• Not Required

 Available through EAC

YES

 Internal

 External

aspnet_client • Anonymous authentication • SSL required

NO

Autodiscover • Anonymous authentication
• Basic authentication
• Windows authentication
 • SSL required • Integrated Windows authentication
• Basic authentication

No

Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth
ECP

(Exchange Control

Panel)

• Anonymous authentication
• Basic authentication
 • SSL required • Use-forms-based authentication

No

 Basic, Fba  Fba
EWS

(Exchange

Web Services)

• Anonymous authentication
• Basic authentication
 • SSL required • Integrated Windows authentication

No

Ntlm, WindowsIntegrated, WSSecurity, OAuth Ntlm, WindowsIntegrated, WSSecurity, OAuth
Mapi  • Windows authentication  • SSL required  Not available in EAC

No

Ntlm, OAuth, Negotiate Not configured
Microsoft-Server-Active-Sync • Basic authentication  • SSL required • Basic authentication
• Ignore client certificate

No

Not set *
All methods can be used.
Not set *
All methods can be used.
OAB
(Offline
Address Book)
• Windows authentication None available

No

WindowsIntegrated, OAuth WindowsIntegrated, OAuth
OWA (Outlook Web App) • Basic authentication • SSL required  • Use-forms-based authentication
• Domain\user name

No

 Basic, Fba  Basic, Fba
OWA\Calendar • Anonymous authentication • Ignore client certificates None available

No

OWA\Integrated • Windows authentication • SSL required
• Ignore client certificates
None available

No

OWA\oma (Outlook
Mobile
Access)
• Basic authentication • Ignore client certificates None available

No

PowerShell • Windows authentication • Not Required  None set

No

 {}  {}
Rpc
• Basic authentication
• Windows authentication
• SSL required

No

Similarly, only configuration of Default website is not going to solve this issue. Hence you need more Knowledge on configuration of Exchange Back End site too, else you will keep on going loop. Below is the detail configuration you can have on Exchange Back End.

Table: Exchange Back End Virtual Directory Configuration.

Virtual directory IIS Default Authentication methods IIS SSL settings HTTP Redirect
Exchange Back End • Not Required Yes
Autodiscover • Anonymous authentication
• Windows authentication
• SSL required
• Ignore client certificates
No
 ecp • Anonymous authentication
• Windows authentication
• SSL required
• Ignore client certificates
No
 EWS • Anonymous authentication
• Windows authentication
• SSL required
• Ignore client certificates
No
 Exchange* • SSL required
• Ignore client certificates
No
 Exchweb* • SSL required
• Ignore client certificates
No
 mapi* • Anonymous authentication • SSL required
• Ignore client certificates
No
 Microsoft-Server-ActiveSync • Basic authentication • SSL required
• Ignore client certificates
No
 OAB • Windows authentication • SSL required
• Ignore client certificates
No
owa • Anonymous authentication
• Windows authentication
• SSL required
• Ignore client certificates
No
owa\Calender • Anonymous authentication • Ignore client certificates No
 PowerShell • Windows authentication  • SSL required
• Accept client certificates
No
Public* • SSL required
• Ignore client certificates
No
 PushNotifications • Anonymous authentication
• Windows authentication
• SSL required
• Ignore client certificates
No
 Rpc • Windows authentication • Ignore client certificates No
 RpcWithCert • Windows authentication • Ignore client certificates No

I hope this will help you solving the Exchange OWA/ECP login loop issue. 🙂

One Comment

Add a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.