
Exchange OWA Logout with AAA


Gregor Blaj


Hi,

 

I've set up a Netscaler to authenticate users and allow SSO directly into Exchange (2010), which is all working correctly using content switching and a non-addressable authentication server.

 

The issue comes when a user logs off OWA. On log off, the browser goes back to the Netscaler logon screen (which is fine) but then when the next user (or the same user) logs in, the Exchange 2010 'You have successfully signed out of Outlook Web App...' message is displayed (see attached). This does not happen if I close the browser/tab before logging in again.

 

I have tried invalidating NSC cookies (https://www.citrix.com/blogs/2011/11/11/ensuring-secure-logout-for-your-application/) but that hasn't worked. Actually, even if I manually delete all the cookies from the browser (but not close the tab) the next logon doesn't process correctly.

 

If I unbind the logoff traffic policy, then the OWA message is displayed (rather than the Netscaler logon screen) but in that case the Netscaler session isn't closed so I can just click 'back' in the browser and access the mailbox again.

 

What would be the best way of resolving this? Could I somehow use the logoff traffic policy/profile to redirect the session to a Netscaler logoff page (if such a thing exists)?

 

Cheers for any help.

owa logout screen.JPG

logout policy.JPG

logout profile.JPG


7 minutes ago, Rick Roetenberg said:

It might be the default behavior, because when you log off and log in again it will direct back to the last page before logging in.

So if you log off in OWA and browse again in the current tab to the webmail URL, will you see the inbox or the logoff page again?


 

 

Hi Rick,

 

If I log off and then log on again (without closing the browser/tab), I will see the log off page again.

 

1. Bob logs onto OWA (via AAA).

2. Bob logs off (AAA logon page displayed again).

3. Bob logs on > sees OWA log off message.

or

3. James logs on > sees OWA log off message.

 

So regardless of which user logs on next, the OWA log off page is displayed.


22 hours ago, Sam Jacobs said:

Try redirecting to https://<FQDN>/vpn/logout.html

 

I tried adding a logout policy as per the screenshots. If I attach this to the LB VS, I get a 404 error on logout with the URL 'https://.../owa/auth/logoff.aspx?Cmd=logoff&src=exch'. Policy hits are as below during a logout, lines 1 and 4 being the policy I just added.

 

pcp_hits rewrite(repol_owa_logout)
pcp_hits cspolicy(cspol_exchange_owa)
pcp_hits tmtraffic(traffic_pol_exchange_owa_logout)
pcb_hits rewBinding_0_21_lbvip_exchange_http_owa_120(repol_owa_logout)
pcb_hits cs_pol(cspol_exchange_owa)(csvip_exchange_https)

 

logout-action.JPG

logout-policy.JPG


2 hours ago, Sam Jacobs said:

When you get the 404, do you see the redirected URL come up in the browser?

You can also try using "/cgi/logout" (no .html) instead.

 

No, I don't see the redirected URL (screenshot showing what happens when I click logout below). The same thing happens whichever logout path I enter in the action.

Capture.JPG


Hmmm ... looks like it's working *too* well ... it seems that the redirect is invalidating the NetScaler authentication cookie so quickly, that when the logoff.aspx page tries to load, it can't (because the user can't reach that page once the NS cookie has been invalidated).

 

If you log out from OWA when NOT going through the NetScaler, do you get the same files displayed as above?


On 10/8/2018 at 4:26 PM, Sam Jacobs said:

It looks like logoff.aspx is called twice ... first as a redirect, and then a plain GET. I wonder if one can add an HTTP return code to the policy, so that the redirect to "/vpn/logout.html" only happens the second time it's called ... ??

 

Ok, that could work and makes sense to me. I had a play with HTTP.RES.STATUS or HTTP.RES.IS_REDIRECT but I'm not sure how to add those into the policy expression.

 

Rick, could you please explain what the responder policy/action do exactly?


On 1/9/2019 at 1:36 AM, Onno Kuipers said:

Warnox,

 

I have got exactly the same problem. Did you ever solve this problem? How did you solve it?

 

 

I don't think I actually did solve this issue as the project went a different way. You could try Rick's suggestion, which I never tested. If you come across a solution, I would be interested to know what solves it.


Archived

This topic is now archived and is closed to further replies.
