Jump to content
Welcome to our new Citrix community!

Exchange OWA Through NetScaler, Cannot change password. No AAA server

Victor Philipov

Recommended Posts


We have deployed Exchange LB services - OWA,Activesync,ECP..etc- on the NetScaler MPX 12.1.49.

There is no AAA server doing SSO for the exchange services, it is just a Contect switch Vserver going to respective LB servers.

We are having issues with users not being able to change their passwords with OWA.

It throws an error:




It seems when you connect to OWA address: https://ouraddress/owa/#path=/mail , clicking on the Change Password, redirects you to 


Does any kind of redirection policy needs to be configured on the LB OWA server. I have played with the persistence of LB server and changed it to Cookieinsert, but still no joy.

It affects our email only users and they cannot change their passwords.






Link to comment
Share on other sites

Is your content switch failing to direct the /ecp/ change password path to a destination? So, is the issue, that your existing CS policies don't recognize this particular URL pattern and therefore it fails to get directed to a destination? 

As a result, you might need a trace or at least look at request/response headers to see what exact requests are failing and how.  If you are getting any 403 errors because there is not CS policy match, then you could have unhandled content not matching any of your current policies.  

Example, do you have a CS policies that identifies the /ecp content or is this maybe being missed?  Is it actually an error on a dependent object like not handling /cgi content?


Or is it being directed to your exchange servers but some other problem is present?



You also might need to share some of your CS policies and lb vservers that you are using to see if there is an issue with the config.


For reference, see this blog for some examples (there are a few corrections needed, but it illustrates most of the requirements):  https://citrixguyblog.com/2017/07/22/citrix-netscaler-loadbalancing-exchange-20132016-walkthrough-guide/

You might still need a rule to catch paths with /cgi and direct those to the /OWA lb vserver.  It may not be in the original blogs policy list.

Link to comment
Share on other sites

Hi Rhonda,


It is fairly simple configuration with no AAA.  We have content switching policies for the respective exchange virtual directory + one that checks for the domain portion of the url and then the action goes to the OWA LB server, so that users don't have to write "mail.domain.com/OWA" to go the OWA page where the authentication happens.

I have attached the policies.



Link to comment
Share on other sites

So, you might want to add a default cs destination and then see if any traffic is hitting it to identify any unhandled requests.

Double check the persistence requirements are being met for the mapi/rpc, acdtivesync, and autodiscover services.  I *think* issues with mapi/rpc might affect the change password. But if not, hopefully someone else can weigh in.  The blog referenced above should include this lb method/persistence requirements as well.

Link to comment
Share on other sites

  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...