We just added a Network Load Balancing (NLB) device to our two Exchange Server 2003 front-end machines. We have forms-based authentication enabled. The problem is that after 5 minutes of inactivity, users are forced back to the Outlook Web Access (OWA) logon page. How can I stop this from happening?
Load-balancing devices can associate a client with a particular server in several ways; some do so only for a limited time and then redistribute the client's later requests, possibly to a different server. Rebalancing of incoming connections can be triggered by the number of requests, the amount of bandwidth consumed, or the elapsed time. From your description of the problem, my guess is that your NLB device is redirecting the client's requests from one server to another after its 5-minute timeout period elapses. Because forms-based authentication is enabled, this redirect leads to the following scenario:
- Client A logs on to OWA. The NLB device redirects the logon request to Server 1, which accepts the user's credentials, validates them, and returns an encrypted cookie to Client A.
- Client A makes a second request after the NLB timeout period. Depending on the NLB configuration, this request might go to Server 1 or to Server 2. If the NLB device redirects the client's request to Server 2, the forms-based authentication cookie that Server 1 issued—and which only Server 1 can decrypt—will be invalid, and Server 2 will display the forms-based authentication dialog box.
To fix the problem, configure your NLB device to send all requests from any one client IP address to the same server. (The method you use for doing so will depend on your NLB device.) Requests will still be spread across however many front-end servers sit behind the NLB device, but once a client makes an initial request, its subsequent requests will be directed to the same server. For a list of NLB-related articles, visit the Windows IT Pro Web site at http://www.windowsitpro.com and enter "Network Load Balancing (NLB)" in the Keyword Search box.
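The scenario above, as an added simulation that is not part of the original column and contains no Exchange code: two toy front-end servers each hold a locally generated cookie key that is never shared (a stand-in for the per-server encrypted FBA cookie), and a toy balancer either drops a client's server assignment after an inactivity timeout (the behaviour diagnosed above) or pins the client IP permanently (the fix). The server names, the 5-minute timeout, the client IP and the request times are constructed for the example.

```python
"""Why an OWA forms-based-authentication cookie stops working when the
balancer moves a client to another front-end, and why per-client-IP affinity
fixes it. Constructed example; the cookie format (HMAC tag under a per-server
key) is a stand-in for Exchange 2003's per-server encrypted FBA cookie."""

import hashlib
import hmac
import secrets


class FrontEnd:
    """One OWA front-end. Its cookie key is generated locally at start-up and
    never shared, so a cookie it issues is opaque to every other front-end."""

    def __init__(self, name):
        self.name = name
        self._key = secrets.token_bytes(32)  # per-server key (assumed unique)

    def logon(self, user, password):
        """Validate credentials (stubbed: any non-empty password) and issue a cookie."""
        if not password:
            return None
        tag = hmac.new(self._key, user.encode(), hashlib.sha256).hexdigest()
        return f"{user}:{tag}"

    def handle(self, cookie):
        """Return what the request gets: the mailbox view or the logon form."""
        if cookie is None:
            return "LOGON_FORM"
        user, _, tag = cookie.partition(":")
        expected = hmac.new(self._key, user.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, expected):
            return f"MAILBOX({user})@{self.name}"
        return "LOGON_FORM"  # issued by another front-end: cannot be validated here


class Balancer:
    """Toy load balancer with a per-client-IP affinity table.

    affinity_timeout: seconds an IP stays pinned to its server after its last
    request; when it elapses the next request is reassigned round-robin.
    None pins the IP permanently (the configuration recommended above)."""

    def __init__(self, servers, affinity_timeout):
        self.servers = servers
        self.timeout = affinity_timeout
        self._table = {}  # client_ip -> (server_index, last_seen)
        self._rr = 0

    def pick(self, client_ip, now):
        entry = self._table.get(client_ip)
        if entry is not None:
            idx, last = entry
            if self.timeout is None or now - last <= self.timeout:
                self._table[client_ip] = (idx, now)
                return self.servers[idx]
        # No live affinity entry: assign the next server round-robin.
        idx = self._rr
        self._rr = (self._rr + 1) % len(self.servers)
        self._table[client_ip] = (idx, now)
        return self.servers[idx]

    def forward(self, client_ip, cookie, now):
        return self.pick(client_ip, now).handle(cookie)


def owa_session(affinity_timeout, client_ip="203.0.113.10"):
    """Log on at t=0, then send follow-up requests 1 and 7 minutes later.
    Returns the page each follow-up request received."""
    servers = [FrontEnd("FE1"), FrontEnd("FE2")]
    lb = Balancer(servers, affinity_timeout)
    cookie = lb.pick(client_ip, now=0).logon("alice", "correct horse")
    return [lb.forward(client_ip, cookie, now=t) for t in (60, 420)]


if __name__ == "__main__":
    # 5-minute affinity timeout: the request after 6 idle minutes lands on FE2,
    # which cannot validate FE1's cookie and re-presents the logon form.
    print("300 s timeout:", owa_session(300))
    # Permanent per-IP affinity: both follow-ups reach FE1 and stay logged on.
    print("pinned by IP: ", owa_session(None))
```

One caveat when you apply source-IP affinity on a real device: all clients that share one address (a corporate proxy or NAT gateway) are pinned to the same front-end, so the spread across servers can become uneven; the sessions stay intact, but watch the per-server load after the change.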