Sunday, January 29, 2012

Exchange 2010 SP2 Breaks OWA

The other day we decided it was time to apply SP2 to our Exchange 2010 SP1 environment (in pre-production first, of course). After installing it on one CAS server without any issues, it was time to test that OWA, ECP, etc. were working fine.

We have hardware load balancers in front of our CAS servers and we also do SSL offloading, so to test it we connected directly to the CAS server:
  1. OWA opened fine. We could navigate through all the e-mails in the Inbox folder without any problems;
  2. We noticed that the integration with OCS wasn’t working… After checking all the configurations, everything seemed to be correct;
  3. The ECP was working without any problems;
  4. But whenever we selected a different folder in OWA, we would get the following error message:

After a while, we noticed that by using HTTP://CASserver/OWA we would experience all these problems but if we used HTTPS everything would work fine!

So we checked IIS settings regarding SSL, Certificates, SSL Offloading and the OWA Virtual Directory configuration but everything was as before!...

It was only when we compared the web.config file for OWA that we noticed something different:

SP2 introduces a new key called httpCookies:
<!-- Require all cookies to be sent over SSL only. This config applies only to DataCenter where HTTPS is required (PS: 445778) -->
<httpCookies httpOnlyCookies="false" requireSSL="true" domain="" />

Although in IIS the Default Web Site is set to require SSL and the OWA virtual directory is set not to require SSL, this setting seems to take precedence and makes OWA require SSL. For this reason, we were getting all those problems when using HTTP only...
After changing requireSSL="true" to requireSSL="false", everything was back to normal!

According to Microsoft, this is a new feature in SP2 to simplify the Outlook Web App URL (in most scenarios).
The Exchange 2010 SP2 Release Notes mention this, and we missed it:
If you’re using redirection for Outlook Web App and aren’t requiring Secure Sockets Layer (SSL), redirection will fail after the Client Access server is upgraded to Exchange 2010 SP2. To avoid this problem, after you’ve completed the upgrade to Exchange 2010 SP2, modify the Outlook Web App web.config file. For directions, go to “Use IIS Manager and Notepad to simplify the Outlook Web App URL when SSL isn’t required” in Simplify the Outlook Web App URL. You don’t have to make any changes in IIS Manager to prevent redirection from failing. You just have to modify the web.config file.

Bottom line: always read everything in the release notes and always test it before implementing any change/rollup/SP in your production environment!
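
A way to check the setting described above on a CAS server, as an added example that is not part of the original post. The function name `Get-OwaCookiePolicy` is hypothetical, the default path assumes Exchange is installed under %ProgramFiles%, and the sample file is constructed.

```powershell
# Added example, not from the original post. Get-OwaCookiePolicy is a hypothetical name.
function Get-OwaCookiePolicy {
    [CmdletBinding()]
    param(
        # Assumption: Exchange sits under %ProgramFiles%; the rest of the path is
        # the default OWA location given in the comments on this post.
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$Path = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V14\ClientAccess\Owa\web.config')
    )
    process {
        foreach ($file in $Path) {
            $xml = New-Object System.Xml.XmlDocument
            $xml.Load((Resolve-Path -LiteralPath $file).ProviderPath)
            # local-name() keeps the lookup working if the file declares a default namespace.
            $node = $xml.SelectSingleNode("//*[local-name()='httpCookies']")
            # A missing element or attribute means the ASP.NET default, which is false.
            $requireSsl = ($null -ne $node) -and ($node.GetAttribute('requireSSL') -eq 'true')
            $httpOnly   = ($null -ne $node) -and ($node.GetAttribute('httpOnlyCookies') -eq 'true')
            New-Object PSObject -Property @{
                Path            = $file
                ElementPresent  = ($null -ne $node)
                RequireSSL      = $requireSsl
                HttpOnlyCookies = $httpOnly
                # requireSSL="true" makes ASP.NET add the Secure attribute to cookies,
                # and browsers do not send Secure cookies on http:// requests.
                CookiesSentOverHttp = -not $requireSsl
            }
        }
    }
}

# Constructed sample: a minimal web.config holding the SP2 element quoted in the post.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'owa-web.config.sample'
@'
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" requireSSL="true" domain="" />
  </system.web>
</configuration>
'@ | Set-Content -LiteralPath $sample
Get-OwaCookiePolicy -Path $sample | Format-List
```

Piping a list of web.config paths into the function gives one row per file, which makes it easy to compare servers before and after the service pack.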


  1. Hi,

    Yes, this requireSSL attribute was missed by several people during migrations/updates to SP2. And it is surely essential to follow the release notes and some good blogs like "letsexchange" and "thoughtsofanidlemind" to be on the safer end. Alternatively, you should consult with professional companies to help you with the migration process.


  2. Hi. Thanks for your comment and compliment! You are absolutely right. It was my fault to be honest... I should have read everything in the release notes... Well, it won’t happen again! :) Cheers, Nuno

  3. What is the location of this web.config file?


    1. Hi,

      The default location of the Outlook Web App web.config file is: \Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa.

      Regards, Nuno