OWA published through WAP with ADFS pre-authentication doesn't redirect to the ADFS login page after the ADFS SSO token expires

Applies to: Exchange Server 2016 Enterprise Edition, Exchange Server 2013 Standard Edition, Exchange Server 2013 Enterprise

Symptoms


In a Microsoft Exchange Server 2013 or Exchange Server 2016 environment, you publish Outlook Web App (OWA) through Web Application Proxy (WAP) and enable Active Directory Federation Services (ADFS) pre-authentication. When you log on to OWA and then leave the session idle for a certain time, you experience these symptoms:

  • You do not receive any new email or notifications, unless you manually refresh the webpage.
  • When you click the navigation menu or any button in OWA, you receive connectivity error messages such as “Your request can't be completed right now. Please try again later.”

Cause


This issue occurs because the Single Sign-On (SSO) authentication token from ADFS (whose validity period is controlled by the ADFS SsoLifetime attribute) has expired. WAP answers OWA's subsequent requests with an HTTP 307 response that redirects the user to ADFS for re-authentication, but OWA doesn't process this response, so the user remains unauthenticated.

Workaround


This is a known issue and will be fixed in a future release. To work around this issue, publish OWA through WAP by using pass-through authentication instead of ADFS pre-authentication.
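To confirm whether an OWA publication is affected, the following Windows PowerShell check (added here; it is not part of the original article) lists WAP applications that publish an /owa path together with their pre-authentication mode and reads the SsoLifetime value from the AD FS server. It assumes it runs on the WAP server, that ADFS01 is a placeholder for your AD FS server name, and that the account can run Get-AdfsProperties remotely over PowerShell remoting.

```powershell
# Added example: report OWA publications that use ADFS pre-authentication
# together with the AD FS SsoLifetime that governs when the symptom appears.
# Run on the Web Application Proxy server. "ADFS01" is a placeholder name.
function Get-OwaPreauthReport {
    param(
        [Parameter(Mandatory)] [string] $AdfsServer
    )

    # SsoLifetime is kept in minutes on the AD FS server; read it remotely.
    $ssoLifetime = Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
        (Get-AdfsProperties).SsoLifetime
    }

    # Only publications whose external path starts with /owa are relevant here.
    $owaApps = Get-WebApplicationProxyApplication |
        Where-Object { ([uri]$_.ExternalUrl).AbsolutePath -match '^/owa' }

    foreach ($app in $owaApps) {
        [pscustomobject]@{
            Name                = $app.Name
            ExternalUrl         = $app.ExternalUrl
            Preauthentication   = $app.ExternalPreauthentication
            # The symptom described in this article applies only to
            # publications that use ADFS pre-authentication.
            AffectedByThisIssue = ($app.ExternalPreauthentication -eq 'ADFS')
            SsoLifetimeMinutes  = $ssoLifetime
        }
    }
}

Get-OwaPreauthReport -AdfsServer 'ADFS01' | Format-Table -AutoSize
```

An idle OWA session that starts failing roughly SsoLifetimeMinutes after sign-in, on a publication reported with Preauthentication = ADFS, matches the cause described above.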