Secure SameSite cookies for Exchange 2016


I recently upgraded to Exchange 2016 CU17 (from CU10), and ever since then I get a login loop on my OWA and ECP pages, but only when using a Chrome browser. Further inspection shows that the SameSite cookie attribute is set to "None", but in order for it to work as "None", the cookie also has to be set as Secure.

I tried performing the steps in the content rules documentation, section 6.6. I set up this content rule and then placed it within the /ecp SubVS for testing. I tried it in both the Request Rules and Response Rules sections, but I'm still left with a login loop in Chrome.

I am running the LM2400 in front of the Exchange server and it is performing the SSL offload.

Any tips would be greatly appreciated.

1 comment

Nick Smylie

Hi @dan.benson

Typically any 'login loops' we encounter with Exchange are due to certificate mismatches between the LM and one or more of the Exchange servers.  They ALL need to have the same cert on there.

As a test, could you try setting persistence for OWA and ECP inside of those SubVSs?  Source IP or active cookie should work just fine.

If that gives you better results I would double check all certs between all devices.  Make sure the fingerprint/SN matches up between them all.  If this does fix the issue, I do not recommend leaving persistence on for Exchange.  It is not recommended nor needed.  This is merely a test.

For your original question about the content rule: that will have to go under the Response Rules, since the 'set-cookie' header is a response header.  A good way to check if that rule is working is to open dev tools by pressing F12, go to the Network tab, and find the 'set-cookie' header in one of those requests.

However, as stated above, I do not believe the cookie is the issue.  As a start, set persistence and then see if we get better results.  We can go from there.
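As an added example for this thread (not Kemp's, Exchange's, or either poster's code), here is the check the reply suggests doing by eye in dev tools, plus the rewrite a response-side content rule is meant to perform, written in Python over a constructed set of response headers. Chrome rejects a cookie that says SameSite=None but lacks the Secure attribute, so if the server re-issues that cookie on every response the session never sticks, which is the mechanism the question suspects. Where TLS is terminated on the load balancer, the backend sees plain HTTP and is unlikely to mark its cookies Secure itself, so the offload point is the natural place to add the flag. Cookie names and values below are invented; nothing is copied from an actual Exchange response.

```python
"""Check Set-Cookie headers for Chrome's "SameSite=None requires Secure" rule.

Added example for this thread, not Kemp's or Exchange's own code. The
cookie names and values in SAMPLE_HEADERS are constructed for illustration.
"""
from typing import List, Tuple

Header = Tuple[str, str]


def parse_set_cookie(header: str) -> Tuple[str, List[str]]:
    """Split a Set-Cookie value into (cookie name, [attribute strings])."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    return name, parts[1:]


def needs_secure(header: str) -> bool:
    """True when the cookie says SameSite=None but carries no Secure flag.

    Chrome drops such a cookie outright; attribute matching is
    case-insensitive and tolerates spaces around '='.
    """
    _, attrs = parse_set_cookie(header)
    normalized = [a.replace(" ", "").lower() for a in attrs]
    return "samesite=none" in normalized and "secure" not in normalized


def add_secure(header: str) -> str:
    """Return the header with '; Secure' appended when needs_secure() holds."""
    if not needs_secure(header):
        return header
    return header.rstrip(" ;") + "; Secure"


def audit(headers: List[Header]) -> List[str]:
    """Names of cookies in a response that Chrome would reject."""
    return [parse_set_cookie(v)[0] for n, v in headers
            if n.lower() == "set-cookie" and needs_secure(v)]


def fix_response_headers(headers: List[Header]) -> List[Header]:
    """Apply add_secure() to every Set-Cookie header, leaving the rest alone."""
    return [(n, add_secure(v) if n.lower() == "set-cookie" else v)
            for n, v in headers]


# Constructed sample: what a backend that only sees plain HTTP behind a TLS
# offloader might emit. Names and values are invented for this example.
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/owa; HttpOnly; SameSite=None"),
    ("Set-Cookie", "csrftoken=xyz789; Path=/ecp; SameSite=None; Secure"),
    ("Set-Cookie", "pref=dark; Path=/; SameSite=Lax"),
]

if __name__ == "__main__":
    print("rejected by Chrome:", audit(SAMPLE_HEADERS))
    for name, value in fix_response_headers(SAMPLE_HEADERS):
        print(f"{name}: {value}")
```

Run it against headers copied from the dev tools Network tab (Response Headers of the OWA or ECP document request) to confirm whether the content rule is taking effect: if audit() still names a cookie after the rule is in place, the rule is not matching or is attached on the request side.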