Symptoms
Exchange ActiveSync (EAS) devices continue to synchronize after their account has been disabled. Devices also connect using an old password, after the password has been changed.The main issue of concern is that if a user is terminated and just their AD account is disabled, that once their AD account is disabled it’s believed that the user is now stopped from being able to access anything using Windows Authentication, such as Exchange). However, that may not necessarily be true…especially with ActiveSync.
Why Does This Happen?
One of the main reasons is due to the way ActiveSync keeps a connection open to the server to watch for new messages. That connection has already authenticated and has been validated…so while the AD count may be disabled, all Exchange knows is that the user HAD rights to the mailbox and is continuing to use that connection. Eventually, the “life” of that authentication expires and the user has to re-authenticate (which is all done transparent to the user) and if the account was disabled, the re-authentication will fail and the user will no longer be able to sync. ActiveSync devices with their long heartbeat intervals and token cache can still allow access up to 24 hours after an AD account has been disabled.We have two component involved which does the authentication viz F5 APM (Pre-authentication) and IIS authentication.
The main component/feature of IIS involved is User Token Caching in IIS. Default is 15 mins, that means, if connection is made within 15 mins of last connection, the cached token information is reused instead of checking with AD. It will take 8 to 24 hours for IIS to reset token caching.
In F5 APM, expiration time for authenticated session is inactivity timeout which is 15 Minutes by default and maximum session timeout is 7 days by default which will force session to re-authenticate.
However, as DirectPush in ActiveSync maintains an open connection to server, inactivity timeout on F5 never reaches and in IIS, cached token will be re-used.
So even after AD account is disabled, user can still sync the emails until maximum session timeout which is 7 days or when IIS re-authenticates the request (after it resets cached token) which could be around 8 to 24 hours.
Resolution
According to my study, there are two solutions that we can implement to resolve this scenarios.1. Reduce Maximum Session timeout (F5 APM) to a less value like 15 min or 30 mins
2. Reduce token caching in IIS (Not recommended)
Reduce Maximum Session Timeout
We are using APM feature in F5 which pre-authenticates the session before traffic can be sent to Exchange servers.In APM, two timeout settings are available
1. Inactivity Timeout
The Inactivity Timeout setting controls how long a client can keep a live session without sending traffic. Timeout counter is updated after session is updated or client sends traffic before timeout value is reached. Once timeout value is reached, APM will terminate the session.For example, if user sje1 is connected and authenticated at , session’s start time will be current time and session’s expiration time will be timeout value after start time. (In our case, timeout value is selected as 15 mins as default)
The expiration value keeps updating as timeout counter of inactivity timeout keeps updating itself after session is updated with client traffic.
For ActiveSync devices, it keeps connection open with long their heartbeat, resulting inactivity timeout will keep extending every second by 15 mins.
So in nominal scenario, APM session will not be terminated until activeSync device is connected.
2. Maximum Session Timeout
The Maximum Session Timeout setting configures a limit on the maximum amount of time a user’s session is active without needing to reauthenticate. Default value is 7 days.With default value, user’s session can be active maximum upto 7 days. After 7 days, user’s session will be forcefully reauthenticated.
During my testing, I have setup this value to 12 mins. The main difference that this value would be resulting is, it will set expiration time for this session to 12 mins after start time.
After I setup this value to 12 mins, after every 12 mins, APM forcefully reauthenticates all sessions. And if during this time, AD account is disabled or AD account password is changed, at the expiration time, APM will reauthenticates the session. If user account is disabled, APM will deny the request for session and if password is changed, new password needs to be updated on Activesync device.
Although reauthentication process is transparent to all other users, this will put some load on domain controllers.
Reduce token caching time in IIS
In IIS, we can reduce token caching. But this means for every request within that period, IIS will authenticate the session with Domain controllers. This is will put lot of load on Server and Domain controller. This option will impact performance. This option is not recommended by microsoft.
No comments:
Post a Comment