Cookies, OWA, Exchange 2016, and Third Party Software

Recently, we had a very interesting, long-running case in Exchange. The symptoms had many Exchange engineers scratching their heads, trying to figure out what was going on, and where.

Symptoms: 

The customer originally called in with OWA issues on Exchange 2016, running in coexistence with Exchange 2010 while they transitioned. In this case, the customer had Exchange 2016 on-premises and was using ADFS for authentication to OWA. Once users signed in to OWA, if they closed the browser and attempted to sign in again, the session timed out immediately and they were unable to sign back in. However, if you cleared all the cookies and browser history, you could log in to OWA one time; the next person then had to clear the cookies before logging in again.

What made it even harder to troubleshoot was that the issue only occurred when we hit a front-end server other than the one where the mailbox was, so the request had to be proxied to that server.

Technical Breakdown: 

What we discovered during troubleshooting was that we were seeing two TimeWindow cookies. One was for the /owa directory, the other was for the / directory. This resulted in one of the cookies not being cleared in a proxy scenario. We ended up taking a Fiddler trace, as normal browser debugging was not showing us what we needed to see. Based on that, we were able to take an iDNA trace, which showed that the customer had a third-party add-in that was generating the second TimeWindow cookie and not clearing it.
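
The check described above can be run over Set-Cookie headers exported from a trace. This is an added example, not code from the case or from Exchange: it replays the headers into a cookie jar and reports any cookie name that was set on more than one path and still has a live copy at the end. The header values in SAMPLE_TRACE are constructed, and which path keeps the leftover copy is an assumption of the sample; only the name TimeWindow and the paths /owa and / come from the case.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie values in trace order: sign-in, then sign-out.
SAMPLE_TRACE = [
    "TimeWindow=aaa; path=/owa; secure; HttpOnly",
    "TimeWindow=bbb; path=/; secure",
    "Other=1; path=/owa",
    "TimeWindow=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/owa",
    "Other=; Max-Age=0; path=/owa",
]

def parse_set_cookie(header):
    """Return (name, path, is_deletion) for one Set-Cookie header value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    path, deletion = "/", False  # assumption: a missing Path counts as "/"
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "path" and val:
            path = val
        elif key == "max-age" and val.lstrip("-").isdigit():
            deletion = deletion or int(val) <= 0
        elif key == "expires":
            try:
                when = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue  # unparseable date: treat as not a deletion
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            deletion = deletion or when <= datetime.now(timezone.utc)
    return name, path, deletion

def leftover_duplicates(headers):
    """Cookies set on more than one path that still have a live copy."""
    seen, jar = {}, set()  # jar keyed by (name, path); a single host is assumed
    for header in headers:
        name, path, deletion = parse_set_cookie(header)
        seen.setdefault(name, set()).add(path)
        if deletion:
            jar.discard((name, path))  # a deletion only matches the same path
        else:
            jar.add((name, path))
    return sorted(c for c in jar if len(seen[c[0]]) > 1)

if __name__ == "__main__":
    for name, path in leftover_duplicates(SAMPLE_TRACE):
        print(f"{name} still set for path {path}")
```

An expiring Set-Cookie only removes the copy whose path matches, which is why a same-named cookie on another path survives sign-out and is sent again on the next request.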

Fix:

Ultimately, it was an issue with the third-party software not handling cookies correctly. Once we uninstalled the customer's third-party software, the issue was resolved.