Exchange 2010 SP2 RU1 and CAS-to-CAS Proxy Incompatibility

Update 04/23/12: we have updated this blog post to indicate that fixes for this issue have been released. Please see below table or our announcements for release of Exchange 2010 SP2 RU2 and Exchange 2007 SP3 RU7

We wanted to give you a heads up regarding a change in CAS to CAS proxy behavior between servers running Exchange 2010 SP2 RU1 and servers running older versions of Exchange.

The SP2 RU1 package introduced a change to the user context cookie which is used in CAS-to-CAS proxying. An unfortunate side-effect is a temporary incompatibility between SP2 RU1 servers and servers running earlier versions of Exchange. The change is such that earlier versions of Exchange do not understand the newer cookie used by the SP2 RU1 server. As a result, proxying from SP2 RU1 to an earlier version of Exchange will fail with the following error:

Invalid user context cookie found in proxy response

The server might show exceptions in the event log, such as the following:

Event ID: 4999
Log Name: Application
Source: MSExchange Common
Task Category: General
Level: Error
Description: Watson report about to be sent for process id: 744, with parameters: E12, c-RTL-AMD64, 14.02.0283.003, OWA, M.E.Clients.Owa, M.E.C.O.C.ProxyUtilities.UpdateProxyUserContextIdFromResponse, M.E.C.O.Core.OwaAsyncOperationException, 413, 14.02.0283.003.

Not all customers are affected by this. But since we received a few questions about this, we wanted to let you know about the change. Many Exchange customers do not use proxying between Exchange 2010 and Exchange 2007 but rather use redirection, which is not affected by the change. However, if you are using CAS-to-CAS proxying, where an Exchange 2010 SP2 RU1 Client Access server is proxying to an earlier version of Exchange 2010 or Exchange 2007 Client Access server, then you are affected by the change.

If you are affected after application of Exchange 2010 SP2 RU1, please see the below table for the solution to this problem.

Server proxy version Server being proxied to Action to take (updated!)
Exchange 2010 SP2 RU1 Any version of Exchange 2010 older than SP2 RU1 Apply Exchange 2010 SP2 RU2, as announced here.
Exchange 2010 SP2 RU1 Exchange 2007 Apply Exchange 2007 SP3 RU7, as announced here.

The Exchange Team

Comments (18)
  1. qwerty says:

    Where can I download the E2007 IU ?

  2. @Qwerty – please call into support to obtain.

  3. Raveendran Chinnasamy says:

    Thanks for the update  .  Why exchange Product team QA  didnt test   properly  for all scenarios ?

  4. Bharat Suneja [MSFT] says:

    @qwerty: In general, interim updates are only available by calling support.

    We'll announce when this IU for Exchange 2007 is avaialble. The post has been updated.

  5. Charles Derber says:

    Any reason for the changes on CAS-CAS proxy @2010 SP2 RU1…?

  6. Andrei Kondrashov says:

    Am I right that OWA CAS-to-CAS proxying was always possible only if SP and RU levels are exactly the same on the proxying CAS and on the CAS to which it is proxying? And if yes, then what is the meaning of this article?  Maybe this SP2 RU1 feature will break proxying for ActiveSync (which works when SP and RU levels are different as opposed to OWA proxying)?

  7. Karsten says:

    Just to make shure – a combination of Webmail of Exchange 2010 and 2003 is not affected?

  8. Andrei Kondrashov says:

    @Karsten: 2010 is not capable of proxying OWA to 2003. It always redirects.

  9. Greg Taylor [msft] says:

    @ Andrey – CAS is normally able to proxy to older versioned CAS accross AD sites. So SP1 can proxy to RTM for example. However withthis change we have moved the lowest version we will proxy to, to equal the version installed on the calling CAS. So now it's SP2 RU1 > SP2 RU1 minimum. With the next RU2 that should not change (though as with all these things, we may need to for some reason), so then SP2 RU2 > SP2 RU1 should work ok.

    And this change only affected OWA. So no impact to ActiveSync.

  10. SR says:

    So with RU2 I see that RU2-RU1 proxying will work. But will proxying from Exch 2010 SP2 RU2 to Exchange 2007 (or versions below Exch 2010 SP1 RU1) also work?

    We plan to use CAS-CAS proxying between Exch 2010 and Exch 2007 until we migrate off of Exch 2007.

    So we would like to know if we HAVE to plan for the IU on Exch 2007 or whether RU2 will restore this backward compatibility in proxying. Thanks in advance.

  11. Greg Taylor [msft] says:

    SR – you will need the fix for 2007 once it is available. 2010 SP2 RU1 and onwards will require SP2 RU1 as a minimum on 2010 servers and the 2007 update for 2007 CAS.

    If you want to remove RU1 until you have the 2007 patch that will get everything back working again.

  12. Andrei Kondrashov says:

    @ Greg Taylor [msft]: Regarding "CAS is normally able to proxy to older versioned CAS across AD sites. So SP1 can proxy to RTM for example". For example, just tried to proxy from SP2 (w/o RU1) to SP1 (no RUs). The result in OWA: "Outlook Web App isn't available. If the problem continues, please contact your helpdesk."

    And the event is in the App log. So what should I test next to prove either your or my opinion? :)

    Log Name:      Application

    Source:        MSExchange OWA

    Date:          2/20/2012 4:46:19 PM

    Event ID:      136

    Task Category: Proxy

    Level:         Error

    Keywords:      Classic

    User:          N/A

    Computer:      EXCAS1.qwerty. qwerty


    The sign-in to Outlook Web App failed. User /o= qwerty /ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user4 has a mailbox on server version. However, no Client Access server or front-end server with a matching version was found to handle the request.

    For users on Exchange 2007 and above, you can configure the Outlook Web Access URL for redirection using the externalURL parameter on the Exchange /owa virtual directory.

  13. Andrei Kondrashov says:

    OK, I’ve finally got it. While testing e2010 SP2RU0 to e2010 SP1RU6 OWA proxying scenario, and getting the same error about the proxying failure, I noticed the additional event in the Application log (see at the end of the post) which tells us that we need to copy OWA folder with the older OWA code to the proxying server. That was something new for me. And after that the proxying issue to an older OWA version was resolved. But this technic does not work for SP2RU1 and while trying to proxy I’m getting the error explained in this Exchange Team’s blog post.

    = = =

    Log Name:      Application

    Source:        MSExchange OWA

    Date:          2/21/2012 7:28:59 AM

    Event ID:      46

    Task Category: Proxy

    Level:         Error

    Keywords:      Classic

    User:          N/A

    Computer:      EXCAS1.qwerty.qwerty


    Client Access server "https://excas1/owa&quot;, running Exchange version "",  is proxying Outlook Web App traffic to Client Access server "exhcm.qwerty.qwerty", which runs Exchange version "14.1.355.2". To ensure reliable interoperability, the proxying Client Access server needs to be running a newer version of Exchange than the Client Access server it is proxying to. If the proxying Client Access server is running a newer version of Exchange than the Client Access server it is proxying to, the proxying Client Access server needs to have an Outlook Web App resource folder (for example, "<Exchange Server installation path>)ClientAccessowa8.0.498.0" that contains all the same versioned resource files as the Client Access server it is proxying to. If you will be running Outlook Web App proxying with mismatched server versions, you can manually copy this resource folder to the proxying Client Access server. After you copy this resource folder to the proxying Client Access server, you need to restart IIS before proxying will work.

  14. Greg Taylor [msft] says:

    That's right. That copying of files was (sometimes) needed in the past, and you are right, it won't work for RU1. Sorry.

  15. Eesi says:

    support told us that the interim will be finished in 3+ weeks, that generates a lot of trouble for us.

  16. Garry Trinder says:

    Difficult to understand. How can you a) change a cookie without any testing? And b) how can it take 4-5 weeks to fix it?

    Currently most Exchange updates are breaking more than they're fixing…

  17. 02dag says:

    Is there any updates regarding the fix? Is uninstalling RU1 really a wise thing to do?

  18. Robert Howell says:

    Our preference is to not do anything on our Exchange 2007 servers as they will be retired as soon as we move all mailboxes to Exchange 2010.  It is not clear to me from the table if we need to apply 2010 SP2 RU2 -AND- 2007 SP3 RU7 or if we only need to apply 2010 SP2 RU2.   Will you clarify?

Comments are closed.