Forum Discussion
mikeshimkus_111
Jul 03, 2014
Historic F5 Account
In order to know that you have an existing session, the servers need to be able to decrypt the auth cookie and for that they all need the same cert. Otherwise, they will return you the logon page. It works with a single pool member because that server has the correct cert. From http://theucguy.net/exchange-server-2013-load-balancing/:
"The OWA client hands the cookie to the server with any new requests. In this case, it doesn’t matter if the new request is handled by a different CAS server, as that server is capable of decrypting the cookie with its private key, as all CAS servers have the same certificate.
As the authentication cookie is successfully decrypted irrespective of which CAS 2013 server it hits, the user or client is not challenged to authenticate again with an FBA page."
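One way to check the condition described in the post above, as an added example that is not part of the original post: collect the certificate each pool member presents and flag any member whose thumbprint differs from the rest. The hostnames and certificate bytes are constructed samples, and the check assumes the certificate a member serves over HTTPS is the one it uses for the auth cookie.

```python
import hashlib
import ssl
from collections import Counter


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER certificate, the value Windows displays as 'Thumbprint'."""
    return hashlib.sha1(der).hexdigest().upper()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a pool member presents (connect to the member
    directly, not the virtual server). The chain is not validated because the
    certificate is only compared, never trusted."""
    pem = ssl.get_server_certificate((host, port), timeout=5)
    return ssl.PEM_cert_to_DER_cert(pem)


def mismatched_members(certs: dict[str, bytes]) -> dict[str, str]:
    """Return {member: thumbprint} for every member whose certificate differs
    from the one most members present. An empty dict means all members match.
    On a tie, the certificate seen first is treated as the reference."""
    prints = {member: thumbprint(der) for member, der in certs.items()}
    if not prints:
        return {}
    majority, _ = Counter(prints.values()).most_common(1)[0]
    return {m: tp for m, tp in prints.items() if tp != majority}


# Constructed sample: stand-in bytes instead of real DER certificates,
# keyed by hypothetical pool member names, so the check runs offline.
SAMPLE = {
    "cas01.example.test": b"constructed-cert-A",
    "cas02.example.test": b"constructed-cert-A",
    "cas03.example.test": b"constructed-cert-B",
}

if __name__ == "__main__":
    # Live use: certs = {host: fetch_der(host) for host in SAMPLE}
    odd = mismatched_members(SAMPLE)
    for member, tp in odd.items():
        print(f"{member}: thumbprint {tp} differs from the other pool members")
    if not odd:
        print("all pool members present the same certificate")
```

A member reported here would not be able to decrypt cookies issued by the others, which matches the symptom of being sent back to the logon page when a request lands on it.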