Article ID: 267568 - Last Review: December 3, 2007 - Revision: 4.5

Old password still works after you change it through Outlook Web Access

View products that this article applies to.
This article was previously published under Q267568
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986  (http://support.microsoft.com/kb/256986/ ) Description of the Microsoft Windows Registry
Expand all | Collapse all

SUMMARY

If a user changes his or her password in Microsoft Exchange 2000 Outlook Web Access (OWA), you may notice a 15-minute period where the user can log on to his or her mailbox with either the old password or the new password. However, if the user uses a MAPI client (such as Microsoft Outlook) to access the mailbox or if the user attempts to access other files and resources, the user is only authenticated if he or she uses the new password.

MORE INFORMATION

This latency exists by design for Internet Information Server (IIS) performance reasons, and is controlled by the following registry setting.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
  1. Start Registry Editor (Regedt32.exe) on the IIS server that the user gains access to OWA through.
  2. Locate the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters
  3. On the Edit menu, click Add Value, and then add the following registry value:
    Value Name: UserTokenTTL (NOTE: This is case sensitive!)
    Data Type: REG_DWORD
    Value Range: 0 - 0x7FFFFFFF (NOTE: This unit is in seconds.)
  4. Quit Registry Editor. This change takes effect without restarting the computer or any services.
When a request is made to the server using Basic Authentication, the security credentials for the request are used to create a user token on the server. The server impersonates this user token when accessing files or other system resources (see also CacheSecurityDescriptor in IIS Help). The token is cached so that the Windows logon takes place only the first time the user accesses the system or after the user's token has been removed from the cache. Integrated Windows authentication tokens are not cached.

For IIS performance reasons, the default setting is 15 minutes. Be sure to weigh carefully the security implications versus the performance implications. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152526  (http://support.microsoft.com/kb/152526/ ) Changing the default interval for user tokens in IIS
Note If a user is still logged on when this registry key is set, that user's current Time To Live (TTL) token for that password remains the same as it was before the registry key was modified. The user is not affected until he or she closes all instances of the browser, logs on again, and changes the password again. That new password will have the TTL of the registry key specified.
APPLIES TO
  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 6.0
Back to the top
Keywords: 
kbhowto KB267568
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations