XWEB: Mailbox Access via OWA Depends on IIS Token Cache

This article was previously published under Q173658
This article has been archived. It is offered "as is" and will no longer be updated.
IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.
After you remove the Log on Locally right for a user on a computer running Microsoft Internet Information Server (IIS), the user may still be able to log on to his or her Microsoft Exchange Server mailbox via Microsoft Outlook Web Access. This behavior is temporary and depends on the length of time that user tokens are cached on the server.
For performance reasons, user tokens are cached by IIS and updated at 15-minute intervals. The first time a user logs on via a Web browser, the user's user token is created. If the Log on Locally right is subsequently revoked, the user can still access the mailbox for approximately 15 minutes.
To work around this problem, do one of the following:

  • Restart all the IIS services (Gopher, FTP, and WWW). This will refresh the token cache on the IIS computer. For performance reasons, this is the preferred method if updates are infrequent.

    -or-

  • Change the default interval for the token cache by editing the Microsoft Windows NT registry.
WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.

  1. Start Registry Editor (Regedt32.exe).
  2. From the HKEY_LOCAL_MACHINE subtree, go to the following subkey:
  3. Select Edit.
  4. Click Add Value, and add the following:
    Value Name: UserTokenTTL
    Data Type: REG_DWORD
    Data: (Number of seconds for token to be cached - 30 second min)
  5. Stop and restart all three IIS services (WWW, FTP, and Gopher).
For information about changing the UserTokenTTL value, refer to the following article in the Microsoft Knowledge Base:
152526 Changing the Default Interval for User Tokens in IIS
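
The following sketch is an added example, not Microsoft or IIS code. It models the token cache described above as a simple per-user TTL cache and measures how long a user is still served after the Log on Locally right is revoked, for the default interval, a shorter UserTokenTTL, and a service restart. The names TokenCache and exposure_window, the user names, the per-entry expiry model, and the clamping of values below 30 seconds are assumptions made for illustration.

```python
# Added illustration, not IIS code: a simplified per-user token cache.
# TokenCache and exposure_window are hypothetical names.

DEFAULT_TTL = 15 * 60  # page: tokens are updated at 15-minute intervals
MIN_TTL = 30           # page: 30-second minimum for UserTokenTTL


class TokenCache:
    def __init__(self, rights, ttl=DEFAULT_TTL):
        self.rights = rights          # user -> holds "Log on Locally" right now
        self.ttl = max(ttl, MIN_TTL)  # assumption: smaller values are clamped
        self.created = {}             # user -> time the cached token was built

    def restart_services(self):
        """Model of restarting the IIS services: the cache is emptied."""
        self.created.clear()

    def logon(self, user, now):
        """Return True if the request at time `now` (seconds) is served."""
        built = self.created.get(user)
        if built is not None and now - built < self.ttl:
            return True               # cached token reused; right not re-checked
        self.created.pop(user, None)  # expired or absent: do a fresh logon
        if not self.rights.get(user, False):
            return False              # revocation takes effect here
        self.created[user] = now
        return True


def exposure_window(ttl, revoke_at=45, horizon=3600):
    """Seconds after revocation during which requests still succeed."""
    # Constructed scenario: logon at t=0, one request per second,
    # right revoked at t=revoke_at.
    rights = {"alice": True}
    cache = TokenCache(rights, ttl)
    cache.logon("alice", 0)
    served_after_revoke = 0
    for now in range(1, horizon):
        if now == revoke_at:
            rights["alice"] = False
        if cache.logon("alice", now) and now >= revoke_at:
            served_after_revoke += 1
    return served_after_revoke


if __name__ == "__main__":
    for ttl in (DEFAULT_TTL, 120, MIN_TTL):
        print(f"UserTokenTTL={ttl:>3}s -> still served for {exposure_window(ttl)}s")
```

In this model the revoked user is served until the cached token ages out, so the window shrinks with UserTokenTTL but never reaches zero unless the cache is flushed by a restart.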

Article ID: 173658 - Last Review: 12/04/2015 17:49:12 - Revision: 4.0

Microsoft Exchange Server 5.5 Standard Edition
