An old password still works after you change it in Outlook on the Web
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Assume that a user changes their password in Outlook on the Web (formerly known as Outlook Web App or Outlook Web Access) in one of the following versions of Microsoft Exchange Server:
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2010
- Microsoft Exchange Server 2007
- Microsoft Exchange Server 2003
- Microsoft Exchange 2000 Server
In this situation, the old password continues to work for a period of time after the change. This latency exists by design for Internet Information Services (IIS) performance reasons and is controlled by the following registry setting.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
- Start Registry Editor (Regedt32.exe) on the server that is running IIS and through which the user gains access to Outlook on the Web.
- Locate the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters
- On the Edit menu, click Add Value, and then add the following registry value:
  Value Name: UserTokenTTL (Note This is case-sensitive!)
  Data Type: REG_DWORD
  Value Range: 0 - 0x7FFFFFFF (Note This unit is in seconds.)
- Exit Registry Editor, and then restart IIS.
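The same steps as a script, for servers where the change has to be repeatable and auditable. This is an added example, not code from Microsoft or from the original article; the parameter names `TtlSeconds` and `RestartIis` and the sample value of 60 seconds are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
param(
    # Token lifetime in seconds; 60 is a constructed sample value, not a recommendation.
    [ValidateRange(0, 0x7FFFFFFF)]
    [int]$TtlSeconds = 60,
    # Hypothetical switch for this example: restart IIS once the value is written.
    [switch]$RestartIis
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'
$name = 'UserTokenTTL'   # the article notes that this name is case-sensitive

if (-not (Test-Path -Path $key)) {
    throw "Registry key not found: $key"
}

# Report what is configured now, so the change is auditable.
$regKey   = Get-Item -Path $key
$existing = $regKey.GetValueNames() | Where-Object { $_ -ieq $name }
if ($existing) {
    $kind = $regKey.GetValueKind($existing)
    Write-Output "Found '$existing' ($kind) = $($regKey.GetValue($existing))"
    # Remove it first so the value is recreated with the exact name and type.
    Remove-ItemProperty -Path $key -Name $existing
} else {
    Write-Output "$name is not set; the default of 15 minutes applies."
}

New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $TtlSeconds | Out-Null

# Re-read and verify exact name, type and data before touching IIS.
$regKey = Get-Item -Path $key
$ok = ($regKey.GetValueNames() -ccontains $name) -and
      ($regKey.GetValueKind($name) -eq 'DWord') -and
      ($regKey.GetValue($name) -eq $TtlSeconds)
if (-not $ok) { throw "$name was not written as REG_DWORD $TtlSeconds" }
Write-Output "$name set to $TtlSeconds seconds."

if ($RestartIis) {
    iisreset /restart
} else {
    Write-Output 'Restart IIS for the new value to take effect.'
}
```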
For IIS performance reasons, the default setting is 15 minutes. Make sure that you weigh carefully the security implications versus the performance implications. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
152526 Changing the default interval for user tokens in IIS
Note If a user is still logged on when this registry key is set, that user's current Time to Live (TTL) token for that password remains the same as it was before the registry key was modified. The user is not affected until they close all instances of the browser, log on again, and change the password again. That new password will have the TTL of the registry key that was specified.
Article ID: 267568 - Last Review: 10/01/2015 07:24:00 - Revision: 7.0
Microsoft Exchange 2000 Server Standard Edition, Microsoft Exchange Server 2003 Standard Edition, Microsoft Exchange Server 2003 Enterprise Edition, Microsoft Exchange Server 2007 Standard Edition, Microsoft Exchange Server 2007 Enterprise Edition, Microsoft Exchange Server 2010 Standard, Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2013 Standard, Microsoft Exchange Server 2013 Enterprise, Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Microsoft Internet Information Services 7.0, Microsoft Internet Information Services 6.0, Microsoft Internet Information Services 5.0