Symptoms
Users in an account forest who install the Microsoft Exchange Server August 2023 security update might not be able to change their expired password by using Outlook on the web in an Exchange deployment in a multi-forest topology (Account-Resource or Resource-Resource).
When users in an account forest try to sign in by using an expired password, they're prompted by the following change password screen.
If the users try to change the password, they continually receive the following error message, even though they enter the correct credentials:
The user name or password you entered isn't correct. Try entering it again.
Resolution
The October 2023 security update introduces a setting override that accepts a comma-separated list of additional domains. You must include both the FQDN and the NetBIOS short name of each domain in the setting override; the values are case-insensitive. Exchange uses this additional list of domains when it resets passwords.
To fix this issue, install the following security update:
Note: Although the issue is fixed in the October 2023 security update, you must set the override even after you install the October 2023 update.
Steps for multi-forest deployment
If Exchange Server is deployed in a multi-forest topology (Account-Resource or Resource-Resource), you must add the user forest to the domain list that was introduced in the Exchange Server October 2023 security update. Follow these steps:
- Run the following cmdlet in Exchange Management Shell (EMS) on a server that's running Exchange Server in your environment:

  New-SettingOverride -Name "DomainList" -Component OwaServer -Section DomainSettings -Parameters @("ValidDomainList=contoso.com,contoso") -Reason "Configure list of additional domains"

  Add the domain name (for example, contoso.com) and the NetBIOS name (for example, Contoso) to the override.

- Refresh the VariantConfiguration argument by running the following cmdlet:

  Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

- To apply the new settings, restart the World Wide Web Publishing service and the Windows Process Activation Service (WAS). To do this, run the following cmdlet:

  Restart-Service -Name W3SVC, WAS -Force
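The three steps above combined into one script that can be re-run safely, as an added example that is not part of the Microsoft article. It assumes the override name, component and section values shown in the steps, and uses the article's contoso.com / contoso placeholders; the Set-SettingOverride branch for an override that already exists and the verification through Get-SettingOverride are additions of this example, not steps the article prescribes.

```powershell
# Added example (not from the Microsoft article). Run from Exchange Management
# Shell on an Exchange server. Assumptions: override name "DomainList" and the
# OwaServer/DomainSettings component and section from the article; $Domains is
# your own account-forest FQDN plus NetBIOS name (contoso values are placeholders).
param(
    [string[]]$Domains = @('contoso.com', 'contoso'),
    [string]$OverrideName = 'DomainList'
)

# The override expects a single value of the form "ValidDomainList=fqdn,netbios".
$validDomainList = 'ValidDomainList=' + ($Domains -join ',')

$existing = Get-SettingOverride -Identity $OverrideName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    # First run: create the override exactly as the article's step 1 does.
    New-SettingOverride -Name $OverrideName -Component OwaServer -Section DomainSettings `
        -Parameters @($validDomainList) -Reason 'Configure list of additional domains'
} else {
    # Re-run: New-SettingOverride would fail on the duplicate name, so update instead.
    Set-SettingOverride -Identity $OverrideName -Parameters @($validDomainList) `
        -Reason 'Update list of additional domains'
}

# Verify that the stored parameter list contains every domain that was passed in
# (the match is case-insensitive, like the override itself).
$stored = ((Get-SettingOverride -Identity $OverrideName).Parameters |
    ForEach-Object { [string]$_ }) -join ';'
foreach ($d in $Domains) {
    if ($stored -notmatch [regex]::Escape($d)) {
        throw "Override '$OverrideName' does not contain '$d'; stored value: $stored"
    }
}

# Step 2: make the TopologyService re-read the variant configuration.
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
    -Component VariantConfiguration -Argument Refresh | Out-Null

# Step 3: recycle IIS so Outlook on the web picks up the new domain list.
Restart-Service -Name W3SVC, WAS -Force

Write-Host "Override '$OverrideName' set to '$validDomainList'; W3SVC and WAS restarted."
```

Save the script as a .ps1 file and run it from an elevated Exchange Management Shell, passing your own values, for example `.\Set-OwaDomainList.ps1 -Domains '<account-forest-fqdn>','<account-forest-netbios>'`. The verification step throws before the services are restarted if the override does not contain the expected domains, so a typo in the domain list is caught without an IIS restart.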
Workaround
To work around this issue, users in this deployment can use any of the following alternative methods to change the expired password until a fix is provided by Microsoft:
- Change the password from a domain-joined computer on which they sign in.
- Change the password in OWA before the password expires.
- Ask an administrator or Helpdesk agent to reset their password to a known one, and then change the password after they sign in to Outlook on the web.
Customers who rely solely on Outlook on the web to change an expired password in this scenario should contact Microsoft Support to open a support case.
Note: The account forest user will be able to change the password after they sign in to Outlook on the web if their password is not yet expired. The issue that is mentioned in the “Symptoms” section affects only account forest users who have passwords that are already expired. This change does not affect users in organizations that don’t use multiple forests.