Previously, new users who were required to change their password at next logon, and users whose password had expired, could not log on to OWA at all. They would get the less than helpful error from OWA, "The user name or password that you entered is not valid. Try entering it again."
Exchange 2007 SP3 introduces a new SSL web page for these users that allows them to change their password outside of OWA. The page tells the user, "Your password has expired and you must change it prior to signing in to Microsoft Outlook Web Access."
This new functionality is not enabled by default, since some organizations do not allow password changes from outside the internal network. Enabling it means that anyone who can reach your OWA URL and knows a user's current (expired) password can set a new one from the internet, so check that this fits your password policy before turning it on. To enable it:
- Log on to the Client Access Server (CAS) with administrator rights (repeat on every CAS that serves OWA)
- Run Regedit and navigate to HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA
- Create a new DWORD (32-bit) Value called ChangeExpiredPasswordEnabled
- Assign the ChangeExpiredPasswordEnabled value: 1
- Restart IIS using IISRESET /NOFORCE from the command line
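The same steps as a script, which is what you want when you have more than one CAS to touch. This is an added example and not part of the original post; it assumes an elevated PowerShell session on the CAS, uses the registry key and value name given above, and assumes (not stated in the post) that setting the value back to 0 disables the redirect again.

```powershell
# Added example (not from the original post): enable the Exchange 2007 SP3
# expired-password page on a Client Access Server. Run elevated, on each CAS.
# Key path and value name are the ones the post gives.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$valueName = 'ChangeExpiredPasswordEnabled'

# The key normally exists once the CAS role is installed; create it only if it is missing.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Create or overwrite the value as a REG_DWORD with data 1 (enabled).
# Set-ItemProperty creates the value if it does not exist yet; -Type DWord
# makes sure you do not accidentally end up with a REG_SZ "1", which OWA ignores.
Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord

# Read it back before touching IIS so a typo in the path or name fails loudly here.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($current -ne 1) {
    throw "Expected $valueName = 1 under $keyPath, found '$current'"
}

# Restart IIS so the OWA logon page picks up the new setting. /NOFORCE lets
# worker processes finish in-flight requests instead of being killed.
& iisreset /NOFORCE

# To turn the redirect off again (assumed, not stated in the post: 0 = disabled),
# set the value to 0 and run iisreset /NOFORCE once more:
# Set-ItemProperty -Path $keyPath -Name $valueName -Value 0 -Type DWord
```

Run it on every CAS behind your load balancer; the redirect is evaluated by whichever server answers the logon request, so a server you missed will still show users the old "user name or password is not valid" error.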
Hi, any idea how to enable this feature if OWA is published at ISA?
URL redirection to the password reset tool is performed in Exchange by the logon.aspx page. However, the logon.aspx page is compiled into a DLL in ISA, so unless Microsoft releases a new DLL you won't be able to take advantage of the automatic redirection.
The two options you have are:
1. Publish a new website in ISA for https://mail.contoso.com/auth/expiredpassword.aspx and instruct your users to go there for password resets
2. Republish OWA like a standard website rather than OWA so you bypass the ISA DLL. I don't recommend this option, since it reduces security.
Hi Jeff,
Thank you very much for the post. This should have been available a long time ago, but anyway!...
Have you tried this on Exchange 2010 SP1? It was supposed to work exactly the same way with the exact same change as you showed (I saw another post where the guy followed the procedure described here on an Exchange 2010 SP1 environment and it worked fine!) but for me nothing happens...
I haven’t tried it on Exchange 2007 SP3 though... Any thoughts?
Thanks for sharing again!
Best regards,
Nuno
Hi Nuno,
It won't work on any other SP level of Exchange, since it's making fundamental changes to the way the Outlook Web App logon page works.
On a side note, I've confirmed that this password reset utility will be made available for Exchange 2010 in the next update.
Hi ,
Users are having a problem logging into webmail for the first time because of the option to change password at next logon. When I removed the requirement to change password at next logon, he immediately gained access to his webmail account. The user does not log in to a workstation on the network; he only accesses webmail with his username and password. We have several users that do not log into a computer with their own credentials and only log into webmail. How can we resolve the problem of forcing a password change at first logon while still allowing the user to log into webmail the first time?
I have Exchange 2007 with SP2 and Win2008 server.
Regards,
Geejay
gopinath,
Upgrade to Exchange 2007 SP3. This is the exact scenario that the new password reset tool addresses.
Hey...jeff
Thanks, it's fixed... thanks once again
--Geejay
Jeff,
Thanks for the great post. However, can this now work without publishing OWA through ISA 2006? We're not running ISA 2006, so after moving to 2k7, our users can't reset their passwords through OWA any longer.
The password reset tool has no requirement for ISA 2006. As a matter of fact, I'm not entirely sure it will work with ISA, since ISA uses a DLL instead of the normal ASP pages that OWA provides.
My OWA login page is configured to ask for and accept the user's email address (UPN) instead of the domain\username or username alone formats. However the password reset tool requires domain\username format, which is confusing to most users. Is there any way to change this?
No, sorry. The reset tool requires domain\username format.
With SP3, is it possible to edit the password change (asp) page to simply redirect to a secondary web based password reset tool? I have a solid tool that supports my employees' password resets and I would like to avoid any confusion the new "method" provides...
For ISA you can probably customize the FBA login page using the following directions, then edit the strings.txt file and add the link to the password reset page in the "L_Copyright=" setting (or wherever you would like). Here are some links that should help:
http://www.isaserver.org/articles/2004custfba.html
http://geekswithblogs.net/ksellenrode/archive/2008/12/31/128271.aspx
Nice! Thanks, Phil.
Hi Jeff,
A HUGE piece of missing information here and throughout the web is that this new password change functionality doesn't work with W2K3 IIS6. It only works on W2K8 and IIS7. This was a pain to figure out. PSS doesn't even know this...
Is that true? Is there no way to enable the password reset for Exch 07 users on an 03 server? That's just unbelievable. MS kb indicates that it will work with IIS 5 and 6 here http://support.microsoft.com/kb/297121/en-us Although, at the same time, it fails to indicate that this is only available in Exch 07 SP3. If this is truly the case, then I'd like to know what password reset tool Matt from above is using.
Ryan,
Yes, you can reset your password in OWA 2003/2007SP2, as long as you're logged in. However, you cannot log into OWA with those versions until you've logged into the network and Exchange from an Outlook client the first time.
Also, if your password has been reset and requires you to change it before logging in, you cannot do that from OWA 2003/2007SP2.
The purpose of the OWA 2007 SP3 password reset tool is to allow users to change their password BEFORE they login to OWA.
So, to make sure I understand you correctly, this new addition to Exchange 07 SP3 allows the password change/reset even on a Windows 2k3 server? I ask this because "atkscott" commented above that this will not work on Windows 2k3 (due to the fact that it is running IIS 6 instead of IIS 7).
I have only tested it myself on Windows Server 2008 R2. Sorry.
@Ryan
This evening I tested this on a Server 2003 R2 box with Exchange 2007 SP3 and everything appears to be working on my end.
Awesome! Very good to know. I just updated to SP3, so I'll be getting that setup soon.
Has anyone confirmed the tool's availability in Exchange 2010?
Yes, I have confirmed it works in Exchange 2010 Service Pack 1 (SP1).
Hi Jeff,
We have E2K7 w/ SP3 on W2K8 and the password reset tool runs as expected when using OWA.
However, if any of our clients are using OWA Light it does not work. Instead of redirecting them to the password reset page, it allows them to log in and displays within OWA Light that their password will expire today and they must change it.
Is it possible for the password reset tool to work on OWA light?
Thanks, Matt
This tool does not accept a UPN suffix.
If the flag is set on a user's object to "User must change password at next logon", it appears it lets them log in and just displays the "Your password will expire today. Would you like to change it now?" dialog box. Is this correct? I would have thought it would take them into the password reset tool before allowing them into their email.
In Exchange 2010 SP1 UR3, the user is unable to log in at all to OWA if I reset the password with "User must change password at next logon" checked. I assume this is because the password did not technically expire. I don't have an Exchange 2007 environment to test this on.
Hi Guys,
We have AD server 2008 R2 and Exchange 2010 SP1 integrated. When the password is changed at OWA, does this change the AD password for the user as well?
The passwords are one and the same.
Jeff
Please assist with adding this functionality to Exch2007SP3 on Win2k3R2...