Wednesday, August 4, 2010

Power to the People: Exchange 2010 SP 1 Allows Users to Reset their OWA passwords

For many generations, Outlook Web Access has allowed users to change their password, but only after they had successfully logged on to OWA. With Exchange 2007 Service Pack 3 and the upcoming Exchange 2010 Service Pack 1, administrators now have a way to let users change their password from the logon form itself, much as they do when they log on to Windows on their PC.

This lets administrators set the "User must change password at next logon" flag to force users to change their password the next time they log on to OWA. The same feature also lets users change their password after it has expired, without having to call the help desk for assistance.

How does it work?

First, users are presented with the ordinary OWA logon form.

[screenshot: ordinary OWA logon form]

If the account is flagged to change its password, a new form is displayed with fields for the account name, the old password, and the new password.

[screenshot: OWA change password form]

If the user fills in everything correctly, they are shown a status form simply saying their password was changed.

[screenshot: password changed status form]

After pressing the OK button, the user is returned to the ordinary logon form so they can log on with the newly set password.

Enable password change functionality.

Changing passwords in this manner has to be enabled; it is not enabled by default. This is done by setting a registry value on your CAS servers.

In the “HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA” subkey, create a DWORD value (if it does not already exist) named ChangeExpiredPasswordEnabled and set it to 1 (one) to enable the functionality, or 0 (zero) to disable it.

After you change the registry value, you must run “iisreset /noforce” for the new setting to take effect.

Now all you administrators can sit back, relax, and enjoy letting people’s passwords expire or setting the “User must change password at next logon” flag. (Even though we all know that the chances of the user calling the help desk anyway are still pretty high!)

Consider authentication method.
Password reset functionality will only work if you have Forms-Based Authentication (FBA) enabled on CAS.
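The two steps above (the registry value plus iisreset, and the FBA precondition) can be rolled into one script. The following is an added example, not code from the original post or from Microsoft; it assumes PowerShell remoting is enabled on the CAS servers, that it is run from the Exchange Management Shell so Get-OwaVirtualDirectory is available, and that the server names are placeholders for your own. It checks that the OWA virtual directory actually uses FBA before touching the registry, only changes the value when it is not already 1, and uses /noforce so active connections are not dropped.

```powershell
# Added example (not from the original post): enable the OWA expired-password
# change feature on a set of CAS servers, after confirming that OWA on each
# server uses Forms-Based Authentication, which the feature requires.
# Assumptions: PowerShell remoting enabled on the CAS servers; run from the
# Exchange Management Shell; server names below are placeholders.

$casServers = @('CAS01', 'CAS02')   # placeholder server names
$regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$valueName  = 'ChangeExpiredPasswordEnabled'

foreach ($server in $casServers) {
    # 1. Precondition: the feature only works with FBA on CAS. Skip servers
    #    whose OWA virtual directory uses Basic or Windows Integrated auth.
    $owaVdirs = Get-OwaVirtualDirectory -Server $server
    $fba = $owaVdirs | Where-Object { $_.FormsAuthentication }
    if (-not $fba) {
        Write-Warning "$($server): OWA is not using Forms-Based Authentication; expired-password change will not work here."
        continue
    }

    # 2. Set the DWORD value to 1 (idempotently) and reload IIS without
    #    forcing active connections to drop.
    Invoke-Command -ComputerName $server -ScriptBlock {
        param($path, $name)
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -eq 1) {
            "$($env:COMPUTERNAME): $name is already set to 1; nothing to do"
            return
        }
        Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord
        & iisreset /noforce | Out-Null
        "$($env:COMPUTERNAME): $name set to 1 and IIS reset (/noforce)"
    } -ArgumentList $regPath, $valueName
}
```

To disable the feature again, change the value written by Set-ItemProperty to 0 and run the same iisreset; the FBA check is left in place so the script warns you about servers where the setting has no effect either way.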

If you’re protecting CAS with ISA/TMG and doing FBA on ISA/TMG, then you probably have authentication set to Basic or Windows Integrated on CAS, so this functionality will not work.
To solve this, enable the change password functionality on ISA/TMG instead: http://blogs.technet.com/b/sooraj-sec/archive/2009/12/20/password-change-with-isa-server-2006.aspx (However, if you ask me, this method does not handle password reset as nicely as Exchange OWA does.)

Another way to solve this is to change how OWA is published: enable FBA with the new password reset functionality on CAS and stop performing the authentication on ISA/TMG. On the other hand, this means CAS handles authentication itself instead of ISA/TMG pre-authenticating users before any traffic reaches it, which could raise some security concerns, so I urge you to look closely at all your options before choosing the password reset method that best suits your company’s needs.

I hope that this tutorial on the OWA password reset changes in Exchange 2007 SP3 and 2010 SP1 has been informative for you. Now that administrators can reset OWA passwords easily, or better still let users reset their own passwords, it should no doubt reduce the volume of calls the help desk receives.