bains1000

Change Expired Password OWA IISADMPWD

Hi

We have a single Exchange 2007 SP1 server running on Windows 2003 R2 SP2. I am trying to get the IISADMPWD feature to work when a password expires, as there are quite a few remote users who rely on OWA.

I have set up the virtual directory in IIS. Under application pool, MS KB 297121 states I need to change to ExchangeApplicationPool; however, I have the following options:

DefaultAppPool
MSExchangeAutodiscoverAppPool
MSExchangeOWAAppPool
MSExchangeServicesAppPool
MSExchangeSyncAppPool
MSExchangeUMAppPool

Which do I need to select?

The KB also says basic authentication only, just to confirm, do I untick Enable anonymous access and click Basic authentication (password is sent in clear text) under Directory Security > Authentication and access control?

I notice that for previous Exchange servers you have to change a registry key to enable the change password button in OWA. Is this the case for Exchange 2007?

LeeDerbyshire

It doesn't really matter which app pool you use, but the nearest one to the old exchangeapplicationpool would be msexchangeowaapppool. Note that if you do not allow Anonymous Access to the VDir, then users whose passwords have already expired will not be able to change their passwords (since they won't be able to log in).
Actually, in E2007, if you just go into the Options page, you may be able to change the password without doing /any/ of this.
Ah, but you won't be able to log into OWA if the password has expired.  I see.  So you need the IISADMPWD VDir, but with Anonymous Access enabled.
bains1000

ASKER

Hi Lee

Thanks for your reply. Just to confirm, I have changed the application pool to MSExchangeOWAAppPool and I have enabled anonymous access. I have tried with Basic authentication on and off, but when I try to log in with a new account I have created with the account option "user must change password at next logon" ticked, it won't let me log in to OWA to change the password.

However, if I untick "change password at next logon" on this same account, log in to the account using OWA, then log out and re-enable "change password at next logon", I can log in and an orange bar near the top says "your password will expire today. would you like to change it now?" I can then change the password.
Am I doing something wrong here?

Thanks for your help.
Have a look at this more up-to-date document, and compare it with what you did:
http://technet.microsoft.com/en-us/library/bb684904.aspx
Thanks, making progress I think. I read through the document and the original one again; I missed the adsutil.vbs set w3svc/passwordchangeflags 1. I have carried that out and now I get the login screen (screenshot attached), but when I try to change the password I get an error: object required (screenshot also attached).

Any ideas?

Thanks.
password-ss.jpg
password-fail-ss.jpg
What is the name of the script in the browser's address bar?
On the error screen:
http://mail.domain.com/iisadmpwd/achg.asp?https://mail.domain.com:443/owa/

when attempting to change the password:
https://mail.domain.com/owa/
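An added example, not part of the original thread: a check of the `passwordchangeflags` value set above against the scheme of the change-password URL. The bit meanings are the ones Microsoft documents for the IIS metabase property (0 requires SSL for password changes); the finding names and the `assess` helper are hypothetical.

```python
from urllib.parse import urlsplit

# PasswordChangeFlags bits in the IIS metabase; a value of 0 means that
# password changes require SSL.
ALLOW_UNSECURE = 0x1    # password change allowed on a non-SSL port
CHANGE_DISABLED = 0x2   # password change feature disabled
NOTIFY_DISABLED = 0x4   # no advance notification of password expiry


def assess(flags, change_url):
    """Return finding names (hypothetical labels) for a flag value and URL."""
    if flags & CHANGE_DISABLED:
        return ["change-disabled"]
    findings = []
    is_https = urlsplit(change_url).scheme.lower() == "https"
    if flags & ALLOW_UNSECURE:
        findings.append("unsecure-port-allowed")
        if not is_https:
            # Old and new passwords would be posted without TLS.
            findings.append("cleartext-password-post")
    elif not is_https:
        # The metabase demands SSL, so the link or redirect should use https.
        findings.append("http-link-but-ssl-required")
    if flags & NOTIFY_DISABLED:
        findings.append("expiry-notice-disabled")
    return findings


if __name__ == "__main__":
    # Flag value and URL as quoted in the thread (placeholder host name).
    print(assess(1, "http://mail.domain.com/iisadmpwd/achg.asp"))
    # Same virtual directory with SSL required and an https link.
    print(assess(0, "https://mail.domain.com/iisadmpwd/achg.asp"))
```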
Okay, well have a look at the achg.asp file in Notepad (make a copy first).  We have to try and find out which line of code is generating the error.  I would start by looking for the line that says:
      On Error resume next
and commenting it out with an apostrophe:
      'On Error resume next
save the file back, and see if you get a different error message.
OK, I am getting an error on:

error '800708ad'

/iisadmpwd/achg.asp, line 100

Line 100 in the achg.asp file is:
set pUser = GetObject("WinNT://" & domain & "/" & username & ",user")

any ideas?
800708ad means that it thinks the domain\username combination doesn't exist. Of course, it might be that because the page now has anonymous access allowed to it, it's not allowed to check certain things about its environment. Try changing that line to hard-code your domain name so that it doesn't need to try to work it out.

set pUser = GetObject("WinNT://yourdomain/" & username & ",user")

if it makes no difference, change it back.
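An added example, not part of the original thread: a parser for the ASP error text quoted above that splits the HRESULT into its facility and code fields. For facility 7 (Win32) the low 16 bits are a Win32 or NetAPI error number, and 0x08AD is 2221, `NERR_UserNotFound`. The table covers only a few password-related codes, and the function names are hypothetical.

```python
import re

FACILITY_WIN32 = 7  # HRESULT facility that wraps Win32 / NetAPI error codes

# Win32 and NetAPI (NERR_*) codes that commonly surface during password changes.
KNOWN_CODES = {
    5: "ERROR_ACCESS_DENIED",
    86: "ERROR_INVALID_PASSWORD",
    1326: "ERROR_LOGON_FAILURE",
    1330: "ERROR_PASSWORD_EXPIRED",
    1907: "ERROR_PASSWORD_MUST_CHANGE",
    2221: "NERR_UserNotFound",
    2245: "NERR_PasswordTooShort",
}

# Matches the three-part ASP error: error 'hhhhhhhh', script path, line number.
ASP_ERROR = re.compile(r"error\s+'([0-9a-fA-F]{8})'\s+(/\S+?),\s+line\s+(\d+)")


def decode_hresult(value):
    """Split a 32-bit HRESULT into failure bit, facility and code."""
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    # Only Win32-facility codes can be looked up in the table above.
    name = KNOWN_CODES.get(code) if facility == FACILITY_WIN32 else None
    return {"failed": bool(value >> 31), "facility": facility,
            "code": code, "name": name}


def parse_asp_error(text):
    """Extract script, line and decoded HRESULT from an ASP error page."""
    match = ASP_ERROR.search(text)
    if match is None:
        return None
    result = decode_hresult(int(match.group(1), 16))
    result.update(script=match.group(2), line=int(match.group(3)))
    return result


# Error text as quoted in the thread.
SAMPLE = "error '800708ad'\n\n/iisadmpwd/achg.asp, line 100\n"

if __name__ == "__main__":
    print(parse_asp_error(SAMPLE))
```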
Tried changing the code and I'm getting the same error; I have changed it back.
I then tried domain\username in the account field on the page and that didn't work.

I then thought about the default domain in authentication methods under IIS and added domain.local into the default domain, but that didn't work either. Any other ideas?

Thanks.
Is Anonymous Access still enabled for the IISADMPWD VDir?  If so, try enabling just Basic, and see if it's a permissions problem.
When anonymous is switched off, after trying to change the password I get prompted with a Windows login box. I then entered the account info and it took me back to the error message.
Well, from looking at the code, it seems like it is expected to fail under certain circumstances (which is why the On Error Resume Next is there), but at least we know which part of the code we are looking for.  I would remove the apostrophe you added before, then we start looking around line 100 again.  The line
      if upn_name = "" then
tests to see if you entered a upn-style logon, so avoid doing that for a while to make sure that the next few lines are what gets executed.  Reinstating the On Error Resume Next by removing the apostrophe allows the execution to continue into that block, but try inserting
  On Error Goto 0
at line 101 to see why it fails to get the AD user object at the second attempt.
Tried that, entering on error goto 0 on line 101, and now I'm back to the original error: object required.
When you say upn-style logon, I am entering just the username, for example jsmith, which is the AD logon name. Is that correct?
Okay, remove the 'on error goto 0' at line 101 again, and add a few lines at 113, so it looks like this:

            end if
response.write IsObject(pUser)
response.end
      else

It will just say 'True' or 'False'.
You want to find out at which point it gets upset about not having a required object.
I got the same error with this?
I have attached a screenshot so you can see how I have placed the code, was that correct?
Forgot to attach file.
CODE.jpg
I never got round to fixing this, but I think the need for this has gone away now.

Thanks for your help. I am going to award you points as you spent quite a bit of time trying to help me get this working.

Thanks.