jbcsystech

Exchange Client Access Server cached password issue

Recently a user changed their password through Outlook Web Access and noticed that they were able to continue logging into OWA with both the old and new passwords.  

One of our IT personnel reset the account password through one of our AD controllers using the Users and Computers snap-in, thinking there was an issue with OWA's change password feature, but both passwords could still be used in OWA.

The user logged off the workstation and found they were unable to use the old password and could only log in with the new one. When they logged on with the new password they were still able to log in to OWA with both passwords.

At first I thought maybe we had a replication issue with our AD controllers, but I ran repadmin and dcdiag on all three and no issues were found.

I tried restarting the Exchange services on the CAS server, but it still allowed both passwords in OWA.  I tried restarting the IIS service on the CAS server and it stopped allowing the old password and only allowed the new one.

I'm assuming IIS on the CAS server is caching the old password and will eventually time out and only allow the new one? Assuming this is the case, is it possible to disable this caching feature in order to prevent this from happening again?
Jamie McKillop

Hello,

I suspect what you are experiencing is a cached session on the client side. If you don't click "Log off", your session cookie is still valid and will be used to authenticate you. When you restart IIS, it invalidates the cookie. You can test this by changing the password, clicking "Log off" in OWA, then trying to log back on using the old password.

JJ
jbcsystech

ASKER

The user tried logging off OWA and logged off the computer, yet was still able to log in to OWA with both the old and new password. I tested this myself with a different account on a different computer and experienced the same result even though I logged off OWA and rebooted the computer.
ASKER CERTIFIED SOLUTION
Jamie McKillop

This solution is only available to members.

This sounds like the issue we're experiencing. I'm busy working on some higher priority projects right now so once I get a chance I'll try changing that registry key and will let you know the result. Thanks for your help.