
How to fix following OWA / Password Flaw?

Scenario

Employee logs into Webmail, say at a hotel kiosk

Employee selects "private computer" as an option

Employee finishes work and leaves hotel

Employee remembers they left kiosk without logging out

Employee knows that typing "https://web" may or will autocomplete to the full TMO Webmail address

Employee suspects (which is true) that the persistent cookie will show them as logged in.

Employee sets up their laptop, logs into VPN, changes Outlook password.

HOWEVER, Webmail will still show them as logged in; the password change on the network does not affect the current login, at least not within a short period of time.

Asked by Admin_Stooge
1 Solution

e_aravind Commented:
By default the private logon will have longer *working/active* hours without referring back to the servers.

As per the URL:
Configuring Forms-Based Authentication for Outlook Web Access
http://technet.microsoft.com/en-us/library/bb123719(EXCHG.80).aspx

Recycle time for the authentication key if you use the default time-out value ... for private logons ... 4 hours

If you really need to change the values, you can do so via the registry (is that really needed?)

Admin_Stooge (Author) Commented:
I agree, that aspect is pretty straightforward; I am curious about the password change reference and how it relates.

endital1097 Commented:
I hope the following helps clear this up for you:
Forms-based authentication uses a cookie to store a user's encrypted logon credentials, which the Exchange server uses to monitor the activity of OWA sessions. If a session is inactive for too long (defaults are 15 minutes for public and 8 hours for private), the server requires re-authentication. The initial login to the CAS to authenticate an Outlook Web Access session creates an encrypted cookie used to track user activity. After this initial logon, only the cookie is used for authentication between the client computer and the CAS. The recycle time for authentication is one half of the default time-out value (or 7.5 minutes for public and 4 hours for private). Therefore a user can continue to work within OWA for up to four hours before the cookie becomes invalid and fails authentication.
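The cookie-lifetime behaviour described in the answer above, as an added Python model (not Exchange code and not from any poster): the server rotates its cookie-encryption key every half time-out, accepts cookies issued under the current or the previous key, and a password change leaves that key ring untouched. The time-out defaults and the recycle rule come from the page; the key ids and the kiosk timings are constructed.

```python
# Added model of the FBA cookie behaviour described above; times are in minutes.
PUBLIC_TIMEOUT_MIN = 15.0        # default time-out for a "public computer" logon
PRIVATE_TIMEOUT_MIN = 8 * 60.0   # default time-out for a "private computer" logon


class FbaServer:
    """Toy Client Access Server. It rotates its cookie-encryption key every
    timeout/2 (the recycle time) and accepts cookies issued under the current or
    the previous key, so an idle session lives between timeout/2 and timeout."""

    def __init__(self, timeout_min):
        self.timeout_min = timeout_min
        self.recycle_min = timeout_min / 2
        self.current_key = 0          # constructed key id standing in for key material
        self.last_rotation = 0.0

    def _rotate_to(self, now):
        # Rotation runs on the server clock, independent of any session.
        while now - self.last_rotation >= self.recycle_min:
            self.last_rotation += self.recycle_min
            self.current_key += 1

    def logon(self, now):
        """Forms-based logon: the password is checked once, then a cookie is issued."""
        self._rotate_to(now)
        return {"key": self.current_key}

    def request(self, cookie, now):
        """Every later request is authenticated by the cookie alone."""
        self._rotate_to(now)
        if cookie["key"] < self.current_key - 1:
            return False                  # issued under a key that has expired
        cookie["key"] = self.current_key  # activity re-issues the cookie, keeping the session alive
        return True

    def change_password(self, now):
        """A password change touches the directory, not the key ring: existing cookies stay valid."""
        self._rotate_to(now)


def kiosk_session_still_open(timeout_min, left_kiosk_at, password_changed_at, returned_at):
    """User logs on at t=0, works until left_kiosk_at, changes the password from
    another machine at password_changed_at; is the kiosk cookie still accepted at returned_at?"""
    server = FbaServer(timeout_min)
    cookie = server.logon(0.0)
    server.request(cookie, left_kiosk_at)
    server.change_password(password_changed_at)
    return server.request(cookie, returned_at)
```

With the private default, the abandoned cookie is still accepted hours after the password change; only a shorter time-out (or a public logon) closes the window sooner.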
Question has a verified solution.