Solved

How to fix following OWA / Password Flaw?

Posted on 2010-08-26
5
487 Views
Last Modified: 2012-08-14
Scenario

Employee logs into Webmail, say at a hotel kiosk

Employee selects "private computer" as an option

Employee finishes work and leaves hotel

Employee remembers they left kiosk without logging out

Employee knows that typing "https://web" may or will autocomplete with full TMO Webmail address

Employee suspects (which is true) persistent cookie will show then as logged in.

Employee sets up their laptop, logs into VPN, changes Outlook password.

HOWEVER, Webmail will still show them as logged in, password change on network does not affect current login, at least not in a short period of time.
0
Comment
Question by:Admin_Stooge
5 Comments
 
LVL 26

Expert Comment

by:e_aravind
ID: 33536338
By default the Private logon will have a longer *working/active* hours without refering back to the servers.

As per the URL:
Configuring Forms-Based Authentication for Outlook Web Access
http://technet.microsoft.com/en-us/library/bb123719(EXCHG.80).aspx

Recycle time for authentication key if you use the default time-out value ...for a private logons....4 hours

If you really need to change the values...you can do by registries (is that really needed?)
0
 

Author Comment

by:Admin_Stooge
ID: 33567703
I agree, that aspect is pretty straight forward, I am curious about the password change reference and how it relates
0
 
LVL 32

Accepted Solution

by:
endital1097 earned 500 total points
ID: 34051940
I hope the following helps clear this up for you:
forms-based authentication uses a cookie to store a user's encrypted logon credentials that the Exchange server uses to monitor the activity of OWA sessions. if a session is inactive for too long (defaults are 15 minutes for public and 8 hours for private), the server requires re-authentication.  the initial login into the CAS to authenticate an Outlook Web Access session creates an encrypted cookie used to track user activity. after this initial logon, only the cookie is used for authentication between the client computer and the CAS. the recycle time for authentication is one half of the default time-out value (or 7.5 minutes for public and 4 hours for private). therefore a user can continue to work within OWA for up to four hours before the cookie will become invalid and fail authentication.

0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question