Solved

How to fix following OWA / Password Flaw?

Posted on 2010-08-26
5
492 Views
Last Modified: 2012-08-14
Scenario

Employee logs into Webmail, say at a hotel kiosk

Employee selects "private computer" as an option

Employee finishes work and leaves hotel

Employee remembers they left kiosk without logging out

Employee knows that typing "https://web" may or will autocomplete with full TMO Webmail address

Employee suspects (which is true) persistent cookie will show then as logged in.

Employee sets up their laptop, logs into VPN, changes Outlook password.

HOWEVER, Webmail will still show them as logged in, password change on network does not affect current login, at least not in a short period of time.
0
Comment
Question by:Admin_Stooge
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 26

Expert Comment

by:e_aravind
ID: 33536338
By default the Private logon will have a longer *working/active* hours without refering back to the servers.

As per the URL:
Configuring Forms-Based Authentication for Outlook Web Access
http://technet.microsoft.com/en-us/library/bb123719(EXCHG.80).aspx

Recycle time for authentication key if you use the default time-out value ...for a private logons....4 hours

If you really need to change the values...you can do by registries (is that really needed?)
0
 

Author Comment

by:Admin_Stooge
ID: 33567703
I agree, that aspect is pretty straight forward, I am curious about the password change reference and how it relates
0
 
LVL 32

Accepted Solution

by:
endital1097 earned 500 total points
ID: 34051940
I hope the following helps clear this up for you:
forms-based authentication uses a cookie to store a user's encrypted logon credentials that the Exchange server uses to monitor the activity of OWA sessions. if a session is inactive for too long (defaults are 15 minutes for public and 8 hours for private), the server requires re-authentication.  the initial login into the CAS to authenticate an Outlook Web Access session creates an encrypted cookie used to track user activity. after this initial logon, only the cookie is used for authentication between the client computer and the CAS. the recycle time for authentication is one half of the default time-out value (or 7.5 minutes for public and 4 hours for private). therefore a user can continue to work within OWA for up to four hours before the cookie will become invalid and fail authentication.

0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people use more than one email account and so it becomes difficult for them to manage them when they use separate accounts,  so, in this article, I have shared an easy way to add Other Mail Accounts in your Google Inbox. It helps to combine all…
In this step by step procedure, you will come to know the details of creating an Outlook meeting in 2007, 2010, 2013 & 2016.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question