OWA 2013 Expired Password Change - not working

    Question

  • We are in the process of moving mailboxes from our 2010 environment to our 2013 environment and are using the 2013 CAS as internet facing, for any mailboxes on 2010, requests are proxied through.

    We have the registry DWORD ChangeExpiredPasswordEnabled set to 1 in HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA but this isn't working.

    It used to work perfectly well when we had the 2010 CAS server internet facing.

    Is this still supported in Exchange 2013?

    Monday, May 06, 2013 3:11 PM

Answers

  • I opened up a case with Microsoft and we've done 2 things, not sure which has fixed it.

    1) On the password policy for the domain, set the min password age as 0 days (previously set as 1)

    2) On the CAS server, under IIS, Default Website, OWA, Authentication and on Basic Authentication set the default domain to "\"

    This has resolved the issue for us. 

    • Marked as answer by adamf83 Thursday, July 04, 2013 8:49 PM
    Thursday, July 04, 2013 8:49 PM

All replies

  • Hello,

    There seems to be no article explaining this point.

    Personally, I consider this method OK.

    Did you restart iis after you changed registry?



    Cara Chen
    TechNet Community Support

    Tuesday, May 07, 2013 2:47 AM
  • Wonder this myself - anyone?
    Friday, May 10, 2013 9:29 PM
  • I don't actually remember setting this manually... I went looking to set it and found it already set.  

    The server itself has been restarted a few times so it should have kicked in

    Friday, May 10, 2013 9:31 PM
  • I don't actually remember setting this manually... I went looking to set it and found it already set.  

    The server itself has been restarted a few times so it should have kicked in

    yeah - I JUST installed Exchange 2013 on this box and the registry key is set, but it does not appear to be working. :(

    Friday, May 10, 2013 9:32 PM
  • Hello,

    There may be a cache age after you modify your password, and an AD replication problem; please wait 15s-20s and check the result.



    Cara Chen
    TechNet Community Support

    Monday, May 13, 2013 2:03 AM
  • Hello,

    There may be a cache age after you modify your password, and an AD replication problem; please wait 15s-20s and check the result.



    Cara Chen
    TechNet Community Support

    I think you misunderstand the issue.  Users with expired passwords cannot login to OWA (to then change their password) in Exchange 2013 even with the Exchange 2010 registry setting applied.  It's not due to replication delay.

    Monday, May 13, 2013 2:51 AM
  • I'm with tyler gohl on this, it's got nothing to do with AD replication.  It worked on Exchange 2010, but not on Exchange 2013

    Anybody else have any ideas?

     
    Monday, May 13, 2013 9:52 AM
  • Hello,

    Sorry for my misunderstanding.

    For your issue, I will research further and I suggest you contact Microsoft support. Maybe they have some ideas.



    Cara Chen
    TechNet Community Support


    Tuesday, May 14, 2013 7:16 AM
  • Hello,

    Sorry for the delayed response.

    At present, I still don't have any more related information.

    Is there any update?



    Cara Chen
    TechNet Community Support


    Monday, May 20, 2013 9:32 AM
  • I have no updates - we don't have any free support cases to burn currently.
    Monday, May 20, 2013 2:15 PM
  • Hello,

    At present, there is still no TechNet article explaining whether this method works in Exchange 2013.

    I suggest you upgrade to Exchange 2013 CU1 and check the result.



    Cara Chen
    TechNet Community Support

    Tuesday, May 21, 2013 2:37 AM
  • In my case we are already running on 2013 CU1.
    Tuesday, May 21, 2013 12:37 PM
  • I can confirm that this is an issue that we are seeing as well.  The registry already had this feature enabled.

    Exchange 2013 CU1 (installed right from CU1) co-existing with 2010.  2010 Mailboxes with 2010 CAS are still able to change passwords.

    • Edited by Ed Cho Tuesday, May 21, 2013 8:53 PM
    Tuesday, May 21, 2013 8:51 PM
  • Hello,

    Maybe this method doesn't work in Exchange Server 2013.

    I still suggest you contact Microsoft support to verify the issue.



    Cara Chen
    TechNet Community Support

    Wednesday, May 22, 2013 1:33 AM
  • After opening a support case, it looks like enabling HTTP Redirection in IIS (under Default Website) was the cause.  When we disabled it, it worked. 

    HTTP redirection should be configured for iisstart.htm (not for the entire site) if you want to redirect to /owa.

    • Proposed as answer by Ed Cho Thursday, May 23, 2013 8:44 PM
    Thursday, May 23, 2013 8:30 PM
  • Interesting - as I haven't modified any IIS settings, and I assume they are default - are they going to address this as a bug?
    Thursday, May 23, 2013 8:42 PM
  • They didn't say -- it was enabled as the default as well for a new install Exchange 2013 CU1 here as well and I mentioned this to them.

    Thursday, May 23, 2013 8:45 PM
  • Very interesting indeed.
    @Ed Cho
    Are you really able to log on with an expired account and are prompted to change the password when you do??


    I have tested this in several different Exchange 2013 environments (both RTM and CU1) and it doesn't work.
    To me it seems that this is just another thing with OWA that doesn't work (Disable OWA Access is something else that doesn't work).


    Martina Miskovic

    Thursday, May 23, 2013 9:03 PM
  • Yes -- I double checked that I had the registry key on 2013 and then called them. 

    After a few hours of troubleshooting, they suggested that I disable HTTP redirection in IIS, after performing the action, we were able to make the password change form appear. 

    They did check our AD domain functional level (ours is 2008 I believe).  Also might help to note that our 2013 box is on a 2012 server.

    Thursday, May 23, 2013 9:52 PM
  • @Ed Cho
    Can you tell us if you are able to log on with an expired account and are prompted to change the password when you do??


    Martina Miskovic

    Thursday, May 23, 2013 9:55 PM
  • @Ed Cho
    Can you tell us if you are able to log on with an expired account and are prompted to change the password when you do??


    Martina Miskovic

    Yes -- we are able to logon with an expired account and it does prompt us to change the password.
    Thursday, May 23, 2013 10:02 PM
  • Yes -- we are able to logon with an expired account and it does prompt us to change the password.


    Ok, Thanks for the information.
    Very interesting.

    Martina Miskovic

    Thursday, May 23, 2013 10:05 PM
  • After opening a support case, it looks like enabling HTTP Redirection in IIS (under Default Website) was the cause.  When we disabled it, it worked. 

    HTTP redirection should be configured for iisstart.htm (not for the entire site) if you want to redirect to /owa.

    Hmmm.. Apparently we don't have HTTP redirection turned on, but it still doesn't appear to be working for us.  Did they make any other adjustments?
    Friday, May 24, 2013 3:41 PM
  • After opening a support case, it looks like enabling HTTP Redirection in IIS (under Default Website) was the cause.  When we disabled it, it worked. 

    HTTP redirection should be configured for iisstart.htm (not for the entire site) if you want to redirect to /owa.

    Hmmm.. Apparently we don't have HTTP redirection turned on, but it still doesn't appear to be working for us.  Did they make any other adjustments?

    Before that step, they also made us delete the web.config file under the wwwroot so that it would be recreated from the defaults but that didn't do anything for us.


    • Edited by Ed Cho Friday, May 24, 2013 4:03 PM
    Friday, May 24, 2013 4:03 PM
  • Before that step, they also made us delete the web.config file under the wwwroot so that it would be recreated from the defaults but that didn't do anything for us.


    You are referring to HTTP -> HTTPS redirection and not https://servername -> https://servername/owa redirection right?

    Friday, May 24, 2013 4:27 PM
  • I'm referring to the HTTP redirection under features in IIS. 

    That was turned on (it was actually installed that way) and we turned it off for the password change to work. 

    Friday, May 24, 2013 6:08 PM
  • I don't have HTTP redirection enabled within IIS and it's not working for me.

    Any other suggestions?

    Saturday, June 01, 2013 4:46 PM
  • I opened up a case with Microsoft and we've done 2 things, not sure which has fixed it.

    1) On the password policy for the domain, set the min password age as 0 days (previously set as 1)

    2) On the CAS server, under IIS, Default Website, OWA, Authentication and on Basic Authentication set the default domain to "\"

    This has resolved the issue for us. 

    • Marked as answer by adamf83 Thursday, July 04, 2013 8:49 PM
    Thursday, July 04, 2013 8:49 PM
  • Thanks adamf83.  In our case #2 was the fix.

    I wonder if Get-OWAVirtualDirectory | Set-OWAVirtualDirectory -DefaultDomain "\" would accomplish the same thing?


    • Edited by tyler gohl Thursday, July 11, 2013 4:19 PM
    Thursday, July 11, 2013 4:19 PM
  • I opened up a case with Microsoft and we've done 2 things, not sure which has fixed it.

    1) On the password policy for the domain, set the min password age as 0 days (previously set as 1)

    2) On the CAS server, under IIS, Default Website, OWA, Authentication and on Basic Authentication set the default domain to "\"

    This has resolved the issue for us. 

    I had the 1st suggestion done and running for a few days and it still would not work. The 2nd one, however, was the one that worked for me. Instructions below.

    1- Open IIS Manager on the CAS server.

    2- Navigate to "<Server Name>\Sites\Default Web Site\owa". Double-click "Authentication". Select "Basic Authentication". Make sure it is enabled. Click "Edit" in the far-right pane. Enter "\" into the "Default domain" field. Leave "Realm" field blank. Click "OK".

    3- Navigate to "<Server Name>\Sites\Default Web Site\owa\auth". Double-click "Authentication". Select "Basic Authentication". Make sure it is enabled. Mine was disabled. Click "Edit" in the far-right pane. It should pick-up the "\" through the hierarchy. Enter "\" into the "Default domain" field if it has not. Leave "Realm" field blank. Click "OK".

    4- Navigate back up to "<Server Name>" under "Start Page" in the left pane. Click on the server name to select the server. Click on "Restart" in the far-right pane to restart the web server.

    • Proposed as answer by sydwys Tuesday, September 03, 2013 8:51 PM
    Tuesday, September 03, 2013 8:45 PM
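
    The settings discussed in this thread can be read back in one pass with the script below. It is an added example, not code from any poster or from Microsoft, and it changes nothing. Assumptions: OWA is hosted under "Default Web Site", the helper names Get-IisValue and New-Row are made up for this example, and the "Reported" column holds the values posters here said worked for them rather than documented requirements.

```powershell
# Added example, not from the thread: read-only report of the settings discussed above.
# Run elevated on the Exchange 2013 CAS. "Reported" = value posters said worked for them.
Import-Module WebAdministration

$site  = 'Default Web Site'   # assumption: OWA lives under the default site
$basic = 'system.webServer/security/authentication/basicAuthentication'

function Get-IisValue {
    param([string]$Location, [string]$Filter, [string]$Name)
    $p = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
             -Location $Location -Filter $Filter -Name $Name -ErrorAction SilentlyContinue
    # Some attributes come back wrapped in an object exposing .Value
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { $p.Value } else { $p }
}

function New-Row {
    param([string]$Setting, $Value, $Reported)
    [pscustomobject]@{
        Setting  = $Setting
        Value    = $Value
        Reported = $Reported
        Match    = ("$Value" -eq "$Reported")
    }
}

$rows = @()

# Registry switch from the original question
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' `
           -Name ChangeExpiredPasswordEnabled -ErrorAction SilentlyContinue
$rows += New-Row 'ChangeExpiredPasswordEnabled' $reg.ChangeExpiredPasswordEnabled 1

# Site-wide HTTP Redirection (one poster had to disable it); blank = feature not installed
$rows += New-Row "$site : httpRedirect enabled" (Get-IisValue $site 'system.webServer/httpRedirect' 'enabled') $false

# Basic Authentication on /owa and /owa/auth, default domain "\", realm blank
foreach ($vdir in "$site/owa", "$site/owa/auth") {
    $rows += New-Row "$vdir : Basic enabled"  (Get-IisValue $vdir $basic 'enabled') $true
    $rows += New-Row "$vdir : default domain" (Get-IisValue $vdir $basic 'defaultLogonDomain') '\'
    $rows += New-Row "$vdir : realm"          (Get-IisValue $vdir $basic 'realm') ''
}

# Domain minimum password age (needs the RSAT ActiveDirectory module)
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $rows += New-Row 'Domain MinPasswordAge (days)' (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge.Days 0
}

$rows | Format-Table -AutoSize
```

    Rows where Match is False show where a server differs from what was reported to work in this thread; since the posters were not sure which change fixed it, treat each row as a lead to test rather than a required value.
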
  • Hi

    I followed these steps, but changing the password in OWA is still not working. Where can I see some logs?

    Saturday, January 18, 2014 5:29 AM
  • Thank you, good points.

    I would like to add a point:

    Enable Windows Authentication

    Thanks again

    Sunday, January 26, 2014 10:19 AM
  • Hello,

    I have Exchange 2013 SP1 and Windows 2013.

    How do I allow a user to change the password from OWA in Exchange 2013?

    Wednesday, April 16, 2014 1:06 AM