O365\EXO federated outlook 2010 expected behaviour when changing password

  • Question

  • We are in a federated hybrid Exchange config with O365. We have Exchange 2010 SP3 on premise, and use Outlook 2010 SP2 on the PCs. I do know that Outlook 2010 is out of mainstream support, but we have no choice at the moment. So Outlook is using Basic/proxy authentication over SSL. Outlook is going into Disconnected, or Trying to Connect status after a password change in on-premise AD. Sometimes Outlook prompts after 30 minutes in that state, or it may never prompt, in which case cached credentials have to be manually purged, and Outlook restarted. My understanding is that after the password change Outlook will continue to have access as long as the current token is valid, and once it becomes invalid EXO will recognize that and Outlook should then get a prompt. Can someone verify the expected behavior, and provide any documentation? The user is able to log on to EXO OWA without problem shortly after the password change.
    Wednesday, September 13, 2017 6:32 PM

All replies

  • That's not the behavior I see with Outlook 2013/2016/Office365 Pro. From what I have seen, password changes initiate a password prompt.

    Wednesday, September 13, 2017 6:51 PM
  • We're not using modern auth, so that may be a difference with our setups.
    Wednesday, September 13, 2017 7:15 PM
  • Hi,

    Thanks for contacting our forum.

    This is expected behavior. Please refer to the following article and threads:

    https://support.microsoft.com/en-us/help/267568/an-old-password-still-works-after-you-change-it-in-outlook-on-the-web

    https://social.technet.microsoft.com/Forums/en-US/bebfdeb8-3aab-44af-bf18-d7534808422a/after-password-change-in-ad-outlook-will-not-prompt-to-enter-credentials-for-a-day-or-more?forum=outlook

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, September 14, 2017 7:24 AM
  • Thanks Jason. 

    The first article you reference discusses changing a password using OWA, and being able to use the old or new password for a period of time due to the token life. It also doesn't specifically say it applies to EXO. It mentions Outlook behaving differently, but it's unclear what will be experienced.

    I understand that the token remains valid for a period of time until it expires. I've also seen the second link from the forum, and that explanation. It implies that there is no disruption like what we are experiencing. It says once the token expires Exchange (EXO for us) will recognize that and prompt for credentials. Once the new password is provided all is well. As mentioned in our case, Outlook disconnects and does not prompt for a period of time, or not at all. I guess what I'm trying to verify is that the behavior we are experiencing is not what should be happening, and I was also trying to find documentation on the authentication process\steps that our clients are going through.

    Thursday, September 14, 2017 2:44 PM
  • Per my experience, it should not be expected behavior.

    How about restarting Outlook when it's disconnected? Does the credential then pop up?

    Thanks.


    Regards,

    Jason Chao



    Monday, September 18, 2017 2:57 AM
  • Restarting Outlook has more often than not in these situations not gotten a prompt. I think we may have the cause. We use Ping Federate for our STS, and there is a known issue with the version we use that seems to fit with what is happening.

    https://ping.force.com/Support/PingFederate/STS-WS-Trust/Office-365-Outlook-account-lockout-after-password-change

    One thing I'm not clear on is that it seems to imply that Outlook is talking directly to the STS, but I thought in this scenario EXO did all the talking to Azure and the STS on the Outlook client's behalf.


    Monday, September 18, 2017 2:20 PM
  • Thanks for kindly sharing!

    Regards,

    Jason Chao



    Tuesday, September 19, 2017 9:08 AM