locked
Unable to change password in OWA, after having ECP disabled externally RRS feed

  • Question

  • Hi

    We have disabled https://<maildomain>/ecp for external access in our FW.

    This works great, but for external users, that would like to change their password in OWA, this functionality doesn't work anymore.

    This is because the OWA-password-change URL has the URL:  https://<maildomain>/ecp/?rfr=owa&owaparam=modurl%3D0&p=PersonalSettings/Password.aspx

    Is it possible to configure Exchange2013 to achieve both functionalities?

    (disable ECP-access externally, and allow OWA-password-change externally)

    Thanks

    /Peter

    Tuesday, February 11, 2020 9:25 AM

Answers

  • Not unless you are very specific in your firewall exceptions. You can use traces to find out which exact URLs need to be whitelisted.

    Another way to go would be to use a pre-authentication portal which allows them to change their password as well, independent from Exchange.



    Robert Sparnaaij [MVP-Outlook]
    Outlook guides and more: HowTo-Outlook.com
    Outlook Quick Tips: MSOutlook.info

    • Marked as answer by Andy DavidMVP Tuesday, February 11, 2020 11:24 AM
    Tuesday, February 11, 2020 10:22 AM

All replies

  • Not unless you are very specific in your firewall exceptions. You can use traces to find out which exact URLs need to be whitelisted.

    Another way to go would be to use a pre-authentication portal which allows them to change their password as well, independent from Exchange.



    Robert Sparnaaij [MVP-Outlook]
    Outlook guides and more: HowTo-Outlook.com
    Outlook Quick Tips: MSOutlook.info

    • Marked as answer by Andy DavidMVP Tuesday, February 11, 2020 11:24 AM
    Tuesday, February 11, 2020 10:22 AM
  • Please check that the change password option is enabled for your OWA virtual directory:

    Get-OwaVirtualDirectory | fl Server,Name,ChangePasswordEnabled

    If you find that it is not enabled, you can enable it as below:

    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ChangePasswordEnabled:$true
    Tuesday, February 11, 2020 10:41 AM
  • Hi Peter,

    Do other features in OWA > Option work well?

    If you want to disable EAC for external client connections without affecting access to the Settings > Options page, the following choices are recommended from Microsoft:

    • Configure a second Exchange server that's only accessible from the internal network to handle internal EAC connections.
    • On the existing Exchange server, create a new Internet Information Services (IIS) web site with new virtual directories for the EAC and Outlook on the web that's only accessible from the internal network.

    You can check this article for more details: Turn off access to the Exchange admin center

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, February 12, 2020 4:16 AM
  • Just checking in to see if above information was helpful. If you have any questions or need further help on this issue, please feel free to post back.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, February 18, 2020 9:18 AM
  • Hi

    Thanks for replying, all of you.

    This URL, https://<maildomain>/owa/auth/ExpiredPassword.aspx, is also working in our case, even though the rest of the OWA-links that depends on ECP-functionallity is not.

    We will see if we can try out your suggestion of a preauth or a second Exchangeserver

    Thanks again

    /Peter


    Wednesday, February 19, 2020 9:26 AM
  • That's OK. If you have any updates to share, welcome to post here.

    Hope everything works well on your side.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, February 21, 2020 6:06 AM