Exchange 2010 sp3 Rollup 25 breaks "User to change Password at next logon" for OWA

  • Question

  • Hi there,

    Sorry for putting this in the 2016 forum but the 2010 forum seems to have vanished now.  We are in the process of migrating to 2016.

    Just wondering if anyone else has noticed that the latest exchange 2010 sp3 rollup (25) seems to have broken functionality related to forcing users to change their password at next logon via outlook web access.

    We use this quite extensively and since the latest rollup, it no longer works.  Instead, we simply receive the message that the username or password is incorrect or it just allows us to log in without forcing the reset.

    This behavior doesn't exist when we check it against a 2016 environment when I go to one of the 2016 hosts (we are migrating).

    This was working fine just before the patch.  No settings have changed (that we have made).

    -Darryl

    Friday, January 11, 2019 12:53 AM

Answers

  • Hi,

    Here is the solution for this.

    Please follow the steps below:

    Open IIS Manager on the OWA server.

    Expand Default Web Site and click on owa. On the right-hand panel, double-click on Modules.

    Under Modules, click on Configure Native Modules (Actions panel).

    Here, select exppw and click OK.

    After that, perform an iisreset and perform a test.

    The issue should be resolved after adding the exppw module.


    Thanks, Ashish (I can be wrong but can't be rude) “Tell me and I forget, teach me and I may remember, involve me and I learn.” MCITP, MCT, MCSE. Please remember to vote and mark the replies as answers if they help.


    Friday, January 18, 2019 4:18 AM

All replies

  • Hi,

    Did you check the authentication settings on the OWA web service virtual directory?

    For example:

    Get-owavirtualdirectory -Identity "Contoso\owa*" | fl *auth*

    Also, what errors are showing in the IIS log files?

    To check the logs, first check the log file location:

    IIS manager - default web site - logging

    Open the containing logs folder and check for authentication errors.

    The default location for logs is C:\inetpub\logs\LogFiles\W3SVC1


    Thanks, Ashish

    Saturday, January 12, 2019 1:56 PM
  • Hi Darryl,

    May I know how you installed the update? There is a known issue that when you try to manually install this security update by double-clicking the update file (.msp) to run it in "normal mode" (that is, not as an administrator), some files are not correctly updated. This could cause OWA to not work properly. 

    If this applies to your situation, see the following Microsoft KB article for more details:

    Update Rollup 25 for Exchange Server 2010 Service Pack 3

    Regards,
    Steve Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Monday, January 14, 2019 2:04 AM
    Moderator
  • I'm having the same issues after the RU25 update. RU25 was installed using Windows Update, which is not affected by the issue in the article.

    We also have the ChangePasswordEnabled property set to True on all of our OwaVirtualDirectories and OwaMailboxPolicy.

    I do not see anything about authentication errors in the IIS logs. All of the authentication settings are the same as before.

    Monday, January 14, 2019 4:46 PM
  • Hi,

    We installed the update manually from an admin level command prompt to avoid the issues mentioned in that article which is typically how we've been successful in doing this.

    The issue showed up immediately after installing RU25.

    Cheers,

    Darryl

    Monday, January 14, 2019 5:56 PM
  • There isn't anything overly specific in the logs beyond the following (note, I've obscured the USERID and IP addresses)

    2019-01-14 17:32:46 10.*.*.* POST /owa/auth.owa - 443 USERID 10.*.*.* Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/71.0.3578.98+Safari/537.36 401 1 1330 46

    For this one user, I worked around the issue by setting the "password never expires" flag on their account, then getting them to use OWA to reset their password (which works), and then I unset the expiry flag.  Not a tenable solution in the long run, but it works and shows that the problem seems to be related to how OWA is interpreting the "User must change password at next logon" flag in AD.

    Monday, January 14, 2019 6:29 PM
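A way to find every account hitting this failure in the IIS logs, as an added example that is not part of any post in this thread. It assumes the default W3C field layout, in which the third-from-last number on the line quoted above (1330) is sc-win32-status; 1330 is the Win32 code ERROR_PASSWORD_EXPIRED and 1907 is ERROR_PASSWORD_MUST_CHANGE. The function name is hypothetical and the log directory is the default location mentioned earlier in the thread.

```powershell
# Added example, not from the thread. Find-OwaExpiredPasswordFailure is a hypothetical name.
function Find-OwaExpiredPasswordFailure {
    param([string]$LogDir = 'C:\inetpub\logs\LogFiles\W3SVC1')

    # Win32 logon-failure codes of interest in the sc-win32-status column.
    $codes = @{ '1330' = 'ERROR_PASSWORD_EXPIRED'; '1907' = 'ERROR_PASSWORD_MUST_CHANGE' }

    foreach ($file in Get-ChildItem -Path $LogDir -Filter '*.log') {
        $fields = @()
        foreach ($line in Get-Content -Path $file.FullName) {
            if ($line.StartsWith('#Fields:')) {
                # Take the column order from the log's own header, not a fixed position.
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }

            $values = $line -split ' '
            if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows

            $row = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

            # Rows without sc-win32-status logged are ignored rather than guessed at.
            $win32 = $row['sc-win32-status']
            if ($row['cs-method'] -eq 'POST' -and
                $row['cs-uri-stem'] -ieq '/owa/auth.owa' -and
                $row['sc-status'] -eq '401' -and
                $win32 -and $codes.ContainsKey($win32)) {
                New-Object PSObject -Property @{
                    Time   = "$($row['date']) $($row['time'])"   # IIS logs in UTC
                    User   = $row['cs-username']
                    Client = $row['c-ip']
                    Reason = $codes[$win32]
                }
            }
        }
    }
}

# One line per affected account, with the number of failed attempts.
Find-OwaExpiredPasswordFailure | Group-Object User, Reason | Select-Object Count, Name
```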
  • Hi,

    Can you please check if the registry value below still exists after updating to RU25?

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

    Here you will find ChangeExpiredPasswordEnabled with a value of 1.

    Please check if it exists.


    Thanks, Ashish

    Monday, January 14, 2019 11:39 PM
  • I can confirm that this is the case.  That setting exists on both of my CAS servers and they are both set to 1 (enabled).
    Monday, January 14, 2019 11:44 PM
  • Did you try changing the minimum password age value to 0?


    Thanks, Ashish

    Tuesday, January 15, 2019 12:41 AM
  • In my environment, minimum password age is already 0. (And the ChangeExpiredPasswordEnabled registry setting is already set to 1 on all of the CAS servers.)

    I had a test Exchange server running SP3 RU21 that I did a test with. I installed RU22 - 24 in order and tested the expired reset password feature after each update. It worked. Then I installed RU25 and the feature no longer worked. No other Windows Updates were installed during this period, so it really looks like a problem with the RU25 update.

    Also, I rolled back to RU24 from RU25 and the problem still exists. (I experienced this issue on two different servers as well.)

    Tuesday, January 15, 2019 4:54 PM
  • Hi,

    Try the steps below:
    Open regedit.
    Navigate to the "HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA" key.
    Set the ChangeExpiredPasswordEnabled value from 1 to 0.
    Close regedit.
    Open regedit.
    Set the ChangeExpiredPasswordEnabled value from 0 to 1.
    Close regedit.
    Issue an iisreset at a Command Prompt.  (Half the web says to use "iisreset /noforce" but I've never actually had that reset IIS, so I go for broke and let it use force.)

    If that doesn't resolve it, then I would suggest opening a ticket with MS to report an issue in RU25.
    Microsoft may tell you whether there is a bug in RU25 or whether there is something specific to your environment.
    You can use the extra tool to generate logs, but reading those logs (ETL) requires a tool which Microsoft has.

    Thanks, Ashish

    Tuesday, January 15, 2019 5:23 PM
  • I've tried that as of this morning, but it didn't make a difference...  I think @prent's work is pretty conclusive w/r to pointing the finger at this update.

    It seems something has been broken with RU25 and the fact that it is not reversible by backing out of the update is concerning (I was going to try doing this, but I'm not going to bother now given @prent's experience).

    Tuesday, January 15, 2019 6:28 PM
  • I gave this a try as well, and no dice.  Still the same as before.  

    Tuesday, January 15, 2019 6:33 PM
  • The same situation.

    I have 2 servers: Rollup 25 and Rollup 20, and the registry setting is OK (1 and under Exchange management)

    Rollup 20  -ok

    Rollup 25 - users can't change their password (says the username or password is incorrect)


    • Edited by Rex777 Wednesday, January 16, 2019 3:38 PM
    Wednesday, January 16, 2019 3:37 PM
  • I've found that I can set the password in the reset interface in exchange and then direct the user to go in and change it after they login, and that does work.  Though, after RU25, selecting the "change on next login" box still always results in a user/pass error.  
    Wednesday, January 16, 2019 7:57 PM
  • +1 for this issue, having to manually reset remote users' passwords :(
    Wednesday, January 16, 2019 8:14 PM
  • Hi all,

    I'm trying to submit feedback on this issue via our internal channel. I will keep you updated once I get confirmation on this.

    Regards,
    Steve Fan


    Thursday, January 17, 2019 10:44 AM
    Moderator
  • Thanks Steve.  Please let us know if there are any details we can provide.
    Thursday, January 17, 2019 6:31 PM
  • I had the same issue. It seems that there is an issue with RU25. I followed the steps provided by Ashish (Exchange Rocks) and it resolved my issue.

    Thanks Ashish (Exchange Rocks).

    Friday, January 18, 2019 2:37 PM
  • I can confirm that this worked for us.  Did not need to do an iisreset.  Feature worked as soon as the native module was enabled.

    Thanks Ashish.

    Friday, January 18, 2019 5:41 PM
  • I can confirm Ashish's suggestion above fixes the issue with resetting a password through OWA when AD User and Computers has check-marked "Change password on next login".



    • Edited by Gburner402 Monday, January 28, 2019 6:40 PM
    Monday, January 28, 2019 6:39 PM
  • Thank you so much Ashish ... you rock the Exchange, mate

    you saved me a lot of time to search and made my day.

    appreciate your massive work mate .. well done.

    Tuesday, March 5, 2019 12:45 PM
  • Saw the same issue two months in a row.  First with RU25 installed last month and then again with RU26 installed this month.

    Does this fix have to be redone after every RU is installed or after every server reboot?


    • Edited by Kalimanne Monday, March 11, 2019 7:28 PM
    Monday, March 11, 2019 7:26 PM
  • It seems that the RU is breaking this functionality. It shouldn't be the reboot.

    Thanks,

    Ashish

    MCITP, MCT, MCSE

    “Tell me and I forget, teach me and I may remember, involve me and I learn.”

    Note:- Please remember to vote and mark the replies as answers if they help.

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Monday, March 11, 2019 7:29 PM
  • Just installed update rollup 26 and now this fix seems to be unavailable. The check box for exppw has disappeared for OWA and we are no longer able to change password via OWA.

    The fix above worked fine for update rollup 25 last month.

    Can anybody else confirm UR26 has made the problem worse?

    -J

    Monday, March 25, 2019 3:46 PM
  • Hi,

    Go to this location and open the applicationhost.config file in Notepad.

    c:\windows\system32\inetsrv\config

    Do you see the exppw.dll file in it? Note down the path and manually check whether that file exists in the mentioned path.

    The default path is below:

    C:\Program Files\Microsoft\Exchange Server\V14\Client Access\OWA\Auth\exppw.dll


    Thanks,

    Ashish

    Monday, March 25, 2019 4:25 PM
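The checks suggested in this thread (the ChangeExpiredPasswordEnabled registry value, the exppw registration in applicationhost.config and its DLL, and whether the module is enabled on the owa application) collected into one script, as an added example that is not part of any post and not Microsoft's tooling. It assumes the WebAdministration module is available, an elevated session on the Client Access server, and the site and application names 'Default Web Site' and 'owa'; the function name and the optional -Enable switch, which applies the accepted answer's step, are hypothetical.

```powershell
# Added example, not from the thread. Test-ExppwModule is a hypothetical name.
Import-Module WebAdministration

function Test-ExppwModule {
    param(
        [string]$OwaPath = 'IIS:\Sites\Default Web Site\owa',   # assumed site/app names
        [switch]$Enable   # add exppw to the OWA modules list if it is missing there
    )

    # 1. Registry value the thread asks to verify on each CAS server.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' `
               -Name ChangeExpiredPasswordEnabled -ErrorAction SilentlyContinue

    # 2. Server-level registration (<globalModules>) and the DLL it points to.
    $global = Get-WebGlobalModule -Name exppw
    $image  = if ($global) { [Environment]::ExpandEnvironmentVariables($global.Image) }
    $dllOk  = [bool]($image -and (Test-Path -LiteralPath $image))

    # 3. Effective <modules> list of the OWA application (local or inherited entries).
    $filter = "system.webServer/modules/add[@name='exppw']"
    $atOwa  = Get-WebConfiguration -Filter $filter -PSPath $OwaPath

    # Optional repair: only when the module is registered, its DLL exists,
    # and it is absent from the OWA modules list.
    if ($Enable -and $global -and $dllOk -and -not $atOwa) {
        Enable-WebGlobalModule -Name exppw -PSPath $OwaPath
        $atOwa = Get-WebConfiguration -Filter $filter -PSPath $OwaPath
    }

    New-Object PSObject -Property @{
        RegistryValue      = if ($reg) { $reg.ChangeExpiredPasswordEnabled } else { $null }
        GloballyRegistered = [bool]$global
        Image              = $image
        DllExists          = $dllOk
        EnabledAtOwa       = [bool]$atOwa
    }
}

# Read-only audit; rerun after each update rollup to see whether the entry survived.
Test-ExppwModule | Format-List
```

EnabledAtOwa reflects the effective configuration, so it is also true when the entry is inherited from the server level rather than defined locally on owa.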
  • I can confirm both are there.

    c:\windows\system32\inetsrv\config\applicationhost.config

    Under <globalModules>...

    <add name="exppw" image="C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth\exppw.dll" preCondition="bitness64" />

    Under <modules> ...

    <add name="exppw" preCondition="bitness64" />

    The file exists in C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth\

    J

    Monday, March 25, 2019 4:35 PM
  • Hi,

    Try the steps below:

    Remove the exppw.dll entry from applicationhost.config (c:\windows\system32\inetsrv\config) (Note: Remember to take a backup before you remove the line.)

    Then register exppw.dll by following the steps below:

    1. Open IIS Manager -> Select the Server Name in the left Pane -> Open Modules in the middle panel.
    2. Click on ‘Configure Native Modules’ in the right pane -> Click the button ‘Register’ -> Type the name as ‘exppw’
    3. Browse and select the path of above file--> c:\Program Files\Microsoft\Exchange Server\V14\Client Access\OWA\Auth\exppw.dll.
    4. Make sure that the 'exppw.dll' is only present at OWA level and not at any of the top hierarchy.
    5. Then ensure that for this module in OWA (VDir), ‘Module Type’ is set to ‘Native’ and ‘Entry Type’ is ‘Local’
    6. Run IISreset /noforce


    Thanks,

    Ashish

    Monday, March 25, 2019 4:46 PM
  • "Remove the exppw.dll entry"

    I indicated there are 2 entries, one under globalModules and another under modules.

    Do we remove both?

    Tuesday, March 26, 2019 12:19 PM
  • Hi,

    From Global Modules only.


    Thanks,

    Ashish

    Tuesday, March 26, 2019 1:09 PM
  • Followed the steps above and there is no improvement.

    Registering the Native Modules from the "server name" seems to install exppw.dll as a native and local module on the root of the server.

    It is inherited by OWA and indicates it is Native and Inherited.

    Could RU26 have changed this behavior? We were able to do the steps above with RU25 to correct the problem but now we cannot.

    -J

    Tuesday, March 26, 2019 4:33 PM
  • So when you click on the OWA virtual directory and open Modules (in the middle panel), do you see exppw listed?


    Thanks,

    Ashish

    Tuesday, March 26, 2019 4:43 PM
  • I do, but it is Native and Inherited
    Tuesday, March 26, 2019 4:49 PM
  • I would suggest opening a case with Microsoft on this.



    Thanks,

    Ashish

    Thursday, March 28, 2019 3:05 PM
  • Discovered the same issue today after going from RU18 to RU26 over the weekend. Followed Ashish's instructions to re-add the module in the IIS/OWA directory and it is working again.  But I have RU27 waiting to be installed for the month of April. Is this going to happen again, and will the module disappear on me as is said to have happened to JWiteLA? I definitely need users to be able to update their own expired passwords, as most employees use OWA and not a PC on our network.
    Tuesday, April 9, 2019 9:59 PM
  • Hi,

    I can't say anything on RU27 because it was just released yesterday, but I always prefer to do testing in a test environment before implementing in production.

    I will test and will share my results, most probably by tomorrow.


    Thanks,

    Ashish

    Wednesday, April 10, 2019 12:39 PM
  • Worked for us. Thanks
    Thursday, May 16, 2019 8:24 AM
  • The solution worked.

    Thank you.

    Thursday, June 6, 2019 2:19 PM
  • Worked in my case, thank you!!
    Tuesday, June 18, 2019 2:22 PM
  • worked in my case!  Thank you!!
    Tuesday, June 18, 2019 2:23 PM
  • Many thanks, it solved the same issue here! Thanks!
    Tuesday, September 24, 2019 2:34 PM