ActiveSync can sync 6 hours after changing password in AD before client asks for new credentials

  • Question

  • Hi,

    The title says most of it. I can explain how it's set up.
    One ISA Server 2006 Enterprise -> two HUB/CAS servers -> CCR Mailbox Servers 

    It is a very critical bug. I can change the password in AD many times, and the ActiveSync device can receive and delete mail for 6 hours with the old password.

    OWA does not allow logon after changing the password.

    Thanks for any help.

    Best regards
    Joachim Løe
    Senior IT Consultant
    www.crayon.no
    Wednesday, April 22, 2009 6:29 AM

Answers

  • Hello Joachim,

    Please set the value to "1" as I mentioned above and try again. Could you let me know if you can reproduce the issue on another account and if you are using a client certificate based authentication?

    You mentioned you're working with a premier support, I think you should go on working close with him/her due to the issue's complication. At the same time, could you send me the case number? I could review the case to obtain more information.

    I will update the thread if I got any.

    Thanks,

    Elvis
    • Marked as answer by Joachim Loee Wednesday, April 29, 2009 12:24 PM
    Monday, April 27, 2009 6:56 AM

All replies

  • Hi Joachim,

    The issue can be caused by the IIS cache or an AD replication problem. Please understand that IIS does cache the credentials; until the cache expires, the user can log on to his/her mailbox with either the old password or the new password. However, if the user uses a MAPI client (such as Microsoft Outlook, OWA) to access the mailbox, or if the user attempts to access other files and resources, the user is only authenticated if he or she uses the new password. This latency exists by design for Internet Information Server (IIS) performance reasons, and is controlled by the following registry setting:

    1. Start Registry Editor (Regedt32.exe) on the CAS server.

    2. Locate the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters

    3. On the Edit menu, click Add Value, and then add the following registry value:
    Value Name: UserTokenTTL
    Data Type: REG_DWORD
    Value Range: 1 (decimal) (NOTE: This unit is in seconds.)

    4. Quit Registry Editor and restart IIS by running "IISreset /noforce".

    5. Repeat the same steps on another CAS server.

    Related KB:

    Changing the Default Interval for User Tokens in IIS
    http://support.microsoft.com/kb/152526

    However, if the issue persists, please let me know if you can reproduce the issue on another account and if you are using a client certificate based authentication.

    Hope this helps. Thanks,

    Elvis

    Thursday, April 23, 2009 9:21 AM
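The procedure above, scripted for every CAS server, as an added example that is not code from the thread, from Microsoft or from the KB article: it writes UserTokenTTL as a REG_DWORD in seconds, reads it back, recycles IIS with iisreset /noforce, and includes a probe that calls the ActiveSync virtual directory with a supplied credential so you can confirm, with the old password, when the cached token has actually stopped being honoured. The host names, the EAS URL, the account and the default TTL of 1 second are assumptions; the thread reports 1 second and 300 seconds as values that worked for different posters, and 15 minutes as the default.

```powershell
<#
  Added example, not code from the thread or from Microsoft: apply the
  UserTokenTTL workaround (KB 152526) to every CAS server, verify it, and
  recycle IIS so the new TTL is picked up. Host names, the EAS URL and the
  default TTL below are assumptions for illustration.
#>
[CmdletBinding()]
param(
    # Assumed CAS host names; replace with your own.
    [string[]]$CasServers = @('cas01.contoso.local', 'cas02.contoso.local'),
    # Seconds. 1 is what worked for two posters in the thread, 300 for another.
    [ValidateRange(1, 86400)]
    [int]$TtlSeconds = 1
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'
$valueName = 'UserTokenTTL'

function Test-EasCredential {
    <#
      Probe the ActiveSync virtual directory with a given credential.
      Returns the HTTP status: 200 means the password was accepted,
      401 means it was rejected. Run it with the OLD password after a
      change to see whether the cached token is still honoured.
    #>
    param(
        [Parameter(Mandatory)][string]$Url,   # e.g. https://mail.contoso.com/Microsoft-Server-ActiveSync (assumed)
        [Parameter(Mandatory)][pscredential]$Credential
    )
    try {
        # OPTIONS is the cheapest authenticated request the EAS vdir answers.
        $resp = Invoke-WebRequest -Uri $Url -Method Options -Credential $Credential -UseBasicParsing
        return [int]$resp.StatusCode
    } catch {
        # Windows PowerShell throws on 401; the status is still on the response object.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

foreach ($server in $CasServers) {
    Invoke-Command -ComputerName $server -ArgumentList $regPath, $valueName, $TtlSeconds -ScriptBlock {
        param($path, $name, $ttl)
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # REG_DWORD, decimal seconds, exactly as the KB specifies.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $ttl -Force | Out-Null
        $applied = (Get-ItemProperty -Path $path -Name $name).$name
        if ($applied -ne $ttl) { throw "${env:COMPUTERNAME}: $name is $applied, expected $ttl" }
        # The token cache lives in the IIS process; restart so the new TTL takes effect.
        & iisreset /noforce | Out-Null
        "${env:COMPUTERNAME}: $name = $applied second(s), IIS restarted"
    }
}

# Usage after a password change (assumed URL and account):
#   $old = Get-Credential -Message 'Enter the OLD password'
#   Test-EasCredential -Url 'https://mail.contoso.com/Microsoft-Server-ActiveSync' -Credential $old
# Expect 200 for at most $TtlSeconds after the change, then 401.
```

The probe is the check the thread never quite pins down: run it against each CAS server (or through the ISA publishing rule) right after changing a test account's password, and the point at which it flips from 200 to 401 is the real window during which the old password still syncs mail. If it never flips within the configured TTL on a given box, that box did not pick up the value, which is the "IIS restart vs. full reboot" question raised later in the thread.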
  • Hi Elvis,

    Thanks for taking your time.

    I have tried this fix with Microsoft Premier Support with no luck.
    Instead, ActiveSync has now started to ask users for credentials every 5-10 minutes on the cell phone. Doh.
    Even if it asks for credentials, it will accept the old password.

    I'm thinking that if this was an AD replication problem, OWA and MAPI clients should have the same error.

    When inserting UserTokenTTL on both CAS servers I was told to set it to 5 minutes (in seconds), and when this credential problem appeared I put it back to the default of 15 minutes (in seconds). But it still asks for credentials.

    Hope this explains something.

    /Joachim
    Best regards Joachim Løe Senior IT Consultant www.crayon.no
    Friday, April 24, 2009 5:57 AM
  • Hi, I sent you the case number.

    This error is on all users that use the ActiveSync protocol. Not using certificate-based authentication.
    It did not help to set it to 1 and restart the IIS service.

    It varies between 2-6 hours before the device asks for new credentials after changing the password.
    I've checked all domain controllers for replication errors with Replmon and there are no faults.
    If I try syncing with another device with the same user and the new password, the other device will react and ask for new credentials.

    Thanks.

    Best regards Joachim Løe
    Tuesday, April 28, 2009 8:17 AM
  • It finally started working. Now it works too well. :)
    It takes 1 minute, then it asks for the password.

    I have scheduled downtime today and am going to set it to 5 minutes and reboot the servers, and hope that they still work.

    Thanks for your help.

    Best regards Joachim Løe
    Wednesday, April 29, 2009 12:28 PM
  • Joachim,
    Did you need to reboot to have this take effect, or will the IIS restart suffice? I am having the same issue, but the lengths of time vary up to 24 hours. Does this change affect OWA at all? When you said it was prompting users every 5 minutes, was that only for users that needed to change their password at the time? What was your final setting in the registry?
    Also, if you remove the registry key, will it return to the original behavior?
    Thanks,
    Ernest Pavon
    Friday, May 1, 2009 4:35 PM
  • I'm sorry for the late answer.

    - The setting was DWORD "UserTokenTTL" with a value of 5 minutes (in seconds, decimal).

    MS says you only need to restart the IIS service and all its dependencies.
    But I rebooted many times before my solution worked.

    No effect on OWA. The reason that every device started asking for credentials every 5 min was a change on the ISA rule :S.

    Hope this will help you.
    Best regards Joachim Løe
    Monday, May 25, 2009 12:34 PM
  • So does this mean the resolution is to make the registry change listed above with 5 minutes on the IIS (CAS) servers and then reboot the server?
    Wednesday, October 28, 2009 9:09 PM
  • My client presently has symptoms similar to the ones described above. I would appreciate clarification as to the process used to resolve this, if anyone can spare the time to detail exactly what it was that fixed it.

    I have applied the registry key

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters\UserTokenTTL = 180

    and done an IISReset for this to take effect, but am not seeing any change in behavior on my ActiveSync client devices. Do I need to go a step further than IISReset and give the entire server a restart?

    Thanks,

    Nathan

    (Joachim: Usually when I conclude a case with Microsoft Support, they provide a problem/solution summary in email. If you still have that, and can post it here, that would be very much appreciated.)

    Sunday, July 3, 2011 12:46 PM
  • Does anyone have clear instructions on how to fix this please?
    Monday, June 4, 2012 4:28 PM
  • On Exchange 2010 SP3 RU18:

    Setting the key value of UserTokenTTL to "1" will fix this problem on EAS devices.

    Other values seem not to work for me. I tried "30" and "10" until I found this article. 


    Johnny_Yao

    Friday, September 8, 2017 6:37 AM