Monday, February 25, 2008

OWA CHANGE PASSWORD FEATURE IN EXCHANGE 2003




We finally went alive with two FE (front end server) road balanced behind the contend switch. All BE (Back End) server is using these two OWA FE servers from outside. The OWA traffic is being directed to URL, something like this Https://smtp25.org/webmail , this Cname maps to the IP address of the ISA Virtual IP Address. ISA (Proxy) server accepts all the traffic and passes over to inside network. The way we configured ISA, is with two interfaces. One is Public other one is internal interface. When ISA accepts traffic on Port 80, it redirects it to SSL (443) and passes inside network VIP (Virtual IP of the content switch). The Content switch is configured to distribute the traffic in round robin fashion, one session for one server A, second session for server B, third for server A forth for server B and so on. This is where you get the "Road Balance" type of configuration.

Anyway after completing this entire existing task, we realized we forgot to enable "Password Change" future. Now I am writing all the notes I put together to archive the mission with little finding. Creating Virtual directory called "Iisadmpwd" is the first step as shown below. Of course all these little things we do it not required in exchange 2007, because it is all build in, so upgrade to Exchange 2007 whenever is possible (-:

  • Open IIS, click start, Run, InetMGR, and hit enter.
  • In IIS Manager expand SERVERNAME, expand again Web Sites, and then expand Default Web Site.
  • Right-click Default Web site and choose New, then select Virtual Directory.
  • In the Welcome screen click next.
  • In the Virtual Directory window type Iisadmpwd Click Next.
  • In the Website Content Directory screen navigate to %Systemroot%\System32\Inetsrv\Iisadmpwd. Click Next.
  • In the Virtual Directory Access Permissions grant Read, Run Scripts and Execute permissions. Click Next Finish.
  • On the "Iisadmpwd" directory make a right click on go to properties and make sure

    Executive permissions set to "Scripts and executables"

    Application pool "ExchangeApplicationPoll" also one more thing to do. Click on Directory security, Under Authentication and access control, Click edit and make sure only "Basic authentication (password is sent in clear text) is selected.

    Now you need to enable a register key. All you need to do it copy and paste below code into notepad and save as "DisablePassword_to_0.reg", after this double click on the red file to make the changes in the register

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA]

"UseRegionalCharset"=dword:00000001

"DisablePassword"=dword:00000000


PS:
Here is the trick after you have done all the hard work you will have to reset IIS and make sure the information store service is restarted on the BE (back end server) to get this working otherwise you won't see the option change password when you log into OWA.
There is one property in MetaBase: PasswordChangeFlags. The default value in
Windows 2003 (IIS 6.0) is 6.PasswordChangeFlags, Metabase , Property With the value set to 6 u cannot change the password in OWA when the user password expires/Change password at next logon is selected.
You can run the below command on the server to check the value
If everthing is not working, but you are not getting "User must Change password" password expired, you have to run below scripts to get it going on the FE servers, so Click run, cmd, and go to"C:\Inetpub\AdminScripts" directory, use get script first if you get "6" it means prompt for expired password is not allowed, so use the second script to set it to "0" after IISRESET, OWA will happly will prompt you, your password expired and must be changed window.
C:\InetPub\AdminScripts> cscript adsutil.vbs get w3svc\PasswordChangeFlags
Set the value by following command on the server:
C:\InetPub\AdminScripts> cscript adsutil.vbs set w3svc\PasswordChangeFlags 0

KB:833734

Technet2

if there is more problems after this check this link out KB894825

You receive an "Object Required" error message IIS 6.0

To register the file in IIS 6.0, type the following command at a command prompt:

regsvr32 c:\windows\system32\inetsrv\iisadmpwd\iispwchg.dll

Best,

Oz ozugurlu

Systems Engineer
MCITP (EMA), MCITP (SA),
MCSE 2003 M+ S+ MCDST
Security Project+ Server+
oz@SMTp25.org
http://smtp25.blogspot.com (Blog)

14 comments:

William said...

Do you apply this settings to EFE and EBE in order for it to work.

Oz Ozugurlu said...

William, No this can be set on one server as well
oz

Will said...

I did everything on the the front end and everytime I try to change password it gives me an error.

Either the password is too short or password uniqueness restrictions have not been met.


Thanks.

Oz Ozugurlu said...

Will check this out to see if this remedies your problem
http://support.microsoft.com/kb/827614
best
oz

Will said...

Oz,

Thank you for everything that link really help I went and change from 1 to 0 and everything is working. As soon as I saw the OWA change password feature in exchange 2003 in you blog I said to myself let us implement that. Again thank you very much Oz.

Will,

Your student.

Oz Ozugurlu said...

Will I am very happy to hear that it did work, great work (-:

take care
oz

Oz Ozugurlu said...

Problem:
Users are not getting prompted to change their password , when they loginto OWA, this is FE, BE server environment with ISA 2004 front end
Users Receiveing
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL).
Contact the server administrator. (12202)

Go to your ISA Server and include the path in my ISA 2004
OWA rule to /IISADMPWD/*.

This will permit password requests through to the IISADMPWD virtual directory

Anonymous said...

Thanks for the article. It worked as you said with the same types of problem. Except I got stuck on Error Number: 5 for users that had their passwords expired or password set to change at next logon.

After struggling to find a solution called up Microsoft and the engineer gave a quick fix.


-The page that is displayed uses HTTPS even though SSL is not enabled on the website. This is because SSL is on the content switch which does the actual redirection.
-So first changed the metabase key passwordchangeflags to 0. The command to do this is cscript.exe adsutil.vbs set w3svc/passwordchangeflags 0. The value 0 indicates that SSL is required
-Now since SSL is not on the website level, setting this metabase key will throw up an error indicating SSL required
-To remove the error modified a "aexp.asp" page and remove the section < %'W3CRYPTCAPABLE till < %end if% >
-Restart IIS and test the functionality.

Worked like a charm.
Thanks again.

Gendo Ikari said...

This is why I love the internets.

Thanks Oz. This article saved us a bunch of time.

Anonymous said...

Oz Ozugurlu - Thanks!

Thanks for this, looked long and hard for a fix.. I was implementing the change on SBS 2K3 premium and the ISA fix finally resolved.

/IISADMPWD/*

Set them same as external path

On OWA rule.

Matt said...

Hey Oz,
I have ISA server that connects to our FE servers and then to BE servers.
I have put in the configurations for BE servers so that i can just test it inside the network before implementing it throughout.

when I hit change password, it comes back with internet explorer cannot display the webpage. anything i should look into?

Matt

Anonymous said...

Awesome!

This took ages to find, I had it all working except for the dll registration! This also solves the:
"The specified domain or account did not existst" error

Thanks

Rush1976 said...

have any one know how to set the change password from the logon screen :
thanks

Rush1976 said...

have any one know how to setup change password on the logon screen on owa ?

thanks