OWA and change password at logon issue
| Sean M. Loftus 2004-09-08, 5:54 pm |
| I have a Windows 2003 and Exchange 2003 setup with a separate Exchange FE
configured. I have an SSL Cert installed as well as the change password
feature, and secure communication works fine, including allowing a user to
access the email account and the change password option and successfully
change their password. The users will only be allowed to access OWA and only
from external sources, they will never connect to our domain in any other way
and should be prompted to change their password as this is an initial load of
8000 users!
However, when I set the "User must change password at next logon" flag in the user's
account properties and try to log in using the UPN I get a "403, access is
denied" message. As soon as I uncheck the flag I can log in with the account.
Also, if I use the NetBIOS version of "domain\username" and password instead
of the UPN it just ignores the change password at next logon flag and lets me
log in and out at will...
Has anyone seen this or had this issue before?
Sean M. Loftus
sean(removeme)@loftus.org
Sean M. Loftus
Enterprise Architect
Loftus Consulting
www.LoftusConsulting.com
| |
| Sean M. Loftus 2004-09-15, 10:34 am |
| I figured out part of my problem; I caused part of it myself by putting the
IISADMPWD virtual directory in a different application pool instead of the
Exchange application pool.
So I am now redirected to the "Your password has expired. you can change it
now" dialog page when the change password flag on the account is set.
However, when I change the password it directs me to a web page/error page
(seen below) I have not seen before and cannot find in TechNet or the
knowledge base.
Error Number: -2147023570
If the change password flag is "not" set on the account I can login and go
to options and change my password from within OWA and it works fine.
As always, any help is appreciated...
Thanks,
Sean
| |
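The error number quoted in the post above reads as a signed 32-bit HRESULT. The following decoder is an added example, not part of the original thread; the lookup tables are a small constructed subset of winerror.h, and the function name is hypothetical.

```python
# Added example (not from the thread): decode a signed 32-bit error number
# as an HRESULT. The lookup tables are small constructed subsets of winerror.h.

FACILITIES = {0: "FACILITY_NULL", 1: "FACILITY_RPC", 7: "FACILITY_WIN32"}

# Win32 codes that commonly surface around logon and password change.
WIN32_CODES = {
    5: "ERROR_ACCESS_DENIED",
    86: "ERROR_INVALID_PASSWORD",
    1324: "ERROR_ILL_FORMED_PASSWORD",
    1325: "ERROR_PASSWORD_RESTRICTION",
    1326: "ERROR_LOGON_FAILURE",
    1327: "ERROR_ACCOUNT_RESTRICTION",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1907: "ERROR_PASSWORD_MUST_CHANGE",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}


def decode_hresult(value):
    """Split a signed or unsigned 32-bit HRESULT into its fields."""
    if not -(1 << 31) <= value < (1 << 32):
        raise ValueError("not a 32-bit value: %r" % value)
    u = value & 0xFFFFFFFF            # two's-complement reinterpretation
    facility = (u >> 16) & 0x7FF      # facility field, bits 16-26
    code = u & 0xFFFF                 # code field, bits 0-15
    name = None
    if facility == 7:                 # FACILITY_WIN32 wraps a Win32 error code
        name = WIN32_CODES.get(code)
    return {
        "hex": "0x%08X" % u,
        "failure": bool(u >> 31),     # severity bit
        "facility": FACILITIES.get(facility, "facility %d" % facility),
        "code": code,
        "win32_name": name,
    }


if __name__ == "__main__":
    # Error number quoted in the post above.
    for key, val in decode_hresult(-2147023570).items():
        print("%-10s %s" % (key, val))
```

The value decodes to 0x8007052E, that is, Win32 error 1326 (ERROR_LOGON_FAILURE) wrapped in FACILITY_WIN32.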
| Sean M. Loftus 2004-09-22, 9:26 pm |
| There is a hotfix for this exact issue - KB833734
Details the exact problem of not being able to change password when prompted
at logon or when expired at logon.
Worked like a champ!
Sean