The New Exchange 2007 SP3 Password Reset Tool

Monday, June 28, 2010
Exchange Server 2007 Service Pack 3 includes a handy new web page that allows users to change their password before logging into Outlook Web Access (OWA).

Previously, new users who are required to change their password at next logon or users whose password has expired cannot log on to OWA.  They will get the less than helpful error from the OWA, "The user name or password that you entered is not valid. Try entering it again", as shown below:

 
In order to logon to OWA, the user must logon to the network, enter their old password and the new password.  Obviously, this causes problems for remote users whose password has expired or for new users who must change their password before logging in for the first time.

Exchange 2007 SP3 introduces a new SSL web page for these users that allows the user to change their password outside of OWA.  The page tells the user, "Your password has expired and you must change it prior to signing in to Microsoft Outlook Web Access."

 
Once the user changes their password, the page redirects the user back to OWA.

This new functionality is not enabled by default, since some organizations do not allow password changes from outside the internal network.  To enable it:
  • Logon to the CAS with administrator rights
  • Run Regedit and navigate to HLKM\SYSTEM\CurrentControlSet\services\MSExchange OWA
  • Create a new DWORD (32-bit) Value called ChangeExpiredPasswordEnabled
  • Assign the ChangeExpiredPasswordEnabled value: 1
  • Restart IIS using IISRESET /NOFORCE from the command line
Word is that Microsoft will implement the password reset tool for Exchange Server 2010 when Exchange 2010 SP1 is released.  It's a pretty handy feature!

30 comments:

  1. Hi any idea how to enable this feature if OWA is published at ISA?

    ReplyDelete
  2. URL redirection to the password reset tool is performed in Exchange by the logon.aspx page. However, the logon.aspx page is compiled into a DLL in ISA, so unless Microsoft releases a new DLL you won't be able to take advantage of the automatic redirection.

    The two options you have are:

    1. Publish a new website in ISA for https://mail.contoso.com/auth/expiredpassword.aspx and instruct your users to go there for password resets

    2. Republish OWA like a standard website rather than OWA so you bypass the ISA DLL. I don't recommend this option, since it reduces security.

    ReplyDelete
  3. Hi Jeff,

    Thank you very much for the post. This should have been available a long time ago, but anyway!...
    Have you tried this on Exchange 2010 SP1? It was suppose to work exactly the same way with the exact same change as you showed (I saw another post where the guy followed the procedure described here on an Exchange 2010 SP1 environment and it worked fine!) but for me nothing happens...
    I haven’t tried it on Exchange 2007 SP3 though... Any thoughts?
    Thanks for sharing again!

    Best regards,
    Nuno

    ReplyDelete
  4. Hi Nuno,

    It won't work on any other SP level of Exchange, since it's making fundamental changes to the way the Outlook Web App logon page works.

    On a side note, I've confirmed that this password reset utility will be made available for Exchange 2010 in the next update.

    ReplyDelete
  5. Hi ,

    Users having a problem logging into webmail for the first time because of the option to change password at next logon. when I removed the requirement to change password at next logon then immediately gained access to his webmail account. The user does not login into a workstation on the network; he only accesses webmail with his username and password. We have several users that do not log into a computer with their own credentials and only log into webmail. How can we resolve the problem of forcing a password change at first logon while still allowing the user to log into webmail the first time.

    I have Exchange 2007 with SP2 and Win2008 server.

    Regards,

    Geejay

    ReplyDelete
  6. gopinath,

    Upgrade to Exchange 2007 SP3. This is the exact scenario that the new password reset tool addresses.

    ReplyDelete
  7. Hey...jeff

    thanks its get fixed ...thanks once again

    --Geejay

    ReplyDelete
  8. Jeff,

    Thanks for the great post. However, can this now work without publishing OWA through ISA 2006? We're not running ISA 2006, so after moving to 2k7, our users can't reset their passwords thru OWA any longer.

    ReplyDelete
  9. The password reset tool has no requirement for ISA 2006. As a matter of fact, I'm not entirely sure it will work with ISA, since ISA uses a DLL instead of the normal ASP pages that OWA provides.

    ReplyDelete
  10. My OWA login page is configured to ask for and accept the user's email address (UPN) instead of the domain\username or username alone formats. However the password reset tool requires domain\username format, which is confusing to most users. Is there any way to change this?

    ReplyDelete
  11. No, sorry. The reset tool requires domain/username format.

    ReplyDelete
  12. With SP3, it is possible to edit the password change (asp) page to simply redirect to a secondary web based password reset tool? I have a solid tool that supports my employees password resets and I would like to avoid any confusion the new "method" provides...

    ReplyDelete
  13. For ISA you can probably customize the fba login page using the following directions and then edit the strings.txt file and add the link to the password reset page in the "L_Copyright=" setting (or wherever you would like. here are some links that should help.

    http://www.isaserver.org/articles/2004custfba.html

    http://geekswithblogs.net/ksellenrode/archive/2008/12/31/128271.aspx

    ReplyDelete
  14. Hi Jeff,

    A HUGE piece of missing infomation here and through out the web is that this new password change functionality doesn't work with W2K3 IIS6. It only works on W2K8 and IIS7. This was a pain to figure out. PSS doesn't even know this...

    ReplyDelete
  15. Is that true? Is there no way to enable the password reset for Exch 07 users on an 03 server? That's just unbelievable. MS kb indicates that it will work with IIS 5 and 6 here http://support.microsoft.com/kb/297121/en-us Although, at the same time, it fails to indicate that this is only available in Exch 07 SP3. If this is truly the case, then I'd like to know what password reset tool Matt from above is using.

    ReplyDelete
  16. Ryan,

    Yes, you can reset your password in OWA 2003/2007SP2, as long as you're logged in. However, you cannot log into OWA with those versions until you've logged into the network and Exchange from an Outlook client the first time.

    Also, if you're password has been reset and requires you to change it before logging in, you cannot do that from OWA 2003/2007SP2.

    The purpose of the OWA 2007 SP3 password reset tool is to allow users to change their password BEFORE they login to OWA.

    ReplyDelete
  17. So, to make sure I understand you correctly, this new addition to Exchange 07 SP3 allows the password change/reset even on a Windows 2k3 server? I ask this because "atkscott" commented above that this will not work on Windows 2k3 (due to the fact that it is running IIS 6 instead of IIS 7).

    ReplyDelete
  18. I have only tested it myself on Windows Server 2008 R2. Sorry.

    ReplyDelete
  19. @Ryan

    This evening I tested this on a Server 2003 R2 box with Exchange 2007 SP3 and everything appears to be working on my end.

    ReplyDelete
  20. Awesome! Very good to know. I just updated to SP3, so I'll be getting that setup soon.

    ReplyDelete
  21. Has anyone comfirmed the tools availability in Exchange 2010?

    ReplyDelete
  22. Yes, I have confirmed it works in Exchange 2010 Service Pack 1 (SP1).

    ReplyDelete
  23. Hi Jeff,
    We have E2K7 c/ SP3 on W2K8 and the password reset tool runs as expected when using OWA.
    However, if any of our clients are using OWA light it does not work. Instead of redirecting them to the password reset page, it allows them to login and displays within OWA light that there password will expire today and they must change it.
    Is it possible for the password reset tool to work on OWA light?
    Thanks Matt

    ReplyDelete
  24. This tool no accept UPN suffix.

    ReplyDelete
  25. If the flag is set on a user’s object to “User must change password at next logon”, it appears it lets them login and just displays the “Your password will expire today. Would you like to change it now” dialog box. Is this correct, I would have thought it would take them into the password reset tool before allowing them into there email.

    ReplyDelete
  26. In Exchange 2010 SP1 UR3, the user is unable to login at all to OWA if I reset the password with "User must change password at next logon" checked. I assume this is because the password did not technically expire. I don't have an Exchange 2007 environment to test this on.

    ReplyDelete
  27. Hi Guys,
    We have AD server 2008 R2 and Exchange 2010 sp1 integrated. when the password is changed at OWA, does this change the AD password for the user as well?

    ReplyDelete
  28. The passwords are one and the same.

    Jeff

    ReplyDelete
  29. Please assist with adding this functionality to Exch2007SP3 on Win2k3R2...

    ReplyDelete

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.