Microsoft KB Archive/327134

= HOW TO: Use the Change Password Feature in Outlook Web Access =

PSS ID Number: 327134

Article Last Modified on 3/26/2004

-

The information in this article applies to:


 * Microsoft Exchange 2000 Server
 * Microsoft Exchange 2000 Enterprise Server
 * Microsoft Exchange Server 5.5 SP1
 * Microsoft Exchange Server 5.5 SP2
 * Microsoft Exchange Server 5.5 SP3
 * Microsoft Exchange Server 5.5 SP4

-



This article was previously published under Q327134





IN THIS TASK

 * SUMMARY
 * IISAdmPwd Virtual Directory and "PasswordChangeFlags"
 * Create the IISADMPWD Virtual Directory
 * Secure Sockets Layer (SSL)
 * Require SSL on a Virtual Directory
 * Usage Scenarios
 * Exchange 2000 in Front-End/Back-End Configuration
 * Exchange 2000 on a Cluster Server
 * Troubleshooting



SUMMARY
This step-by-step article describes how to configure and use the change password feature in Exchange 2000 Server Outlook Web Access (OWA). This article also describes some of the common scenarios in which to use this feature.

IISAdmPwd Virtual Directory and "PasswordChangeFlags"
The change password feature is provided by Microsoft Internet Information Services (IIS), and it is not specific to Exchange. The change password feature in IIS is implemented through the IISADMPWD virtual directory. In IIS 5.0, you must manually create and configure this virtual directory. By default in IIS 4.0, this virtual directory is created. Regardless of the version of IIS that you use, you must manually create this virtual directory if you want to run OWA under a Web site other than the default Web site.


Create the IISADMPWD Virtual Directory
To create the IISADMPWD virtual directory:
 * 1) Start the IIS Microsoft Management Console (MMC) snap-in, right-click the Web site in which you want to create the virtual directory, point to New, and then click Virtual Directory.
 * 2) In the Virtual Directory Creation Wizard, click Next, type IISADMPWD in the Alias box, and then click Next.
 * 3) In the Directory box, type :\winnt\system32\inetsrv\iisadmpwd where   is the drive on which Windows is installed, and then click Next.
 * 4) Click to select the following check boxes (if they are not already selected): Read, and Run scripts (such as ASP).
 * 5) Click Next, and then click Finish.
 * 6) Make sure that anonymous access authentication is enabled for the IISADMPWD virtual directory. Although you can also select other authentication types, anonymous access authentication must be enabled.

NOTE: If you do not enable anonymous access authentication, the client and server enter an endless loop when users who are prompted to change an expired password try to authenticate. For example, if a user with an expired password views the Web site and is prompted for a password, the first page that they tried to access redirects them to the password expiry page. The password expiry page challenges the user, but because the user is not authenticated on the first page (because of the expired password), the second page refuses the connection. When this occurs, the user is redirected back to the first page, where the process repeats.

 * 7) Set the PasswordChangeFlags value to 0 (zero). To set the PasswordChangeFlags value in the metabase:
 * a) At a command prompt, change to the Inetpub\Adminscripts folder.
 * b) Type adsutil.vbs, and then press ENTER.

NOTE: If this is the first time you have run Adsutil.vbs, you may receive a "This script does not work with WScript" message. Click OK, click Yes to register CScript as the default host for VBScript, and then click OK on the message that states that CScript was registered successfully. Run the Adsutil.vbs command again. Instead of registering CScript, you can prepend cscript to any adsutil.vbs command. For example, cscript adsutil.vbs set w3svc/1/PasswordChangeFlags [value].

 * c) Type the following command, and then press ENTER:

adsutil.vbs set /PasswordChangeFlags

where  is one of the following numeric values:

 Value    Description
 0        Password changing requires SSL.
 1        Password changing is permitted on non-secure ports.
 2        Password changing is disabled.
 3        Password changing is disabled. This is undocumented.
 4        Advance notification of password expiration is disabled.

and  is the default Web site.

The following sample command shows how to change the metabase PasswordChangeFlags setting to 0:

cd c:\inetpub\adminscripts
adsutil.vbs set w3svc/1/passwordchangeflags 0
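
The following audit sketch is an added example, not part of the original article or of any Microsoft tooling. It classifies PasswordChangeFlags values collected from several Web sites and flags any site that permits password changes on non-secure ports. It assumes the value is a bitmask (1, 2 and 4 combine, which is consistent with 3 also disabling password changes in the table above), and the one-line-per-site input layout is constructed for the example.

```python
import re

# Bit meanings taken from the value table above; reading the value as a
# bitmask is an assumption of this example.
ALLOW_NON_SSL = 1    # password changing permitted on non-secure ports
CHANGE_DISABLED = 2  # password changing disabled
NOTIFY_DISABLED = 4  # advance notification of password expiration disabled

# Constructed sample inventory: metabase path followed by the value that
# "adsutil.vbs get <path>/PasswordChangeFlags" reported (layout assumed).
SAMPLE = """\
w3svc/1 PasswordChangeFlags : (INTEGER) 0
w3svc/2 PasswordChangeFlags : (INTEGER) 1
w3svc/3 PasswordChangeFlags : (INTEGER) 3
w3svc/4 PasswordChangeFlags : (INTEGER) 6
w3svc/5 PasswordChangeFlags : (INTEGER) 5
"""

LINE = re.compile(
    r"^(w3svc/\d+)\s+PasswordChangeFlags\s*:\s*\(INTEGER\)\s*(\d+)\s*$", re.I)

def classify(flags):
    """Return (status, notes) for one PasswordChangeFlags value."""
    if flags & ~(ALLOW_NON_SSL | CHANGE_DISABLED | NOTIFY_DISABLED):
        return "UNKNOWN", ["value outside the documented range"]
    notes = []
    if flags & NOTIFY_DISABLED:
        notes.append("advance expiry notification disabled")
    if flags & CHANGE_DISABLED:
        return "DISABLED", notes
    if flags & ALLOW_NON_SSL:
        notes.append("old and new password may be sent in clear text")
        return "INSECURE", notes
    return "OK", notes  # value 0 or 4: password changing requires SSL

def audit(text):
    """Map each site path to its classification; unparseable lines are skipped."""
    report = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            report[m.group(1)] = classify(int(m.group(2)))
    return report

if __name__ == "__main__":
    for site, (status, notes) in audit(SAMPLE).items():
        print(f"{site}: {status}" + (f" ({'; '.join(notes)})" if notes else ""))
```
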



Secure Sockets Layer (SSL)
Use SSL to secure communications between clients and OWA. You must do so if you want to use the change password feature through OWA. The password-changing process makes it possible to send both the old and the new password in clear text.

To configure SSL, you must obtain a server certificate for the Web server. You can use Microsoft Certificate Services 2.0 (included with Microsoft Windows 2000) to sign a server certificate that can be used by IIS to enable SSL. For additional information about how to obtain and install an SSL certificate, view the following IIS help files:
 * Obtain an SSL Certificate: http://localhost/IISHelp/IIS/htm/Core/iiocrsc.htm
 * Configure SSL: http://localhost/IISHelp/IIS/htm/Core/iisslsc.htm

For additional information about how to use certificates with IIS, click the article numbers below to view the articles in the Microsoft Knowledge Base:

228821 Generating a Certificate Request File Using the Certificate Wizard in IIS 5.0

228836 Installing a New Certificate with Certificate Wizard for Use in SSL/TLS


Require SSL on a Virtual Directory
To require the use of SSL when a virtual directory is used:
 * 1) Start the IIS MMC snap-in, right-click the virtual directory for which you want to require SSL, and then click Properties.
 * 2) Click the Directory Security tab, and then click Edit under Secure communications. This button is unavailable (dimmed) if the Web server does not have a certificate assigned.
 * 3) Click to select the Require secure channel check box, click OK, and then click OK.


Usage Scenarios
In Internet Information Services (IIS) 4.0 and in IIS 5.0, the change password functionality is handled through the Ism.dll Internet server API (ISAPI) extension. This component is removed from IIS 5.1 and from IIS 6.0, and the change password functionality is modified to use ASP pages. You can download a software update that enables this functionality on computers that are running IIS 5.0 on Microsoft Windows 2000 Server Service Pack 3 (SP3) or later or on computers that are running Microsoft Windows NT 4.0 Server Service Pack 6a.

Note This software update has been tested and approved for use with Microsoft Exchange Server 5.5 Outlook Web Access and with Exchange 2000 Server Outlook Web Access. Because Outlook Web Access references these files by using an .htr extension, if you manually rename these files, Outlook Web Access cannot use the change password functionality. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

331834 IIS: Change password functionality replaced with Active Server Pages

Exchange 2000 in Front-End/Back-End Configuration
If you use a front-end server, you must configure the IISAdmPwd virtual directory and SSL on the front-end server, or on each front-end server if there is more than one. The only case where you configure this directly on a back-end server is if users can use mailboxes by using OWA on their back-end server directly, and also change their password.

In this case, use the Require secure channel check box in the security of the virtual server carefully. This is important because a front-end server cannot communicate with a back-end server over SSL. Specifically, do not require SSL on the Exchange, Public, ExchWeb, Exadmin, or on any Mailbox or Public Folder virtual roots on the back-end server. You can require a secure channel on the IISAdmPwd virtual directory.


Exchange 2000 on a Cluster Server
If you use a front-end server and a back-end cluster server, you must configure the IISAdmPwd virtual directory and SSL on the front-end server, or on each front-end server if there is more than one. The only case in which you configure this directly on a back-end cluster server is if users can directly change their password on the back-end cluster server. This also must be configured on the back-end cluster server if there is no front-end server.


Troubleshooting
When you type your account information in the Aexp.htr page or in the Aexp.asp page, you must type your credentials in the \  format. For additional information about how to troubleshoot Change Password-related issues in Outlook Web Access, click the following article numbers to view the articles in the Microsoft Knowledge Base:

321582 The Outlook Web Access Change Password Option Does Not Function

297121 How to Hide the Change Password Button on the Outlook Web Access Options Page

315579 'HTTP Error 403' Error Message When Password Changed with OWA or Iisadmpwd

267568 XWEB: Old Password Still Works After You Change It Through Outlook Web Access

309508 XCCC: IIS Lockdown and URLscan Configurations in an Exchange Environment


© 2004 Microsoft Corporation. All rights reserved.