Microsoft KB Archive/297121

= Implementing the Change Password feature with Outlook Web Access =

Article ID: 297121

Article Last Modified on 10/25/2007


APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange Server 5.5 Standard Edition




This article was previously published under Q297121







Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SUMMARY
This article discusses how to implement the Change Password feature in Microsoft Outlook Web Access (OWA) to allow OWA users to change their domain passwords. This article also describes some of the common troubleshooting scenarios where you might use this feature.

The Change Password feature is provided by Microsoft Internet Information Services (IIS). The Change Password feature is not specific to Microsoft Exchange Server. This feature in IIS is implemented through the IISADMPWD virtual directory. In Microsoft IIS 5.0 and in Microsoft IIS 6.0, you must manually create and configure this virtual directory. In Microsoft IIS 4.0, this virtual directory is created by default, but it must be manually configured.



MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

How to configure the IISADMPWD virtual directory
A Secure Sockets Layer (SSL) certificate is required to use the Change Password feature with Outlook Web Access. This is true for all versions of Exchange Server. When you use the Change Password feature with SSL, the communication is encrypted. OWA uses HTTPS requests to access the Change Password feature.

To configure SSL, you must obtain a server certificate for the Web server. You can use Microsoft Certificate Server or a third-party certificate server. You obtain a Web server certificate that IIS uses to enable SSL. For additional information about how to obtain and install an SSL certificate, view the following IIS Help topics:
 * Obtain an SSL Certificate
 * Configure SSL

For more information about how to use certificates with IIS and with Exchange Server, click the following article numbers to view the articles in the Microsoft Knowledge Base:

228821 Generating a certificate request file using the Certificate Wizard in IIS 5.0

228836 Installing a new certificate with Certificate Wizard for use in SSL/TLS

234022 Configuring Exchange OWA to use SSL

320291 Turning on SSL for Exchange 2000 Server Outlook Web Access

823024 How to use certificates with virtual servers in Exchange Server 2003

Note If you are using Exchange front-end servers in your environment, SSL should only be enabled on these servers. In a single-server environment, SSL needs to be enabled on the Exchange server itself.

The following values are options for the PasswordChangeFlags setting:
 * 0: Requires password change by SSL
 * 1: Allows password change by non-secure ports
 * 2: Disables password changes

If you are using an off-loaded SSL configuration (an SSL accelerator), you can change this value to "1." To do so, follow these steps:
 * 1) On the IIS/OWA server, click Start, click Run, type cmd, and then click OK.
 * 2) At the command prompt, type the following command, and then press the Enter key:

cd \:inetpub\AdminScripts

For example: cd c:\inetpub\AdminScripts
 * 3) The command prompt returns. Now, type the following command:

adsutil.vbs set w3svc/passwordchangeflags 1

The value "1," per the list that was provided earlier in this article, allows the Change Password functionality by using non-secure ports. With this value, IIS itself no longer requires SSL for password changes, so encryption of the request depends on the SSL accelerator in front of the server.

Before configuring the Change Password feature, make sure that the following fixes have been applied to all Exchange servers:
 * For Windows 2000 (all versions of Exchange): 831047 FIX: You experience various problems when you use the Password Change pages in IIS 5.0
 * For Windows 2003 (all versions of Exchange): 833734 FIX: You experience various problems when you use the Password Change pages in IIS 6.0

Note The files from this hotfix are included in Microsoft Windows Server 2003 Service Pack 1 (SP1).

To configure the IISADMPWD virtual directory, do the following:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
 * 2) Right-click the default Web site, point to New, and then click Virtual Directory.
 * 3) In the Virtual Directory Creation wizard, type IISADMPWD in the Alias box, and then click Next.
 * 4) In the Directory box, type :\winnt\system32\inetsrv\iisadmpwd or the location where your hard disk is your default hard disk, and then click Next.
 * 5) Verify that only the Read and Run scripts (such as ASP) check boxes are selected, click Next, and then click Finish.
 * 6) Verify that the IISADMPWD virtual directory has only basic authentication set and, if you use Windows 2003/IIS 6.0, verify that the application pool is set to ExchangeApplicationPool.

In Internet Information Server (IIS) 4.0 and in Internet Information Services (IIS) 5.0, the Change Password functionality is handled through an ISAPI extension, Ism.dll. This component has been removed from Internet Information Services versions 5.1 and 6.0, and the Change Password functionality has been modified to use Active Server Pages (ASP). A package that can be downloaded has been created to deliver this ASP functionality for servers that are running IIS 5.0 on Microsoft Windows 2000 Server Service Pack 3 (SP3) or for servers that are running IIS 4.0 on Microsoft Windows NT 4.0 Server Service Pack 6a (SP6a).

Note This package has been tested and it has been approved for use with Microsoft Exchange Server 5.5 and with Exchange 2000 Server Outlook Web Access. Because OWA references these files with an .htr extension, if you manually rename the files, OWA cannot use the change password functionality. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

331834 Change password functionality replaced with Active Server Pages

Enable and hide the Change Password button in Outlook Web Access
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Note This registry value must be enabled on both front-end and back-end servers.

For Exchange 2000 Server and for Exchange Server 2003, you can use the registry to show or hide the Change Password button. To do this, follow these steps:
 * 1) Start Registry Editor, and then locate the following registry key:
 * 2) If an OWA key is not present under MSExchangeWeb, click the Edit menu, click New, and then click Key to add a new key named OWA.
 * 3) Locate the DisablePassword value and change the data to "0." If this value is not present, click the Edit menu, click New, and then click DWORD Value to add the following value to the OWA registry subkey if you want the Change Password button to appear:

Value name: DisablePassword

Value type: REG_DWORD

Data: 0

If you want to hide the Change Password button, change the DisablePassword value data to "1."
 * 4) Stop and then restart the Exchange Information Store Service and the IIS Admin Service. This stops and restarts the World Wide Web Publishing Services (W3SVC). In an Exchange 2000 Server environment, restarting the IIS Admin Service restarts the Microsoft Exchange System Attendant and the Microsoft Exchange Information Store.
 * 5) Make sure that all the dependent services that you require are restarted, such as IMAP4, POP3, Microsoft Exchange Routing Engine, W3SVC, and MTA Stacks.

To remove the Change Password button in Outlook Web Access for Exchange Server 5.5, follow these steps:
 * 1) Locate the Constant.INC file. This file is typically found in the Exchsrvr\Webdata\USA (or language required) directory on the Outlook Web Access server.
 * 2) Under the Administrative Settings section, locate the following line:

fEnablePasswordMenu=True

 * 3) Replace this line with the following text:

fEnablePasswordMenu=False

 * 4) On the File menu, click Save, and then close the file.
 * 5) To verify, start the Internet browser on the Outlook Web Access server. The Change Password button no longer appears.

Exchange 2000 in front-end and back-end configurations
If you use a front-end server, you must configure the IISADMPWD virtual directory and SSL on the front-end server. If there are multiple front-end servers in your environment, SSL and the IISADMPWD virtual directory must be configured on each server.

Note The only case where configuring this feature is recommended on a back-end server is in a single Exchange Server environment. In this environment, Internet users access Outlook Web Access on the back-end server directly.

However, if a front-end server is used and you want to enable this feature on the back-end Exchange Server computers, be cautious in how you implement SSL requirements on the back end. Specifically, make sure that you do not require SSL on the Exchange, Public, ExchWeb, Exadmin virtual directories, or on any Mailbox or Public Folder virtual roots on the back-end server. If this is set, the front-end server cannot communicate with a back-end server.

Microsoft requires SSL on the IISADMPWD virtual directory.

While the Change Password feature is independent of Outlook Web Access, it must be implemented on the server that the client interacts with directly. This server is typically the front-end server. However, the Change Password URL that OWA exposes on the Options page is generated on the back-end server. Therefore, the file extension (.htr or .asp) is dictated by the version of IIS on the back-end server rather than by the file set that exists on the front-end server. When the two do not match, a “Page not found” or 404 error may occur when a user attempts to change their password through OWA. This issue is described further later in this article.

The following table lists the file to be referenced. The table is based on the version of Windows on the back-end server:


 * When the back-end server is Windows 2000 (IIS 5.0) and the front-end server is Windows 2003 (IIS 6.0), users who attempt to change their password through Outlook Web Access (OWA) will get a 404 or a “Page not found” error message in their browser. This error message appears because the URL that is generated by the back-end server points to the Aexp2b.htr file. However, this file does not exist by default on a Windows 2003 front-end server. Therefore, you must copy the appropriate set of files to the front-end server and configure the front-end server to handle these files correctly.

To do this, follow these steps:
 * 1) At the command prompt on the front-end server, change to the %windir%\system32\inetsrv\IISADMPWD directory. Type the following:

copy Aexp2b.asp Aexp2b.htr

 * 2) Add a Script Mapping for the .htr extension on the front-end server.
 ** In the ISM, browse to the IISADMPWD virtual directory that you created, and then right-click it to select Properties.
 ** On the Virtual Directory tab, click Configuration.
 ** On the Mappings tab, click Add.
 ** Add a Script Mapping with the following criteria:

Executable: %windir%\system32\inetsrv\asp.dll

Extension: .htr

Limit to: GET,POST

Leave “Script engine” and “Verify that file exists” checked.

 * When the back-end server is Windows 2003 and the front-end server is Windows 2000, the issue is similar to the one that is mentioned earlier in this section. In this case, the Windows 2003 back-end server pushes a URL that ends in Aexp2b.asp, a file that does not exist on the Windows 2000 front-end server. The solution is to copy the appropriate set of files to the front-end server as follows:
 * 1) From a command prompt on the front-end server, change to the %windir%\system32\inetsrv\iisadmpwd directory.
 * 2) Type the following command:

copy Aexp2b.htr Aexp2b.asp

Note For this solution to work, Windows 2000 SP4 must be applied to this server prior to performing the copy command that is described earlier in this section.

Note The steps are the same for clustered Exchange servers. When front-end servers are in use with an Exchange cluster, no configuration is necessary on the cluster itself.
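
The front-end/back-end file rules in this section and the PasswordChangeFlags values listed earlier can be checked against a server inventory before users run into a 404. The following Python code is an added example, not Microsoft's code; the function name, the inventory dictionary and its key names are assumptions made for illustration, and the sample inventories are constructed.

```python
# Added example: offline pre-flight check of the rules described in this article.
# The inventory format and every name below are assumptions for illustration.

# Page that the back-end server puts in the Change Password URL, by its IIS version.
URL_PAGE = {"5.0": "aexp2b.htr", "6.0": "aexp2b.asp"}


def audit_front_end(fe, backend_iis, ssl_offloaded=False):
    """Return a list of findings for one front-end server inventory (a dict)."""
    findings = []
    flags = fe["password_change_flags"]
    if flags == 2:
        findings.append("PasswordChangeFlags=2: password changes are disabled in IIS")
    elif flags == 1 and not ssl_offloaded:
        findings.append("PasswordChangeFlags=1 without SSL off-loading: "
                        "password changes allowed on non-secure ports; set to 0")
    elif flags not in (0, 1):
        findings.append(f"PasswordChangeFlags={flags}: not a documented value")

    files = {name.lower() for name in fe["iisadmpwd_files"]}
    page = URL_PAGE[backend_iis]
    if page not in files:
        other = "aexp2b.asp" if page.endswith(".htr") else "aexp2b.htr"
        hint = f"copy {other} {page}" if other in files else "copy the file set from the other OS"
        findings.append(f"{page} missing on front end: OWA link returns 404 ({hint})")

    # Ism.dll is gone from IIS 6.0, so .htr needs a script mapping to asp.dll there.
    maps = {ext.lower(): exe.lower() for ext, exe in fe["script_maps"].items()}
    if page.endswith(".htr") and fe["iis"] == "6.0" \
            and not maps.get(".htr", "").endswith("asp.dll"):
        findings.append(".htr is not mapped to asp.dll on the IIS 6.0 front end")

    if fe["auth_methods"] != {"basic"}:
        findings.append("IISADMPWD should have only basic authentication enabled")
    return findings


# Constructed inventories (not taken from a real server).
FE_2003 = {
    "iis": "6.0",
    "password_change_flags": 1,
    "iisadmpwd_files": ["Aexp2b.asp"],
    "script_maps": {".asp": r"C:\WINDOWS\system32\inetsrv\asp.dll"},
    "auth_methods": {"basic", "integrated"},
}
FE_FIXED = dict(FE_2003, password_change_flags=0,
                iisadmpwd_files=["Aexp2b.asp", "Aexp2b.htr"],
                script_maps={".htr": r"C:\WINDOWS\system32\inetsrv\asp.dll"},
                auth_methods={"basic"})

if __name__ == "__main__":
    for name, fe in (("before", FE_2003), ("after", FE_FIXED)):
        print(name, audit_front_end(fe, backend_iis="5.0"))
```

Run against a Windows 2000 (IIS 5.0) back end, the first inventory produces four findings and the corrected one produces none.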

Troubleshooting
This section contains some common troubleshooting scenarios for issues that can occur by using the Change Password feature of Outlook Web Access.
 * We recommend that you view the following articles:

831047 You experience various problems when you use the Password Change pages in IIS 5.0

833734 You experience various problems when you use the Password Change pages in IIS 6.0

 * When you create the IISADMPWD virtual directory, make sure that the following permissions are enabled:
 ** Read
 ** Run Scripts (such as ASP)
 * When you type your account information in the password change page, you must type your credentials in the domain\username format.
 * In mixed Windows 2000 Server and Windows Server 2003 environments, you may receive an “HTTP 404 – File Not Found” error message when you try to change your password. The behavior occurs because Windows 2000 and IIS 5.0 use .htr files for the Change Password functionality. Make sure that you have updated your Windows system running Outlook Web Access to use ASP pages in the manner that is described in the following Microsoft Knowledge Base article:

331834 Change password functionality replaced with Active Server Pages

To work around this issue, do the following:
 * 1) Copy the appropriate files from the operating system that your front-end server is not running to the IISADMPWD folder on your front-end server. The IISADMPWD folder is located in the following folder: %SystemRoot%\System32\Inetsrv\IISADMPWD. To copy the files from the other operating system, use one of the following methods, depending on your situation:
 ** At a command prompt, locate the IISADMPWD folder (%SystemRoot%\System32\Inetsrv\IISADMPWD), type copy *.asp *.htr, and then press ENTER. This command makes copies of all the .asp files that are in the current folder and it renames the copies with an .htr extension.
 ** Copy the .htr files from the IISADMPWD folder on the computer that is running Windows 2000 Server to the IISADMPWD folder on the computer that is running Windows Server 2003.
 * 2) Start Internet Services Manager on the computer that is running Windows Server 2003.
 * 3) Expand Default Web Site, right-click IISADMPWD, and then click Properties.
 * 4) Click Configuration, and then click Add. Note If the Configuration button is unavailable or it appears dimmed, click Create, and then click Configuration.
 * 5) Click Browse, and then click Asp.dll in the Windows\System32\Inetsrv folder.
 * 6) In the extension box, type htr.
 * 7) In Administrative Tools, double-click Services, and then restart the IISAdmin service.
 * You experience “Cannot find server” or “The page you are looking for is currently unavailable.” This behavior may occur when IIS is not configured to allow the Change Password feature, or when the feature is disabled in the registry.
 * If the IISADMPWD virtual directory that you create is in a Web site other than the Default Web Site, you may experience “HTTP 404 – File Not Found” errors in Exchange Server environments. To resolve this issue, make sure that the correct hard disk location of the IISADMPWD files appears in the Directory box in the properties of the IISADMPWD virtual directory. For more information, see the "How to configure the IISADMPWD virtual directory" section.
 * Make sure that the IISADMPWD virtual directory runs in the same application pool as the Web site that uses the Password Change functionality. For example, if the Password Change functionality is used in your Outlook Web Access Web site, the IISADMPWD virtual directory must run inside the Exchange application pool where the Outlook Web Access site resides.
 * You receive the warning, "Your current password is about to expire in 0 days. To change your password, go to the Options page after you login" in Outlook Web Access. This can occur when the pwdLastSet property on the enabled Windows user account does not match the pwdLastSet property on the corresponding disabled Windows user account in the Exchange resource forest. This can occur when users are migrated from one resource forest to another resource forest. The user can either disregard the warning message in Outlook Web Access, if they have recently reset their Windows user account password, or reset their password by way of Outlook Web Access so they no longer receive the error message.

For more information about how to troubleshoot issues with the Change Password feature of Outlook Web Access, click the following article numbers to view the articles in the Microsoft Knowledge Base:

296617 Error when password changed after password change utility installed

269082 IISADMPWD virtual directory is not created during clean install of IIS 5.0

315579 "HTTP Error 403" error message when password changed with OWA or Iisadmpwd

267568 Old password still works after you change it through Outlook Web Access

309508 IIS lockdown and URLscan configurations in an Exchange environment

240654 How to configure the IISADMPWD pages for different ports

Additional query words: OWA

Keywords: kbhowto KB297121


© Microsoft Corporation. All rights reserved.