What you need to know about the OWA Change Password feature of Exchange Server 2007


Update:  We have new features available for password functionality.  See the new post, So you want to change your expired passwords in OWA...

Recently, we've seen support calls about the OWA Change Password functionality and questions about how the feature behaves with Windows Server 2008.  The following is a quick synopsis of what you need to know to get it working the way you need it to.

Previous versions of Exchange Server relied on the Change Password functionality of IIS 5 and 6, which is implemented by the IISADMPWD virtual directory and a .DLL file on the server.  These configurations were discussed in the following KB articles:

FIX: You experience various problems when you use the Password Change pages in IIS 5.0
http://support.microsoft.com/?kbid=831047

FIX: You experience various problems when you use the Password Change pages in IIS 6.0
http://support.microsoft.com/?kbid=833734

Implementing the Change Password feature with Outlook Web Access
http://support.microsoft.com/?kbid=297121

This method is no longer required with Exchange Server 2007.  However, it can still be used with Windows Server 2003 and Exchange Server 2007 when users need to change a password that has already expired, or when they are required to change their password at first logon.  An Exchange Server 2007 Help topic discusses the uses and configuration of the Change Password functionality:

Configuring the Change Password Feature in Outlook Web Access
http://technet.microsoft.com/en-us/library/bb684904.aspx

Please note that the IISADMPWD functionality is not included with IIS 7.0 on Windows Server 2008.  Some workarounds have been posted on the web that show a method to implement the same behavior on IIS 7.0.  However, these workarounds are not supported or recommended by Microsoft, and we have observed that they do not always work as expected with Exchange Server 2007.  Specifically, changing passwords for users whose passwords have already expired is unreliable.
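Because the unsupported cases are exactly the accounts whose passwords have already expired or that carry the "User must change password at next logon" flag, it helps to know how many of your users are in those states before a Windows Server 2008 Client Access Server goes into production. The following PowerShell script is an added example, not code from the original post or from Microsoft: it lists those accounts using System.DirectoryServices only, so it does not need the ActiveDirectory module. It assumes it runs on a domain-joined machine as an account that can read user attributes, and it evaluates only the domain default password policy (fine-grained password policies on Windows Server 2008 are not considered); the variable names such as $affected are the example's own.

```powershell
# Added example (not from the original post or from Microsoft).
# Lists enabled AD user accounts whose password is already expired or is
# flagged "User must change password at next logon" (pwdLastSet = 0), i.e. the
# states an OWA-only user on a Windows Server 2008 CAS cannot clear on their own.
# Assumes a domain-joined machine with read access to user attributes; only the
# domain default password policy is evaluated (no fine-grained policies).

$UAC_ACCOUNT_DISABLED        = 0x2       # ADS_UF_ACCOUNTDISABLE
$UAC_PASSWORD_NEVER_EXPIRES  = 0x10000   # ADS_UF_DONT_EXPIRE_PASSWD
$LDAP_MATCHING_RULE_BIT_AND  = "1.2.840.113556.1.4.803"

# Domain default maximum password age. maxPwdAge is a negative LargeInteger in
# 100-nanosecond ticks; Int64.MinValue (or 0) means passwords never expire.
$domainDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDN"
$maxPwdAgeTicks = $domain.ConvertLargeIntegerToInt64($domain.maxPwdAge.Value)
if ($maxPwdAgeTicks -eq [Int64]::MinValue -or $maxPwdAgeTicks -eq 0) {
    $maxPwdAge = $null                                  # no domain-level expiry
} else {
    $maxPwdAge = [TimeSpan]::FromTicks([Math]::Abs($maxPwdAgeTicks))
}

# Search enabled user accounts only; the bitwise-AND matching rule excludes disabled ones.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.PageSize = 1000                               # page through large domains
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                   "(!(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=$UAC_ACCOUNT_DISABLED)))"
$null = $searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "pwdLastSet", "userAccountControl", "mail"))

$now = [DateTime]::UtcNow
$affected = foreach ($result in $searcher.FindAll()) {
    # ResultPropertyCollection keys are lower-case; LargeIntegers arrive as Int64.
    $p = $result.Properties
    $pwdLastSet = [Int64]$p["pwdlastset"][0]
    $uac        = [Int32]$p["useraccountcontrol"][0]

    $mustChange   = ($pwdLastSet -eq 0)
    $neverExpires = (($uac -band $UAC_PASSWORD_NEVER_EXPIRES) -ne 0)
    $expired      = $false
    if (-not $mustChange -and -not $neverExpires -and $maxPwdAge -ne $null) {
        $expired = ([DateTime]::FromFileTimeUtc($pwdLastSet) + $maxPwdAge) -lt $now
    }

    if ($mustChange -or $expired) {
        $mailValues = $p["mail"]
        $mail = if ($mailValues -and $mailValues.Count -gt 0) { [string]$mailValues[0] } else { "" }
        $state = if ($mustChange) { "MustChangeAtNextLogon" } else { "Expired" }
        $setOn = if ($mustChange) { $null } else { [DateTime]::FromFileTimeUtc($pwdLastSet) }
        New-Object PSObject -Property @{
            SamAccountName = [string]$p["samaccountname"][0]
            Mail           = $mail
            State          = $state
            PasswordSetUtc = $setOn
        }
    }
}

# These users need the ISA, VPN or IISADMPWD path (or help desk) before the OWA logon page will let them in.
$affected | Sort-Object State, SamAccountName |
    Format-Table SamAccountName, Mail, State, PasswordSetUtc -AutoSize
```

Run it periodically (for example shortly before the password-expiry warning window) and compare the "Expired" and "MustChangeAtNextLogon" rows against the users who only ever reach Exchange through OWA; those are the accounts that will be locked out of self-service until one of the supported paths above is in place.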

If you require the ability to change passwords after they have expired or when the user must change the password at first logon, and your Client Access Servers run Windows Server 2008 and Exchange Server 2007 SP1, you can use ISA Server 2006 to implement the feature.  See the following:

Configuring and Troubleshooting the Password Change Feature in ISA Server 2006
http://technet.microsoft.com/en-us/library/cc514301.aspx

Also, see the following:

https://blogs.technet.com/isablog/archive/2007/08/23/password-change-with-fba.aspx

- Will Duff

Comments (14)
  1. bday says:

    What should we do for internal non-AD OWA only clients if you use split DNS and the internal OWA URL points to the CAS farm IP and does not go through ISA?

  2. Pradeep John says:

    We don’t have ISA Server in our organization.

    Is there any other way to implement this feature in OWA without ISA Server, if CAS is running on Windows Server 2008?

  3. abdul says:

    Yeah, is there a way to do this without ISA 2006 in place?

  4. John says:

    Hah.  Why does it not surprise me that to fix this issue, Microsoft’s only supported solution is to throw a different Microsoft product at it altogether.  Most of my clients are internal (and use OWA rather than Outlook).  And I really don’t want to purchase ISA just to allow password changes.  Back to the drawing board please.

  5. Will Duff says:

    All,

    There are always other avenues – ISA is one choice, using a VPN/Windows interface is another.  For that matter, leaving a 2k3 server in place to serve IISADMPWD (though that is likely the least desirable) is also an option.

    I may have misunderstood one of the comments, but for internal AD clients this is all irrelevant – the user is already logging on to the domain with Windows.

    I’m always looking for additional information and will update the post according to my findings.

    However, the bottom line remains that there is simply no IISADMPWD feature in IIS 7 for Exchange to use.

    Will

  6. bday says:

    It should not be assumed internal clients are always using AD-joined machines.

    We have many internal users who are using Novell as their network operating system, but have mailboxes on Exchange and AD user accounts to support the mailboxes. Those AD accounts have to have their passwords changed every so often per policy requirements. Some of those folks use Outlook, some of them are OWA only, and the internal OWA URL does not go through an ISA array.

  7. Jeff25 says:

    To second bday’s post-

    Our company has been growing by m/a and currently has quite a few machines in non-trusted domains.

    We use ISA heavily to support this feature.  It’s also proven to be a fine and relatively cheap reverse proxy in our mid-size environment (2.5k users).  It also works great for proxying ActiveSync and RPC over HTTPS.

    We also use split-horizon DNS and point our internal record to the ISA server.  If we need to access OWA using integrated auth (like to embed in a SharePoint web part) we have a second internal-only record that points directly to OWA.

    In a way, our deployment breeds familiarity with the users – they see the same exact OWA logon page regardless of their location.

  8. Rick says:

    We use Exchange 2007 with Server 2003 and while the end users can change passwords, they do NOT get prompted to change passwords. When we create accounts we use a generic password and turn on, "must change password at first login". That doesn’t work for web only users or those users that don’t log into the domain. We have hundreds of users who only see a web interface and that is all. As far as I am concerned the product is broken.

  9. gazzoni says:

    All that money, all those talented people, and they cannot provide us a reasonable solution …

  10. Ray Avila says:

    I agree - this is a bit ridiculous.  Surely it’s not that hard to write an updated version of IISADMPWD for IIS7?  We need it for TS Web Access using Server 2008  :-(

  11. tony says:

    I agree with most of the comments on here. Microsoft’s assumption that all internal computers are going to be on AD is ridiculous. We use a Novell network and are implementing Exchange for the first time using Exchange 2007 and Server 2008. We are not switching all of our 2000+ computers over to a Microsoft network right away. Also our 2000+ field techs that will only get their email through OWA need the option to change their password.

    With this economy we are not in any position to just go out and buy ISA 2006 and a new server just so people can change their passwords!

  12. Mike Crowley says:

    Why is everyone so upset about this?  This whole problem only applies to users with ALREADY EXPIRED passwords.  Users who haven’t yet expired get a notice warning them when the time nears and they can change the password within the Options area of OWA 2007.

  13. bday says:

    Mike, you are forgetting this also applies to "User must change password at next logon" users. For environments whose users’ only access to Exchange is OWA from non-AD machines, this means you cannot successfully force a password change for first-time logons.

  14. kbone says:

    Very frustrating that something so simple cannot be a standard.   Having users change the default password is one of the most basic security issues out there and we can’t do it???

    Also we have several hundred users using Outlook Anywhere. I’m guessing there is no solution for them to change their passwords either?
