1

I am deploying Outlook Web Access on Exchange 2003 with forms-based authentication without SSL (management requirement - they have accepted the risk, and this will not be changed).

I have got everything running fine apart from the change password functionality. I have followed all of the "standard" documentation out there on the web:

  • created the IISADMPWD virtual directory
  • set the DisablePassword=0 registry entry
  • set the AllowRetailHTTPAuth registry entry
  • set the PasswordChangeFlags=1 metabase entry

The only remaining problem is that the Change Password button on the Options page in OWA is trying to redirect to a URL starting with HTTPS, not HTTP, and the user gets a server timeout error (we're not even listening on the HTTPS port).

https://ourdomain.com/iisadmpwd/aexp2b.asp?http://ourdomain.com/exchange/whois/?Cmd=close

This needs to redirect to the same address, but without SSL:

http://ourdomain.com/iisadmpwd/aexp2b.asp?http://ourdomain.com/exchange/whois/?Cmd=close

Any takers? What have I missed?

Thanks Tom

EDIT: I have since discovered that while this appeared to work, having PasswordChangeFlags set to 1 causes the app pool for Outlook Web Access to crash with Connection_Abandoned_By_AppPool in the HTTPERR logs. Therefore I've had to abandon this and I wouldn't recommend anyone else tries the same.

tomfanning

4 Answers

3

You cannot use the Change Password functionality without implementing SSL.

KB297121

ThatGraemeGuy
  • That KB actually explains (partially) how to allow password-changing via a non-SSL connection (set PasswordChangeFlags to 1) – tomfanning Jun 18 '09 at 08:09
1

I have got this working with a little hackery.

(Self signed SSL cert is not an option due to the prompts we'd get, and SSL isn't an option - absolute management requirement, however unwise.)

The openChangePassword() JavaScript function in Outlook Web Access needed modification as it was hardcoded to use HTTPS. I found this function in a whole load of files in the exchweb folder. That sorted out the button.

I also re-registered iispwchg.dll, as per another KB.

Also aexp2b.asp needed editing as it was also hardcoded to post to an HTTPS URL.

I also missed a configuration step - the PasswordExpirePreNotifyDays metabase entry also needed setting. This was from here.

Thanks anyway.

tomfanning
0

Not going to happen. You need SSL to run the password changing applet as Microsoft obviously feel that broadcasting passwords through non-encrypted HTTP traffic is too much of a security risk. FWIW I agree with them.

If the people asking for this don't want to spend the money on an SSL certificate then perhaps they can generate one of their own and use that.

Rob Moir
  • Self-certifying is not an option here because of the trust prompts. I do hope to move to an SSL deployment when we move to Exchange 2007. – tomfanning Jun 18 '09 at 08:11
0

What did you do in your text below specifically, as I am in the same shoes and my management does not want to hear anything else?

The openChangePassword() JavaScript function in Outlook Web Access needed modification as it was hardcoded to use HTTPS. I found this function in a whole load of files in the exchweb folder. That sorted out the button.

  • 1
    While I do not advocate going down this route as per the follow-up edit to my original question (IIS application pool crashes), if you search all files in the exchweb folder for the string openChangePassword(), you'll have to edit all of those functions to change HTTPS to HTTP. Please carefully review my follow-up above before you attempt this. – tomfanning Nov 05 '09 at 11:08
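
For anyone auditing a server set up as described in this thread, the check below is an added example, not code from any of the posts: it parses W3C extended logs and lists password-change POSTs to /iisadmpwd/ that arrived on the cleartext port, plus the Connection_Abandoned_By_AppPool entries mentioned in the question's edit. The log lines are constructed, and the logged field sets, port 80 for HTTP and the SampleAppPool name are assumptions.

```python
# Added example; every log line below is constructed, not taken from the thread.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2009-06-18 08:01:12 GET /exchange/whois/ Cmd=options 80 - 192.0.2.10 200
2009-06-18 08:01:30 GET /iisadmpwd/aexp2b.asp http://ourdomain.com/exchange/whois/?Cmd=close 80 - 192.0.2.10 200
2009-06-18 08:01:55 POST /iisadmpwd/aexp2b.asp - 80 - 192.0.2.10 200
2009-06-18 08:07:41 POST /IISADMPWD/aexp2b.asp - 443 - 192.0.2.11 200
"""
HTTPERR_LOG = """\
#Software: Microsoft HTTP API 1.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2009-06-18 08:01:56 192.0.2.10 1352 192.0.2.1 80 HTTP/1.1 POST /iisadmpwd/aexp2b.asp - 1 Connection_Abandoned_By_AppPool SampleAppPool
"""
CLEARTEXT_PORTS = {"80"}  # assumption: the site's HTTP binding is port 80


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))


def cleartext_password_changes(records):
    """POSTs to the IISADMPWD virtual directory received on a cleartext port."""
    return [r for r in records
            if r.get("cs-uri-stem", "").lower().startswith("/iisadmpwd/")
            and r.get("cs-method") == "POST"
            and r.get("s-port") in CLEARTEXT_PORTS]


def apppool_abandons(records):
    """HTTPERR entries where the worker process dropped the connection."""
    return [r for r in records
            if r.get("s-reason") == "Connection_Abandoned_By_AppPool"]


if __name__ == "__main__":
    for r in cleartext_password_changes(parse_w3c(IIS_LOG)):
        print("cleartext password change:", r["date"], r["time"], r["c-ip"])
    for r in apppool_abandons(parse_w3c(HTTPERR_LOG)):
        print("app pool abandon:", r["date"], r["time"], r["cs-uri"])
```

Each flagged POST is a password that crossed the network unencrypted, so the accounts behind those client addresses are the ones to reset once the server moves to SSL.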