We are running an Exchange 2013 server. We found a problem around expired passwords.

Our users log in to OWA using their UPN (user@maildomain.com), and not the real username like lan.local\username.

When we set a user to "Change password at next logon", the following happens:

  • When the user logs in with UPN, no new password is asked for, it just logs on and the user can use his webmail.
  • When the user goes to options > change password, he can change his password just fine.
  • However, when the user logs in to OWA with his "real" username, a new password is immediately asked to be set, before he can continue to webmail.

I see this as a security flaw. How is it possible that someone with an expired password can log in to OWA when using its UPN? And why does this work fine when using a login like domain\username?

NLuser
  • Please check if the following might be the case [An old password still works after you change it in Outlook on the Web](https://support.microsoft.com/en-us/kb/267568) – BastianW Nov 23 '16 at 16:43
  • I posted the same as real answer, so we can close it then :-) – BastianW Nov 28 '16 at 22:23

1 Answer

Please check if the following might be the case: [An old password still works after you change it in Outlook on the Web](https://support.microsoft.com/en-us/kb/267568).

BastianW