Implementing the Change Password feature with Outlook Web Access

This article discusses how to implement the Change Password feature in Microsoft Outlook Web Access (OWA) to allow OWA users to change their domain passwords. This article also describes some of the common troubleshooting scenarios where you might use this feature.

The Change Password feature is provided by Microsoft Internet Information Services (IIS). The Change Password feature is not specific to Microsoft Exchange Server. This feature in IIS is implemented through the IISADMPWD virtual directory. In Microsoft IIS 5.0 and in Microsoft IIS 6.0, you must manually create and configure this virtual directory. In Microsoft IIS 4.0, this virtual directory is created by default, but it must be manually configured.

For more information about Change Password functionality and Windows Server 2008, please visit the following Microsoft Exchange Team blog:
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

How to configure the IISADMPWD virtual directory

A Secure Sockets Layer (SSL) certificate is required to use the Change Password feature with Outlook Web Access. This is true for all versions of Exchange Server. When you use the Change Password feature with SSL, the communication is encrypted. OWA uses HTTPS requests to access the Change Password feature.

To configure SSL, you must obtain a server certificate for the Web server. You can use Microsoft Certificate Server or a third-party certificate server. You obtain a Web server certificate that IIS uses to enable SSL. For additional information about how to obtain and install an SSL certificate, view the following IIS Help topics:

• Obtain an SSL Certificate
• Configure SSL

For more information about how to use certificates with IIS and with Exchange Server, click the following article numbers to view the articles in the Microsoft Knowledge Base: Note If you are using Exchange front-end servers in your environment, SSL should only be enabled on these servers. In a single-server environment, SSL needs to be enabled on the Exchange server itself.

The following values are options for the PasswordChangeFlags setting:

• 0: Requires password change by SSL
• 1: Allows password change by non-secure ports
• 2: Disables password changes

If you are using an off-loaded SSL configuration, an SSL accelerator, you can change this value to "1." To do so, follow these steps:

1. On the IIS/OWA server, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press the Enter key.

   cd <drive letter>\:inetpub\AdminScripts

   
   For example: cd c:\inetpub\AdminScripts
3. The command prompt returns. Now, type the following command:
   

   adsutil.vbs set w3svc/passwordchangeflags 1

   
   The value "1," per the list that was provided earlier in this article, allows the Change Password functionality by using non-secure ports.

Before configuring the Change Password feature, make sure that the following fixes have been applied to all Exchange servers:

• For Windows 2000 (All versions of Exchange)
  
  831047 FIX: You experience various problems when you use the Password Change pages in IIS 5.0
• For Windows 2003 (All versions of Exchange)
  
  833734 FIX: You experience various problems when you use the Password Change pages in IIS 6.0
  
  
  Note The files from this hotfix are included in Microsoft Windows Server 2003 Service Pack 1 (SP1).

To configure the IISADMPWD virtual directory, do the following:

1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
2. Right-click the default Web site, point to New, and then click Virtual Directory.
3. In the Virtual Directory Creation wizard, type IISADMPWD in the Alias box, and then click Next.
4. In the Directory box, type <hard disk>:\winnt\system32\inetsrv\iisadmpwd or the location where your hard disk is your default hard disk, and then click Next.
5. Verify that only the Read and Run script check boxes are selected, such as the ASP check box, click Next, and then click Finish.
6. Verify that the IISADMPWD virtual directory has only basic authentication set and, if you use Windows 2003/IIS 6.0, verify that the application pool is set to ExchangeApplicationPool.

In Internet Information Server (IIS) 4.0 and in Internet Information Services (IIS) 5.0, the Change Password functionality is handled through an ISAPI extension, Ism.dll. This component has been removed from Internet Information Services versions 5.1 and 6.0, and the Change Password functionality has been modified to use Active Server Pages (ASP). A package that can be downloaded has been created to deliver this ASP functionality for servers that are running IIS 5.0 on Microsoft Windows 2000 Server Service Pack 3 (SP3) or for servers that are running IIS 4.0 on Microsoft Windows NT 4.0 Server Service Pack 6a (SP6a).

Note This package has been tested and it has been approved for use with Microsoft Exchange Server 5.5 and with Exchange 2000 Server Outlook Web Access. Because OWA references these files with an .htr extension, if you manually rename the files, OWA cannot use the change password functionality. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Enable and hide the Change Password button in Outlook Web Access

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

Note This registry value must be enabled on both front-end and back-end servers.

For Exchange 2000 Server and for Exchange Server 2003, you can use the registry to show or hide the Change Password button. To do this, follow these steps.

1. Start Registry Editor, and then locate the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb
2. If an OWA key is not present under MSExchangeWeb, click the Edit menu, click New, and then click Key to add a new key named OWA.
3. Locate the DisablePassword value and change the data to "0." If this value is not present, click the Edit menu, click New, click DWORD_Value to add the following value to the OWA registry subkey if you want the Change Password button to appear:

   Value name:  DisablePassword
   Value type:  REG_DWORD
   Data: 0
   

   If you want to hide the Change Password button, change the DisablePassword value data to "1."
4. Stop and then restart the Exchange Information Store Service and the IIS Admin Service. This stops and restarts the World Wide Web Publishing Services (W3SVC). In an Exchange 2000 Server environment, restarting the IIS Admin Service restarts the Microsoft Exchange System Attendant and the Microsoft Exchange Information Store.
5. Make sure that you all the dependent services that you require are restarted, such as IMAP4, POP3, Microsoft Exchange Routing Engine, W3SVC, MTA Stacks.

To remove the Change Password button in Outlook Web Access for Exchange Server 5.5, follow these steps :

1. Locate the Constant.INC file. This file is typically found in the Exchsrvr\Webdata\USA (or language required) directory on the Outlook Web Access server.
2. Under the Administrative Settings section, and then locate the following line:

   fEnablePasswordMenu=True

3. Replace this line with the following text:

   fEnablePasswordMenu=False

4. On the File menu, click Save, and then close the file.
5. To verify, start the Internet browser on the Outlook Web Access server. The Change Password button no longer appears.

Usage scenarios

Exchange 2000 in front-end and back-end configurations

If you use a front-end server, you must configure the IISADMPWD virtual directory and SSL on the front-end server. If there are multiple front-end servers in your environment, SSL and the IISADMPWD virtual directory must be configured on each server.

Note The only case where configuring this feature is recommended on a back-end server is in a single Exchange Server environment. In this environment, Internet users access Outlook Web Access on the back-end server directly.

However, if a front-end server is used and you want to enable this feature on the back-end Exchange Server computers, be cautious in how you implement SSL requirements on the back end. Specifically, make sure that you do not require SSL on the Exchange, Public, ExchWeb, Exadmin virtual directories, or on any Mailbox or Public Folder virtual roots on the back-end server. If this is set, the front-end server cannot communicate with a back-end server.

Microsoft requires SSL on the IISADMPWD virtual directory.

While the Change Password feature is independent of Outlook Web Access, it must be implemented on the server that the client interacts with directly. This server is typically the front-end server. However, the Change Password URL that OWA exposes on the Options page is generated on the back-end server. Therefore, the file extension that is .htr or .asp is dictated by the version of IIS on the back-end server rather than the file set that exists on the front-end server. A �Page not found� or 404 error may occur when a user attempts to change their password through OWA. This issue is described further later in this article.

The following table lists the file to be referenced. The table is based on the version of Windows on the back-end server: * When the back-end server is Windows 2000 (IIS 5.0) and the front-end server is Windows 2003 (IIS 6.0), users who attempt to change their password through Outlook Web Access (OWA) will get a 404 or a �Page not found� error message in their browser. This error message appears because the URL that is generated by the back-end server points to the Aexp2b.htr file. However, this file does not exist by default on a Windows 2003 front-end server. Therefore, you must copy the appropriate set of files to the front-end server and configure the front-end server to handle these files correctly.

To do this, follow these steps:

1. At the command prompt on the front-end server, change to the %windir%\system32\inetsrv\IISADMPWD directory. Type the following:

   copy Aexp2b.asp Aexp2b.htr

2. Add a Script Mapping for the .htr extension on the front-end server.
   • In the ISM browse to the IISADMPWD virtual directory that you created, right-click to select the properties.
   • On the Virtual Directory tab, click Configuration.
   • On the Mappings tab, click Add.
   • Add a Script Mapping with the following criteria:
     Executable: %windir%\system32\inetsrv\asp.dll
     Extension: .htr
     Limit to: GET,POST
     Leave �Script engine� and �Verify that file exits� checked.

This is similar to the issue that is mentioned earlier in this section. However, in this particular case, the Windows 2003 back-end server pushes a URL that ends in Aexp2b.asp that does not exist on the Windows 2000 front-end server. The solution is to copy the appropriate set of files to the front-end server as follows:

1. From a command prompt on the front-end server, change to the %windir%\system32\inetsrv\iisadmpwd directory
2. Type the following command:

   copy Aexp2b.htr Aexp2b.asp

   
   
   Note For this solution to work Windows 2000 SP4 must be applied to this server prior to performing the copy command that is described earlier in this section.

Note The steps are the same for clustered Exchange servers. When front-end servers are in use with an Exchange cluster, no configuration is necessary on the cluster itself.

Troubleshooting

This section contains some common troubleshooting scenarios for issues that can occur by using the Change Password feature of Outlook Web Access.

• We recommend that you view the following articles:
  831047 You experience various problems when you use the Password Change pages in IIS 5.0
  833734 You experience various problems when you use the Password Change pages in IIS 6.0
• When you create the IISADMPWD virtual directory, make sure that the following permissions are enabled:
  Read
  Run Scripts (such as ASP)
• When you type your account information in the password change page, you must type your credentials in the domain \ username format.
• In mixed Windows 2000 Server and Windows Server 2003 environments, you may receive an �HTTP 404 � File Not Found� error message when you try to change your password. The behavior occurs because Windows 2000 and IIS 5.0 use .htr files for the Change Password functionality. Make sure that you have updated your Windows system running Outlook Web Access to use ASP pages in the manner that is described in the following Microsoft Knowledge Base article
  331834 Change password functionality replaced with Active Server Pages
  To work around this issue, do the following:
  1. Copy the appropriate files from the operating system that your front-end server is not running to the IISADMPWD folder on your front-end server. The IISADMPWD folder is located in the following folder: %SystemRoot%\System32\Inetsrv\IISADMPWD To copy the files from the other operating system, use one of the following methods, depending on your situation:
     • At a command prompt, locate the IISADMPWD folder (%SystemRoot%\System32\Inetsrv\IISADMPWD), type copy *.asp *.htr, and then press ENTER. This command makes copies of all the .asp files that are in the current folder and it renames the copies with an .htr extension.
     • Copy the .htr files from the IISADMPWD folder on the computer that is running Windows 2000 Server to the IISADMPWD folder on the computer that is running Windows Server 2003.
  2. Start Internet Services Manager on the computer that is running Windows Server 2003.
  3. Expand Default Web Site, right-click IISADMPWD, and then click Properties.
  4. Click Configuration, and then click Add.
     
     Note If the Configuration button is unavailable or it appears dimmed, click Create, and then click Configuration.
  5. Click Browse, and then click Asp.dll in the Windows\System32\Intesrv folder.
  6. In the extension box, type htr.
  7. In Administrative Tools, double-click Services, and then restart the IISAdmin service.
• You experience �Cannot find server� or �The page you are looking for is currently unavailable.� This behavior may occur when IIS is not configured to allow the Change Password feature, or when the feature is disabled in the registry.
• If the IISADMPWD virtual directory that you create is in a Web site other than the Default Web Site, you may experience �HTTP 404 � File Not Found� errors in Exchange Server environments. To resolve this issue, make sure that the correct hard disk location of the IISADMPWD files appears in the Directory box in the properties of the IISADMPWD virtual directory. For more information, see the "How to configure the IISADMPWD virtual directory" section.
• Make sure that the IISADMPWD virtual directory runs in the same application pool as the Web site that uses the Password Change functionality. For example, if the Password Change functionality is used in your Outlook Web Access Web site, the IISADMPWD virtual directory must run inside the Exchange application pool where the Outlook Web Access site resides.
• You receive the warning, "Your current password is about to expire in 0 days. To change your password, go to the Options page after you login" in Outlook Web Access. This can occur when the pwdLastSet property on the enabled Windows user account does not match the pwdLastSet property on the corresponding disabled Windows user account in the Exchange resource forest. This can occur when users are migrated from one resource forest to another resource forest. The user can either disregard the warning message in Outlook Web Access, if they have recently reset their Windows user account password, or reset their password by way of Outlook Web Access so they no longer receive the error message.

For more information about how to troubleshoot issues with the Change Password feature of Outlook Web Access, click the following article numbers to view the articles in the Microsoft Knowledge Base: