I am deploying Outlook Web Access on Exchange 2003 with forms-based authentication without SSL (management requirement - they have accepted the risk, and this will not be changed).
I have got everything running fine apart from the change password functionality. I have followed all of the "standard" documentation out there on the web:
- created the IISADMPWD virtual directory
- set the DisablePassword=0 registry entry
- set the AllowRetailHTTPAuth registry entry
- set the PasswordChangeFlags=1 metabase entry
The only remaining problem is that the Change Password button on the Options page in OWA is trying to redirect to a URL starting with HTTPS, not HTTP, and the user gets a server timeout error (we're not even listening on the HTTPS port).
https://ourdomain.com/iisadmpwd/aexp2b.asp?http://ourdomain.com/exchange/whois/?Cmd=close
This needs to redirect to the same address, but without SSL:
http://ourdomain.com/iisadmpwd/aexp2b.asp?http://ourdomain.com/exchange/whois/?Cmd=close
Any takers? What have I missed?
Thanks, Tom
EDIT: I have since discovered that while this appeared to work, having PasswordChangeFlags set to 1 causes the app pool for Outlook Web Access to crash with Connection_Abandoned_By_AppPool in the HTTPERR logs. Therefore I've had to abandon this and I wouldn't recommend anyone else tries the same.
You cannot use the Change Password functionality without implementing SSL.
KB297121
I have got this working with a little hackery.
(Self signed SSL cert is not an option due to the prompts we'd get, and SSL isn't an option - absolute management requirement, however unwise.)
The openChangePassword() JavaScript function in Outlook Web Access needed modification as it was hardcoded to use HTTPS. I found this function in a whole load of files in the exchweb folder. That sorted out the button.
I also re-registered iispwchg.dll, as per another KB.
Also, aexp2b.asp needed editing as it was also hard-coded to post to an HTTPS URL.
I also missed a configuration step - the PasswordExpirePreNotifyDays metabase entry also needed setting. This was from here.
Thanks anyway.
Not going to happen. You need SSL to run the password changing applet as Microsoft obviously feel that broadcasting passwords through non-encrypted HTTP traffic is too much of a security risk. FWIW I agree with them.
If the people asking for this don't want to spend the money on an SSL certificate then perhaps they can generate one of their own and use that.
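The plaintext password-change traffic this thread is about shows up in the IIS logs of the OWA server. The following is an added example, not part of the original thread: it parses W3C extended log lines and flags requests to /iisadmpwd/ that did not arrive on a TLS port. The log sample, the TLS port set and the function names are constructed assumptions.

```python
# Added example: flag hits on the IISADMPWD password-change pages that arrived
# without TLS. SAMPLE_LOG is constructed; field names are W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port sc-status
2009-06-01 09:14:02 192.0.2.10 GET /exchange/whois/ Cmd=options 80 200
2009-06-01 09:14:30 192.0.2.10 GET /iisadmpwd/aexp2b.asp http://ourdomain.com/exchange/whois/?Cmd=close 80 200
2009-06-01 09:14:55 192.0.2.10 POST /iisadmpwd/aexp2b.asp - 80 200
2009-06-01 09:20:11 192.0.2.44 POST /iisadmpwd/aexp2b.asp - 443 200
"""

PWCHANGE_PREFIX = "/iisadmpwd/"
TLS_PORTS = {"443"}  # assumption: HTTPS is only ever served on 443


def parse_w3c(text):
    """Yield one dict per request, honouring each #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def plaintext_password_changes(text):
    """Return requests to the password-change pages seen on a non-TLS port."""
    hits = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        if stem.startswith(PWCHANGE_PREFIX) and row.get("s-port") not in TLS_PORTS:
            hits.append(row)
    return hits


def posts_per_client(hits):
    """Count form submissions (POSTs) per client IP among the flagged requests."""
    counts = {}
    for row in hits:
        if row.get("cs-method") == "POST":
            ip = row.get("c-ip", "?")
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in posts_per_client(plaintext_password_changes(SAMPLE_LOG)).items():
        print(f"{ip}: {n} password-change POST(s) over plain HTTP")
```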
What did you do in your text below specifically, as I am in the same shoes and my management does not want to hear anything else?
The openChangePassword() JavaScript function in Outlook Web Access needed modification as it was hardcoded to use HTTPS. I found this function in a whole load of files in the exchweb folder. That sorted out the button.