If you have been an Exchange Server administrator for a number of years, you know there have been a few pain points around OWA logon and expiring passwords. I have managed systems that sent users regular reminder messages before their passwords expired, yet quite often the user would still forget to change it.

There are two common password scenarios that occur:

1. A user's password has expired. When they attempt to log on to OWA the logon fails and they receive only a generic error message, with no indication that the password is the problem and no way to change it from the browser.

2. A new user account is created and the administrator wants to force the user to change their password at next logon. With that flag set the user cannot log on to OWA at all.

Exchange 2007 SP3 and Exchange 2010 SP1 remedy both issues with a new IIS module that detects that a user's password has expired or that the account is flagged "User must change password at next logon", and presents a change-password form instead of the generic error. Two points worth knowing before you turn it on: the feature is disabled by default and is enabled per Client Access server with a registry value, so it has to be set on every CAS that serves OWA; and it only applies to OWA virtual directories that use forms-based authentication, because with Basic or Integrated Windows authentication the browser's credential prompt, not the OWA form, handles the logon. The user still has to supply their current (expired) password on the form, so this does not let anyone change a password they do not already know.

So what do you need to do? The steps below follow Microsoft's documentation:

http://technet.microsoft.com/en-us/library/ff607232(EXCHG.80).aspx

1. Log on to the Exchange server that is running the Client Access Server role, using an account that has local administrator rights.

2. Start Registry Editor and locate the following subkey:

   HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA

3. Create the following DWORD value if it does not already exist:

   Value name: ChangeExpiredPasswordEnabled
   Value type: REG_DWORD
   Value data: 1

4. Exit Registry Editor.

5. From a command window run IISReset. The new value is only picked up when IIS restarts, and the restart drops every active OWA, EWS and ActiveSync connection on that server, so do this in a maintenance window.
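The same steps in PowerShell, as an added example that is not part of the original post or of Microsoft's documentation. It sets the documented value, verifies it was written, and restarts IIS; run it from an elevated prompt on each Client Access server that serves OWA.

```powershell
# Added example: enable the OWA expired-password change form on this CAS.
# Run elevated on every Client Access server that serves OWA.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$name = 'ChangeExpiredPasswordEnabled'

# The key is created by Exchange setup; if it is missing this is not a CAS.
if (-not (Test-Path -Path $key)) {
    throw "Registry key '$key' not found - is the Client Access role installed here?"
}

# Create the REG_DWORD if absent, otherwise make sure it is 1.
$existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null
} else {
    Set-ItemProperty -Path $key -Name $name -Value 1
}

# Verify before restarting IIS so a typo does not cost a second outage.
$value = (Get-ItemProperty -Path $key -Name $name).$name
if ($value -ne 1) {
    throw "$name is '$value', expected 1"
}
Write-Host "$name = $value on $env:COMPUTERNAME"

# IIS reads the value at application start, which is why the documented steps
# end with IISReset. This drops all active OWA/EWS/ActiveSync sessions on this
# server; /noforce lets in-flight requests finish first.
& iisreset.exe /noforce
```

Because the value is per server, run the script (or the manual steps) on every CAS behind your OWA namespace; a load-balanced user who lands on an unconfigured node will still get the generic error.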

Let's walk through some tests:

1. Create a new user called PwdTest

a. Open the Exchange Management Console (EMC)

b. Expand Recipient Configuration and select Mailbox

c. From the Actions pane select New Mailbox

d. In the New Mailbox wizard select "User Mailbox" and click Next

e. Select New User and click Next

f. Enter PwdTest for the user logon name, fill in the remaining user information, and check the box "User must change password at next logon"

g. On the Mailbox Settings page leave the defaults and click Next

h. On the Archive Settings page select the radio button "Don't create an archive" and click Next

i. On the New Mailbox page click New

j. Click Finish to complete the mailbox creation

2. Now that we have created the new mailbox and set the account to force a password change, we attempt to log on to OWA

a. Open the OWA logon page and attempt to log on as our new user PwdTest

b. Notice that we receive only the generic password error message

3. As we can see, the logon fails until we modify the registry on our CAS server

a. Start Registry Editor: Start - Run - regedit

b. Expand to HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA

c. Create the following DWORD value: ChangeExpiredPasswordEnabled

d. Set the value to 1

e. Exit Registry Editor

f. From a command window run IISReset

4. Now that we have created the registry value and restarted IIS, we can attempt to log on to OWA again

a. Open the OWA logon page and attempt to log on as the PwdTest user

b. Instead of the generic error we are now presented with a change password form

c. After completing the form you receive a message that the password was changed successfully

d. You are returned to the OWA logon form. Log on with the newly created password

e. The OWA logon now succeeds
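Step 1 of the walkthrough can also be done in the Exchange Management Shell, which is handy when you want to repeat the test on several servers. This is an added example and not code from the original post; the UPN suffix, organizational unit and mailbox database names are assumptions to replace with your own. It also checks the one prerequisite the GUI walkthrough does not show: that the OWA virtual directory on the server you are testing against uses forms-based authentication.

```powershell
# Added example: create the PwdTest account with "must change password at next
# logon" set, confirm the flag, and check that OWA uses forms-based authentication.
# Run in the Exchange Management Shell. Suffix, OU and database are assumptions.
$name = 'PwdTest'
$upn  = "$name@contoso.com"        # assumed UPN suffix
$ou   = 'contoso.com/Users'        # assumed OU for the new user object
$db   = 'Mailbox Database 01'      # assumed database; drop -Database to let Exchange pick one

# Prompt for the initial password so it is never stored in the script.
$initialPassword = Read-Host -Prompt "Initial password for $name" -AsSecureString

# -ResetPasswordOnNextLogon is the shell equivalent of the wizard check box.
New-Mailbox -Name $name -Alias $name -UserPrincipalName $upn `
    -OrganizationalUnit $ou -Database $db -Password $initialPassword `
    -ResetPasswordOnNextLogon $true | Out-Null

# Confirm the flag really is set before testing the logon.
$user = Get-User -Identity $name
if (-not $user.ResetPasswordOnNextLogon) {
    throw "$name was created but ResetPasswordOnNextLogon is not set"
}
Write-Host "$name created; ResetPasswordOnNextLogon = $($user.ResetPasswordOnNextLogon)"

# The expired-password form is only offered by OWA virtual directories that use
# forms-based authentication. If FormsAuthentication is False here, the registry
# value alone will not produce the change password form.
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Format-List Server, Name, FormsAuthentication, BasicAuthentication, WindowsAuthentication
```

After the test, remember to remove the PwdTest mailbox (Remove-Mailbox -Identity PwdTest) so a known test account is not left behind on the CAS you used.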