We are running an Exchange 2013 server. We found a problem around expired passwords.
Our users log in to OWA using their UPN (user@maildomain.com), and not the real username like lan.local\username.
When we set a user to "Change password at next logon", the following happens:
- When the user logs in with UPN, no new password is asked for, it just logs on and the user can use his webmail.
- When the user goes to options > change password, he can change his password just fine.
- However, when the user logs in to OWA with his "real" username, a new password is immediately asked to be set, before he can continue to webmail.
I see this as a security flaw. How is it possible that someone with an expired password can log in to OWA when using their UPN? And why does this work fine when using a login like domain\username?
Best Answer
Please check if the following might be the case: "An old password still works after you change it in Outlook on the Web".