I am deploying Outlook Web Access on Exchange 2003 with forms-based authentication without SSL (management requirement – they have accepted the risk, and this will not be changed)
I have got everything running fine apart from the change password functionality. I have followed all of the "standard" documentation out there on the web:
- created the IISADMPWD virtual directory
- set the DisablePassword=0 registry entry
- set the AllowRetailHTTPAuth registry entry
- set the PasswordChangeFlags=1 metabase entry
The only remaining problem is that the Change Password button on the Options page in OWA is trying to redirect to a URL starting with HTTPS, not HTTP, and the user gets a server timeout error (we're not even listening on the HTTPS port).
https://ourdomain.com/iisadmpwd/aexp2b.asp?http://ourdomain.com/exchange/whois/?Cmd=close
This needs to redirect to the same address, but without SSL
http://ourdomain.com/iisadmpwd/aexp2b.asp?http://ourdomain.com/exchange/whois/?Cmd=close
Any takers? What have I missed?
Thanks
Tom
EDIT: I have since discovered that while this appeared to work, having PasswordChangeFlags set to 1 causes the app pool for Outlook Web Access to crash with Connection_Abandoned_By_AppPool in the HTTPERR logs. Therefore I've had to abandon this and I wouldn't recommend anyone else tries the same.
Best Answer
You cannot use the Change Password functionality without implementing SSL.
KB297121