old password still works after you change it in Outlook Web Access


An old password still works after you change it in Outlook Web Access


This article was previously published under Q267568

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756  How to back up and restore the registry in Windows


Assume that a user changes their password in Outlook Web Access (OWA) in one of the following versions of Microsoft Exchange Server:

  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2007
  • Microsoft Exchange Server 2003
  • Microsoft Exchange 2000 Server

In this case, you may notice a 15-minute period during which the user can log on to their mailbox by using either the old password or the new password. However, if the user uses a MAPI client (such as Microsoft Outlook) to access the mailbox or if the user tries to access other files and resources, the user is authenticated only if they use the new password.


This latency exists by design for Internet Information Services (IIS) performance reasons and is controlled by the following registry setting.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  1. Start Registry Editor (Regedt32.exe) on the server that is running IIS and through which the user gains access to OWA.
  2. Locate the following key in the registry:

  3. On the Edit menu, click Add Value, and then add the following registry value:

     Value Name: UserTokenTTL (Note This is case-sensitive!)
     Data Type: REG_DWORD
     Value Range: 0 – 0x7FFFFFFF (Note This unit is in seconds.)

  4. Exit Registry Editor, and then restart IIS.
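The same change, as an added PowerShell example for the four steps above (this script is not part of the Knowledge Base article). It assumes you run it in an elevated session on the IIS server and pass the registry key from step 2 as `-KeyPath` (the path is not reproduced here); the value name, type and range come from step 3, and `-RestartIis` performs step 4 with `iisreset`.

```powershell
# Added example, not from the KB article. Reads the current UserTokenTTL, sets a
# new value in seconds, verifies it, and optionally restarts IIS.
param(
    [Parameter(Mandatory = $true)]
    [string]$KeyPath,               # the registry key named in step 2 (e.g. 'HKLM:\...')
    [Parameter(Mandatory = $true)]
    [ValidateRange(0, 2147483647)]  # article: 0 - 0x7FFFFFFF, unit is seconds
    [int]$TtlSeconds,
    [switch]$RestartIis             # article: restart IIS after the change
)

$ValueName  = 'UserTokenTTL'        # case-sensitive, exactly as the article spells it
$DefaultTtl = 15 * 60               # article: 15-minute default when the value is absent

function Get-UserTokenTtl {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key '$KeyPath' not found; check the key from step 2 of the article."
}

$current = Get-UserTokenTtl -Path $KeyPath
if ($null -eq $current) {
    Write-Host "UserTokenTTL is not set; IIS uses the default of $DefaultTtl seconds (15 minutes)."
} else {
    Write-Host "Current UserTokenTTL: $current seconds."
}

# Create the value as REG_DWORD if it does not exist, otherwise update it in place
# (Set-ItemProperty keeps the existing DWORD type).
if ($null -eq $current) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $TtlSeconds | Out-Null
} else {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $TtlSeconds
}

# Read the value back so a typo in the (case-sensitive) name is caught immediately.
$after = Get-UserTokenTtl -Path $KeyPath
if ($after -ne $TtlSeconds) {
    throw "Verification failed: read back '$after', expected $TtlSeconds."
}
Write-Host "UserTokenTTL set to $after seconds: a changed password can remain valid in OWA for at most that long."

if ($RestartIis) {
    iisreset
}
```

A lower value shortens the window in which a replaced (possibly compromised) password still authenticates to OWA, at the cost of more Windows logons on the IIS server; as the note below explains, users who already hold a cached token keep the old TTL until they close their browser, log on again and change the password again.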

When a request is made to the server by using Basic Authentication, the security credentials for the request are used to create a user token on the server. The server impersonates this user token when it accesses files or other system resources (see also “CacheSecurityDescriptor” in IIS Help). The token is cached so that the Windows logon occurs only the first time that the user accesses the system or after the user’s token is removed from the cache. Integrated Windows authentication tokens are not cached.

For IIS performance reasons, the default setting is 15 minutes. Before you change it, weigh the security implications (how long an old password remains valid for OWA) against the performance implications (how often IIS must perform a Windows logon). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

152526  Changing the default interval for user tokens in IIS

Note If a user is still logged on when this registry key is set, that user’s current Time to Live (TTL) token for that password remains the same as it was before the registry key was modified. The user is not affected until they close all instances of the browser, log on again, and change the password again. That new password will have the TTL that was specified in the registry key.


Posted by on June 7, 2011 in Exchange


One response to “old password still works after you change it in Outlook Web Access”

  1. Vernell

    March 15, 2013 at 4:10 am

    Magnificent goods from you, man. I have taken note of your stuff previously and you’re just too great. I actually like what you have received here, certainly like what you’re saying and the way in which you say it. You’re making it enjoyable and you continue to care to keep it sensible. I cannot wait to read much more from you. That is actually a terrific website.

