Users cannot change password from OWA 1

[NicktheNewbie]

We run an exchange 2000 server on windows 2000, most users use windows 20000, and IE 5.5 or better.

After logging on to OWA, users can check email no problem, but when they click options, then "change password"...
a pop up screen comes up that says page cannot be displayed... any ideas?

 

[MapMan]

If I remember correctly, this occurs if you're not using SSL to access the OWA pages. To do so, install a current certificate on the exchange server, and point the users to https:// -vs- http://

But, it's been awhile since I had that problem. MapMan

Assume nothing, question everything, be explicit not implicit, and you'll always be covered.

 

[NicktheNewbie]

How do I install certificates? And does SSL need to be installed on the client, or server, and where should it be installed?

 

[microgeek]

SSL needs to run on the server. Also make sure your clients are connecting using a browser version that supports 128 bit encryption.

You simply direct your clients to a URL like

https://yourexchangeserver.yourcompany.com

Notice the "s" in the http portion of the URL

For more step by step information on how to setup SSL on your exchange server try checking out this link.

http://www.msexchange.org/tutorials/MF004.html

Hope you find this useful.

Cheers,

JR JR

Tech Forums and news group user "Microgeek".

 

[jamk555]

Just a thought for you - IIS Change Password is considerd a large security hole. I would not recommend enabling it. Microsoft has a utility called IISLockdown (or something similar***warning do not run this without understanding it*****) that will also disable this feature. My thoughts on this are only to express that this is a potential security flaw. My intent is not to scare you from doing it, I just want to pass along what I know.

Cheers! jamk555

 

[homerunkevin]

Hi all!
Interesting stuff. I will look into those. I was curious does OWA run under exchange 2000 server is really vunerable to privacy. Once a domain user access the OWA website, they can just view any other domain user email by putting /user name at the end without entering the password? This is really strange
Love always,
KEvin zhang
Techncial Support specailist
kevin@hsmc.com

 

[Evilbart]

kevin

looks like your security settings aren't correct anymore,

check your security, as by default no user can access another users mailbox. (even admins can't)

someone is giving away rights......

/Bart

 

[homerunkevin]

Evilbart,
That what I question the consulant lady who set up this up in the first place. It's so vunerable that even changing password in the active directory is useless. A temp who is able to get into the OWA can look into the management mailbox. I believe this occur only with IE 5.5 and not IE 6. BUt still, I would appreciate whoever encounter the same problem. Love always,
KEvin zhang
Techncial Support specailist
kevin@hsmc.com

 

[securityforums]

"Once a domain user access the OWA website, they can just view any other domain user email by putting /user name at the end without entering the password? This is really strange"


Indeed only exchange admins should be able to do this, are you saying *any* user can switch into anyone elses mailbox?

Id make sure you have full IIS logging on OWA, auditing turned up and check event viewer

 

[homerunkevin]

Dbrasco,
Good work!! yes indeed this is what happening withour exchange server. I have managment complaintts. anycase long story. .

Good I try to figure did those help or not Love always,
KEvin zhang
Techncial Support specailist
kevin@hsmc.com

 

[Evilbart]

http://support.microsoft.com/default.aspx?scid=kb;en-us;267596

XWEB: How to Change OWA Passwords Through IIS

came across this url this morning

could be helpfull

/Bart