Article ID: 1454, created on Oct 6, 2008, last review on May 11, 2014

  • Applies to:
  • Operations Automation

Cause

User tokens used for access to OWA are cached by IIS. When a user logs on to an Exchange mailbox via a web browser, the user's token is created.

If the account's credentials (login or password) are subsequently changed, or the account is disabled, the user can still access the mailbox for some period of time using the old credentials.

According to the Microsoft documentation, this cache expiration time is about 15 minutes. In practice, this value can be greater.

Resolution

You can force the expiration of the IIS token cache by restarting the IIS services:

  1. On each Exchange Front-end server, run the "Internet Information Services (IIS) Manager" snap-in (Start / Programs / Administrative Tools / Internet Information Services (IIS) Manager).
  2. In the left pane, left-click on the local computer node (for EXFE01 it was "EXFE01 (local computer)").
  3. Select "All Tasks" / "Restart IIS...". A message box will open.
  4. In the list box, select "Restart Internet Services on ..." (selected by default) and click "OK".

You can change the default interval for the token cache:

  1. On each Exchange Front-end server, run the registry editor (regedit.exe).
  2. Locate the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters
  3. Within this key, add a DWORD value UserTokenTTL with decimal value 300 (IIS refreshes the token cache every 300 seconds = 5 minutes).
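
The registry change above can be audited and applied across several front-end servers with a script. The following PowerShell is an added example, not part of the original article; it assumes administrative rights, a reachable Remote Registry service on each server, and a server list you supply (EXFE01 is the name used above). Without -Apply it only reports the current value.

```powershell
# Added example, not from the original article.
param(
    [string[]]$Servers = @('EXFE01'),  # assumption: list your front-end servers here
    [int]$TtlSeconds = 300,            # value used in the article (5 minutes)
    [switch]$Apply,                    # without -Apply the script only reports
    [switch]$RestartIis                # with -Apply, also restart IIS on each server
)

$subKey = 'SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'
$hive   = [Microsoft.Win32.RegistryHive]::LocalMachine

foreach ($server in $Servers) {
    $hklm = $null; $key = $null
    try {
        # Needs administrative rights and the Remote Registry service on the target.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $server)
        $key  = $hklm.OpenSubKey($subKey, $Apply.IsPresent)  # writable only with -Apply
        if ($null -eq $key) {
            Write-Warning "${server}: $subKey not found"
            continue
        }

        $current = $key.GetValue('UserTokenTTL', $null)
        if ($null -eq $current) {
            Write-Output "${server}: UserTokenTTL not set (IIS default interval in effect)"
        } else {
            Write-Output "${server}: UserTokenTTL = $current seconds"
        }

        if ($Apply -and $current -ne $TtlSeconds) {
            $key.SetValue('UserTokenTTL', $TtlSeconds,
                          [Microsoft.Win32.RegistryValueKind]::DWord)
            Write-Output "${server}: UserTokenTTL set to $TtlSeconds seconds"
        }
        if ($Apply -and $RestartIis) {
            # Same effect as "Restart IIS..." in the snap-in; flushes the token cache now.
            & iisreset.exe $server /restart
        }
    } catch {
        Write-Warning "${server}: $($_.Exception.Message)"
    } finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
}
```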

Search Words

password reset
