Thursday, September 08, 2005

Setting the cookie authentication time-out in OWA 2003

 


For your Outlook Web Access logon page, you can give users two types of security options for authentication. Depending on their requirements, users can select either of these security options on the Outlook Web Access logon page:

Public or shared computer - Tell your users to select this option when they access Outlook Web Access from a computer that does not use the security settings for your organization. For example, an Internet kiosk computer does not use the security settings for your organization. The Public or shared computer option is the default option and provides a short default time-out of 15 minutes.
Private computer - Tell your users to select this option when they are the sole operator of the computer and the computer uses the security settings for your organization. This option permits a much longer period of inactivity before automatically ending the session. Its internal default value is 24 hours. The Private computer option is intended to benefit Outlook Web Access users who use personal computers in their office or in their home.


Additionally, when Outlook Web Access clients log on by using forms-based authentication, they may also choose between the following two types of Outlook Web Access client versions:

Premium - This is the default version. It provides all Outlook Web Access features.

    Note: The Outlook Web Access premium client has special code so that typing in a message body is considered as activity.
Basic - This version provides faster performance but fewer features than the premium client. Use this version if you are on a slow connection.


In Exchange 2003, Outlook Web Access user credentials are stored in a cookie. When the user logs off from Outlook Web Access, the cookie is cleared and it is no longer valid for authentication. Additionally, by default, if your user is using a public computer and selects the Public or shared computer option on the Outlook Web Access logon screen, the cookie on this computer expires automatically after 15 minutes of user inactivity.

The automatic time-out is valuable because it helps protect a user's account from unauthorized access. However, although the automatic time-out greatly reduces the risk of unauthorized access, it does not completely eliminate the risk that an unauthorized user could access an Outlook Web Access account if a session is left running on a public computer. Therefore, make sure that you educate users about precautions to take to avoid risks.

To match the security requirements of the organization, an administrator can configure the inactivity time-out values on the Exchange front-end server. Exchange 2003 uses the following information to determine user activity:

 
Interaction between the client and the server is considered as activity. For example, if a user opens, sends, or saves an item, switches folders or modules, or refreshes the view or the Web browser window, this is considered as activity.
If a user enters text in Outlook Web Access items, it is not considered as activity. For example, if a user types in appointments, meeting requests, posts, contacts, tasks, or other items, this is not considered as activity.


To configure the time-out value, you must first enable forms-based authentication and then modify the registry settings on the server.

To set the Outlook Web Access forms-based authentication public computer cookie time-out value, follow these steps.
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. On the Exchange front-end server, log on by using the Exchange administrator account, and then start Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type PublicClientTimeout for the name of the DWORD, and then press ENTER.
5. Right-click the PublicClientTimeout DWORD value, and then click Modify.
6. Under Base, click Decimal.
7. In the Value data box, type a value that represents the number of minutes for the time-out. This number must be between 1 and 43200. (43200 minutes are equal to 30 days.) If you do not set a value, a value of 15 is assumed.

Note: The maximum possible value is 43200 for 30 days.
8. Click OK.

Important: You must restart IIS for the changes to take effect. Also, if you set the TrustedClientTimeout value to a value that is lower than PublicClientTimeout, the TrustedClientTimeout value defaults to be equal to the PublicClientTimeout value. Likewise, if you set the PublicClientTimeout value to a value that is greater than the TrustedClientTimeout value, the TrustedClientTimeout value defaults to be equal to the PublicClientTimeout value.


To set the Outlook Web Access forms-based authentication trusted computer cookie time-out value:

1. On the Exchange front-end server, log on by using the Exchange administrator account, and then start Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type TrustedClientTimeout for the name of the DWORD, and then press ENTER.
5. Right-click the TrustedClientTimeout DWORD value, and then click Modify.
6. Under Base, click Decimal.
7. In the Value data box, type a value that represents the number of minutes for the time-out. This number must be between 1 and 43200. (43200 minutes are equal to 30 days.) If you do not set a value, a value of 1440 is assumed.

Note: The maximum possible value is 43200 for 30 days.
8. Click OK.
9. Open a command prompt, type net stop w3svc, and then press ENTER.
10. After the services stop, type net start w3svc, and then press ENTER.
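
The two procedures above, scripted as an added PowerShell example (not part of the original post or of Microsoft's instructions): it checks the 1 to 43200 range and the trusted/public ordering before writing, then restarts W3SVC. The function names and the sample values are assumptions; the registry path, value names and defaults are the ones given in the steps.

```powershell
# Added example. Registry path, value names, defaults and the 1..43200 range come
# from the steps above; the function names are hypothetical.
$OwaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA'

function Get-OwaTimeout {
    # Effective idle time-outs in minutes, using the documented defaults
    # (15 public, 1440 trusted) when a value has not been created.
    $p = Get-ItemProperty -Path $OwaKey -ErrorAction SilentlyContinue
    $public  = 15
    $trusted = 1440
    if ($p -and $p.PublicClientTimeout)  { $public  = $p.PublicClientTimeout }
    if ($p -and $p.TrustedClientTimeout) { $trusted = $p.TrustedClientTimeout }
    # A trusted value lower than the public value is treated as equal to it.
    if ($trusted -lt $public) { $trusted = $public }
    New-Object PSObject -Property @{ PublicMinutes = $public; TrustedMinutes = $trusted }
}

function Set-OwaTimeout([int]$PublicMinutes, [int]$TrustedMinutes) {
    if (-not (Test-Path $OwaKey)) { throw "Registry key not found: $OwaKey" }
    foreach ($m in $PublicMinutes, $TrustedMinutes) {
        if ($m -lt 1 -or $m -gt 43200) { throw "Time-out $m is outside 1..43200 minutes." }
    }
    # Refuse a combination the server would silently override.
    if ($TrustedMinutes -lt $PublicMinutes) {
        throw "TrustedClientTimeout ($TrustedMinutes) is lower than PublicClientTimeout ($PublicMinutes)."
    }
    # -Force overwrites the DWORD if it already exists.
    New-ItemProperty -Path $OwaKey -Name PublicClientTimeout -PropertyType DWord `
        -Value $PublicMinutes -Force | Out-Null
    New-ItemProperty -Path $OwaKey -Name TrustedClientTimeout -PropertyType DWord `
        -Value $TrustedMinutes -Force | Out-Null
    # Same effect as "net stop w3svc" followed by "net start w3svc".
    Restart-Service -Name W3SVC
}

# Constructed values: 10 minutes on shared machines, 8 hours on trusted ones.
Set-OwaTimeout -PublicMinutes 10 -TrustedMinutes 480
Get-OwaTimeout
```

Run it from an administrative PowerShell session on the Exchange front-end server; the restart of W3SVC interrupts active web sessions on that server.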


 
In addition to idle timeouts, you can also specify a timeout value for the Forms Based Authentication cookie itself. To do this, add the following registry entry to the OWA server.
 
Location: HKLM\System\CurrentControlSet\Services\MSExchangeWeb\OWA
Value name: KeyInterval
Type: REG_DWORD
Value Data: Timeout value (in minutes)
