RE: OWA time-out
From: Susan (Susan_at_discussions.microsoft.com)
Date: 02/01/05
- Next message: Barry: "Re: Problems With SBS 2003 Firewall Client"
- Previous message: Susan: "Re: OWA time-out"
- In reply to: Mike Ash: "RE: OWA time-out"
- Next in thread: Marina Roos [SBS-MVP]: "Re: OWA time-out"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 31 Jan 2005 17:45:01 -0800
I notice here you mention "front end and back end" servers...we're a small
operation with 1 server and 10 users, but we have 4 additional Exchange users
that will be using OWA exclusively. Mike, do you still recommend this
solution?
"Mike Ash" wrote:
> Susan,
> Microsoft uses cookies for setting the timeout on clients for OWA. The
> default timeout is 15 minutes. There is a public timeout and a trusted
> timeout. Below is how you do both. Make sure you back up your registry.
>
>
> Enabling forms-based authentication
> You must enable Secure Sockets Layer (SSL) on the server before you enable
> forms-based authentication. For additional information about how to install a
> certificate in Microsoft Windows Server 2003 before you enable SSL, click the
> following article number to view the article in the Microsoft Knowledge Base:
> 816794 How to install imported certificates on a Web server in Windows
> Server 2003
> To enable forms-based authentication in Exchange 2003, follow these steps.
>
> Note In a front-end/back-end server environment, you must enable forms-based
> authentication on the front-end server. In an environment where you do not
> use a front-end server, enable forms-based authentication on the mailbox
> server.
> 1. Start Exchange System Manager.
> 2. If administrative groups are enabled, expand Administrative Groups.
> 3. Expand Servers, and then expand your front-end server.
> 4. Expand Protocols, expand HTTP, right-click Exchange Virtual Server, and
> then click Properties.
> 5. Click the Settings tab, and then click to select the Enable Forms Based
> Authentication check box.
> 6. In the Compression list, click the level of compression that you want.
>
> Note We recommend that you do not enable compression in a single-server
> environment because compression in a single-server environment places an
> additional load on the server.
> 7. Click OK.
> 8. If you receive a message that states that the IIS service must be
> restarted, click OK. To restart IIS, type the following command at a command
> prompt: iisreset
>
>
> If you enabled forms-based authentication on a front-end server, follow
> these steps on your back-end servers:
> 1. Start Exchange System Manager.
> 2. If administrative groups are enabled, expand Administrative Groups.
> 3. Expand Servers, and then expand your back-end server.
> 4. Expand Protocols, expand HTTP, and then expand Exchange Virtual Server.
> 5. Right-click the Exchange virtual directory that appears under the
> Exchange Virtual Server container, and then click Properties.
> 6. Click the Access tab, and then click Authentication.
> 7. If it is not already selected, click to select the Basic authentication
> check box.
> 8. Enter a backslash (\) in the Default Domain box.
> 9. Click OK two times to close the property windows.
>
> Setting the cookie authentication time-out
> For your Outlook Web Access logon page, you can give users two types of
> security options for authentication. Depending on their requirements, users
> can select either of these security options on the Outlook Web Access logon
> page:
> • Public or shared computer - Inform your users to select this option
> when they access Outlook Web Access from a computer that does not use the
> security settings for your organization. For example, an Internet kiosk
> computer does not use the security settings for your organization. The Public
> or shared computer option is the default option and provides a short default
> time-out option of 15 minutes.
> • Private computer - Inform your users to select this option when they are
> the sole operator of the computer and the computer uses the security settings
> for your organization. This option permits a much longer period of inactivity
> before automatically ending the session. Its internal default value is 24
> hours. The Private computer option is intended to benefit Outlook Web Access
> users who use personal computers in their office or in their home.
> Additionally, when Outlook Web Access clients log on by using forms-based
> authentication, they may also choose between the following two types of
> Outlook Web Access client versions:
> • Premium - This is the default version.
> It provides all Outlook Web Access features.
>
> Note The Outlook Web Access premium client has special code so that typing
> in a message body is considered as activity.
> • Basic - This version provides faster performance but fewer features than
> the premium client. Use this version if you are on a slow connection.
> In Exchange 2003, Outlook Web Access user credentials are stored in a
> cookie. When the user logs off from Outlook Web Access, the cookie is cleared
> and it is no longer valid for authentication. Additionally, by default, if
> your user is using a public computer and selects the Public or shared
> computer option on the Outlook Web Access logon screen, the cookie on this
> computer expires automatically after 15 minutes of user inactivity.
>
> The automatic time-out is valuable because it helps protect a user's account
> from unauthorized access. However, although the automatic time-out greatly
> reduces the risk of unauthorized access, it does not completely eliminate the
> risk that an unauthorized user could access an Outlook Web Access account if
> a session is left running on a public computer. Therefore, make sure that you
> educate users about precautions to take to avoid risks.
>
> To match the security requirements of the organization, an administrator can
> configure the inactivity time-out values on the Exchange front-end server.
> Exchange 2003 uses the following information to determine user activity:
> • Interaction between the client and the server is considered as activity. For
> example, if a user opens, sends, or saves an item, switches folders or
> modules, or refreshes the view or the Web browser window, this is considered
> as activity.
> • If a user enters text in Outlook Web Access items, it is not considered as
> activity. For example, if a user types in appointments, meeting requests,
> posts, contacts, tasks, or other items, this is not considered as activity.
>
> To configure the time-out value, you must first enable forms-based
> authentication and then modify the registry settings on the server.
>
> To set the Outlook Web Access forms-based authentication public computer
> cookie time-out value, follow these steps.
> Warning If you use Registry Editor incorrectly, you may cause serious
> problems that may require you to reinstall your operating system. Microsoft
> cannot guarantee that you can solve problems that result from using Registry
> Editor incorrectly. Use Registry Editor at your own risk.
> 1. On the Exchange
> front-end server, log on by using the Exchange administrator account, and
> then start Registry Editor.
> 2. Locate and then click the following registry subkey:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
> 3. On the Edit menu, point to New, and then click DWORD Value.
> 4. Type PublicClientTimeout for the name of the DWORD, and then press ENTER.
> 5. Right-click the PublicClientTimeout DWORD value, and then click Modify.
> 6. Under Base, click Decimal.
> 7. In the Value data box, type a value that represents the number of minutes
> for the time-out. This number must be between 1 and 43200. (43200 minutes are
> equal to 30 days.) If you do not set a value, a value of 15 is assumed.
>
> Note The maximum possible value is 43200 for 30 days.
> 8. Click OK.
>
> Important You must restart IIS for the changes to take effect. Also, if you
> set the TrustedClientTimeout value to a value that is lower than
> PublicClientTimeout, the TrustedClientTimeout value defaults to be equal to
> the PublicClientTimeout value. Likewise, if you set the PublicClientTimeout
> value to a value that is greater than the TrustedClientTimeout value, the
> TrustedClientTimeout value defaults to be equal to the PublicClientTimeout
> value.
> To set the Outlook Web Access forms-based authentication trusted computer
> cookie time-out value:
> 1. On the Exchange front-end server, log on by using
> the Exchange administrator account, and then start Registry Editor.
> 2. Locate and then click the following registry subkey:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
> 3. On the Edit menu, point to New, and then click DWORD Value.
> 4. Type TrustedClientTimeout for the name of the DWORD, and then press ENTER.
> 5. Right-click the TrustedClientTimeout DWORD value, and then click Modify.
> 6. Under Base, click Decimal.
> 7. In the Value data box, type a value that represents the number of minutes
> for the time-out. This number must be between 1 and 43200. (43200 minutes are
> equal to 30 days.) If you do not set a value, a value of 1440 is assumed.
>
> Note The maximum possible value is 43200 for 30 days.
> 8. Click OK.
> 9. Open a command prompt, type net stop w3svc, and then press ENTER.
> 10. After the services stop, type net start w3svc, and then press ENTER.
>
>
>
>
> "Susan" wrote:
>
> > Is there any way I can increase the time allotted for a user using OWA before
> > it times out?
> >
> > Thanks!
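
The registry steps quoted above, scripted in PowerShell as an added example that is not part of the original thread or of the article it quotes. The function names and the `-RestartIis` switch are hypothetical; the key path, value names, the 1 to 43200 range and the 15/1440 defaults are the ones given in the quoted text. Run it on the server where forms-based authentication is enabled.

```powershell
# Added example (not from the thread). Key path, value names, range and
# defaults are the ones quoted above; function names are hypothetical.
$OwaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA'

function Get-OwaTimeout {
    # Report the configured values (minutes) and the trusted value OWA applies.
    if (-not (Test-Path $OwaKey)) { throw "Registry key not found: $OwaKey" }
    $p = Get-ItemProperty -Path $OwaKey
    # Absent values fall back to the documented defaults: 15 and 1440.
    $public  = if ($null -ne $p.PublicClientTimeout)  { [long]$p.PublicClientTimeout }  else { 15 }
    $trusted = if ($null -ne $p.TrustedClientTimeout) { [long]$p.TrustedClientTimeout } else { 1440 }
    New-Object PSObject -Property @{
        PublicConfigured  = $public
        TrustedConfigured = $trusted
        # Per the quoted text, a trusted value below the public one is
        # raised to equal the public value.
        TrustedEffective  = [Math]::Max($public, $trusted)
        InRange           = ($public -ge 1 -and $public -le 43200 -and
                             $trusted -ge 1 -and $trusted -le 43200)
    }
}

function Set-OwaTimeout {
    param(
        [ValidateRange(1, 43200)][int]$PublicMinutes  = 15,
        [ValidateRange(1, 43200)][int]$TrustedMinutes = 1440,
        [switch]$RestartIis
    )
    # Refuse a pair that would be silently adjusted (trusted < public).
    if ($TrustedMinutes -lt $PublicMinutes) {
        throw "TrustedClientTimeout ($TrustedMinutes) is lower than PublicClientTimeout ($PublicMinutes)."
    }
    if (-not (Test-Path $OwaKey)) { throw "Registry key not found: $OwaKey" }
    # -Force overwrites an existing value; DWord matches the manual steps.
    New-ItemProperty -Path $OwaKey -Name PublicClientTimeout `
        -PropertyType DWord -Value $PublicMinutes -Force | Out-Null
    New-ItemProperty -Path $OwaKey -Name TrustedClientTimeout `
        -PropertyType DWord -Value $TrustedMinutes -Force | Out-Null
    # Same effect as "net stop w3svc" followed by "net start w3svc".
    if ($RestartIis) { Restart-Service -Name W3SVC }
    Get-OwaTimeout
}

# Audit only:          Get-OwaTimeout
# Set both and apply:  Set-OwaTimeout -PublicMinutes 15 -TrustedMinutes 480 -RestartIis
```

Without `-RestartIis` the new values are written but do not take effect until IIS is restarted.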