Tweaking Outlook Web Access timeout options

Outlook Web Access (OWA) maintains two values for timeout options -- one for trusted clients and another for public clients. Learn how to customize OWA timeout options in the registry for optimal security.

Outlook Web Access (OWA) maintains internal settings for how long a given OWA session will remain open without the user needing to log back in. When this time limit expires, the user will be prompted for a new login for the sake of security.

OWA also maintains two separate values for timeouts -- one for logins from trusted clients (such as an intranet or a VPN), and another for logins from public clients (such as a shared computer). Both values are set in the registry on the Exchange server that hosts OWA, and can be edited depending on your needs.

The trusted-client timeout is stored as a DWORD, calibrated in minutes, at:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeWEB\OWA\TrustedClientTimeout

For public clients, it's a different value in the same branch:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeWEB\OWA\PublicClientTimeout

(also a DWORD calibrated in minutes)

The default timeout for trusted clients is 24 hours; the default timeout for public clients is 15 minutes. The PublicClientTimeout value can never be larger than the TrustedClientTimeout value.

If your company policy is exceptionally strict, you can set the public client timeout to a mere five minutes. If you're confident that only properly authenticated users will be accessing your intranet desktops, you can set the value for trusted clients as high as 43200, or 30 days.

In theory, both values can be set to 43200, but it's a bad idea to do this for public clients, since you can't always count on users to properly log out when using a public terminal.

Remember that if you make any of these changes, you'll need to restart Internet Information Services (IIS).
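The steps above can be scripted so that the limits are checked before anything is written. This PowerShell sketch is an added example, not part of the original tip; the function name Set-OwaTimeout and its parameters are hypothetical, and the lower bound of 1 minute is an assumption.

```powershell
# Added example: Set-OwaTimeout and its parameter names are hypothetical.
function Set-OwaTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Minutes. The upper limit of 43200 (30 days) comes from the article;
        # the lower bound of 1 is an assumption.
        [ValidateRange(1, 43200)][int]$TrustedMinutes = 1440,  # article default: 24 hours
        [ValidateRange(1, 43200)][int]$PublicMinutes  = 15,    # article default: 15 minutes
        [switch]$RestartIis
    )

    $key = 'HKLM:\System\CurrentControlSet\Services\MSExchangeWEB\OWA'

    # PublicClientTimeout can never be larger than TrustedClientTimeout.
    if ($PublicMinutes -gt $TrustedMinutes) {
        throw "PublicClientTimeout ($PublicMinutes) exceeds TrustedClientTimeout ($TrustedMinutes)."
    }
    if (-not (Test-Path $key)) {
        throw "Registry key not found: $key (run this on the Exchange server that hosts OWA)."
    }

    # Record the existing values first so the change can be audited or rolled back.
    $current = Get-ItemProperty -Path $key
    foreach ($name in 'TrustedClientTimeout', 'PublicClientTimeout') {
        $old = $current.$name
        if ($null -eq $old) { $old = '(not set)' }
        Write-Host "$name currently: $old"
    }

    $new = @{ TrustedClientTimeout = $TrustedMinutes; PublicClientTimeout = $PublicMinutes }
    foreach ($name in $new.Keys) {
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $($new[$name])")) {
            # -Force overwrites an existing value and creates it if absent.
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $new[$name] -Force | Out-Null
        }
    }

    # The new values are not picked up until IIS is restarted.
    if ($RestartIis -and $PSCmdlet.ShouldProcess('IIS', 'iisreset')) {
        & iisreset.exe
    }
}

# Constructed usage: five-minute public timeout, default trusted timeout; -WhatIf only previews.
Set-OwaTimeout -TrustedMinutes 1440 -PublicMinutes 5 -WhatIf
```

Drop -WhatIf and add -RestartIis to apply the change; run it from an elevated session on the Exchange server.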

"Activity" is a key factor in all this, since an inactive connection is what triggers a timeout. Microsoft defines client "activity" as any interaction between the client and server, such as opening, sending, saving, switching folders, or refreshing the browser.

Typing in appointments, meeting requests, posts, contacts, or tasks is not considered activity. However, an MS Exchange Blog post about forms-based authentication -- the OWA logon security feature introduced in Exchange Server 2003 -- indicates that composing a new message or editing an existing one doesn't count towards the OWA timeout value.

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.


This was first published in December 2006
