Outlook Web Access (OWA) maintains internal settings for how long a given OWA session will remain open without the user needing to log back in. When this time limit expires, the user will be prompted for a new login for the sake of security.
OWA also maintains two separate values for timeouts -- one for logins from trusted clients (such as an
Requires Free Membership to View
intranet or a VPN), and
another for logins from public clients (such as a shared computer). Both values are set in the
registry on the Exchange server that hosts OWA, and can be edited depending on your needs.
The trusted-client timeout is stored as a DWORD, calibrated in minutes, at:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange
WEB\OWA\TrustedClientTimeout
For public clients, it's a different value in the same branch:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange
WEB\OWA\PublicClientTimeout (also a DWORD calibrated in minutes)
The default timeout for trusted clients is 24 hours; the default timeout for public clients is 15 minutes. The PublicClientTimeout value can never be larger than the TrustedClientTimeout value.
If your company policy is exceptionally strict, you can set the public client timeout to a mere five minutes. If you're confident that only properly authenticated users will be accessing your intranet desktops, you can set the value for trusted clients as high as 43200, or 30 days.
In theory, both values can be set to 43200, but it's a bad idea to do this for public clients, since you can't always count on users to properly log out when using a public terminal.
Remember that if you make any of these changes, you'll need to restart Internet Information Services (IIS).
"Activity" is a key factor in all this, since an inactive connection is what triggers a timeout. Microsoft defines client "activity" as any interaction between the client and server, such as opening, sending, saving, switching folders, or refreshing the browser.
Typing in appointments, meeting requests, posts, contacts, or tasks is not considered activity. However, an MS Exchange Blog post about forms-based authentication -- the OWA logon security feature introduced in Exchange Server 2003 -- indicates that composing a new message or editing an existing one doesn't count towards the OWA timeout value.
About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.
Do you have comments on this tip? Let us know.
Related information from SearchExchange.com:
- Expert Advice: Troubleshooting Outlook Web Access user login issues
- Tip: Don't lock out users when making domain account changes
- FAQ: Outlook Web Access
- Administration Guide: Outlook Web Access
- Reference Center: Outlook Web Access tips and resources
-
Please let others know how useful this tip was via the rating scale below. Do you have a useful Exchange Server or Microsoft Outlook tip, timesaver or workaround to share? Submit it to SearchExchange.com. If we publish it, we'll send you a nifty thank-you gift.
This was first published in December 2006
Join the conversationComment
Share
Comments
Results
Contribute to the conversation