Exchange Server 5.5 and 2000's Outlook Web Access (OWA) allows clients to read Exchange-based e-mail through a
web browser. By default, OWA does not allow users to change domain passwords in IIS 5.0, as a way of further securing OWA and domain accounts against attacks.
If you are confident that your security is robust (for instance, if you only allow access to OWA through a VPN, and have strong password rules), you can enable password-changing through OWA. Here's how:
1. Open the directory %Systemroot%System32InetsrvIisadmpwd and verify that there are nine (9) files with the extension .HTR in that directory. Note that the Inetsrv directory may not be in %Systemroot%System32, but it is typically created there by default when IIS is installed.
2. Create a new virtual directory in the default IIS web site (the one that governs OWA access). The virtual directory should have an alias of IISADMPWD and should have a physical location that matches the Iisadmpwd directory above.
3. Set the Read, Run Script and Execute Access privileges on the IISADMPWD virtual directory.
Note that the IISADMPWD will require a secure sockets layer (SSL) connection to work, to prevent submitting information across the Internet in cleartext. You may need to install a server certificate in IIS to make SSL work, if one isn't installed already. You can either use one provided by a third party or generate a certificate with Microsoft Certificate Services 2.0 (including with Windows 2000 Server).
If you set the IISADMPWD virtual directory to use NTLM authentication and have clients who use IE 5.0-5.5, there can be authentication conflicts. To avoid this problem, either turn off NTLM authentication on the directory or use IE 6.0 or higher If you must use NTLM authentication with IE 5.x clients, you will need to add or change a DWORD Registry key on the client to make NTLM authentication work correctly here. The key is named DisableNTLMPreAuth and is found in HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/. Set the value of the key to 1.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.