|
John Weber -> RE: OWA auto disconnect timeout (15.Jan.2008 11:52:41 AM)
|
make these changes are your own peril...however, they work just fine.
Setting the cookie authentication time-out
For your Outlook Web Access logon page, you can give users two types of security options for authentication. Depending on their requirements, users can select either of these security options on the Outlook Web Access logon page:
•
Public or shared computer - Inform your users to select this option when they access Outlook Web Access from a computer that does not use the security settings for your organization. For example, an Internet kiosk computer does not use the security settings for your organization. The Public or shared computer option is the default option and provides a short default time-out option of 15 minutes.
•
Private computer - Inform your users to select this option when they are the sole operator of the computer and the computer uses the security settings for your organization. This option permits a much longer period of inactivity before automatically ending the session. Its internal default value is 24 hours. The Private computer option is intended to benefit Outlook Web Access users who use personal computers in their office or in their home.
Additionally, when Outlook Web Access clients log on by using forms-based authentication, they may also choose between the following two types of Outlook Web Access client versions:
•
Premium - This is the default version. It provides all Outlook Web Access features.
Note The Outlook Web Access premium client has special code so that typing in a message body is considered as activity.
•
Basic - This version provides faster performance but fewer features than the premium client. Use this version if you are on a slow connection.
In Exchange 2003, Outlook Web Access user credentials are stored in a cookie. When the user logs off from Outlook Web Access, the cookie is cleared and it is no longer valid for authentication. Additionally, by default, if your user is using a public computer and selects the Public or shared computer option on the Outlook Web Access logon screen, the cookie on this computer expires automatically after 15 minutes of user inactivity.
The automatic time-out is valuable because it helps protect a user's account from unauthorized access. However, although the automatic time-out greatly reduces the risk of unauthorized access, it does not completely eliminate the risk that an unauthorized user could access an Outlook Web Access account if a session is left running on a public computer. Therefore, make sure that you educate users about precautions to take to avoid risks.
To match the security requirements of the organization, an administrator can configure the inactivity time-out values on the Exchange front-end server. Exchange 2003 uses the following information to determine user activity:
•
Interaction between the client and the server is considered as activity. For example, if a user opens, sends, or saves an item, switches folders or modules, or refreshes the view or the Web browser window, this is considered as activity.
•
If a user enters text in Outlook Web Access items, it is not considered as activity. For example, if a user types in appointments, meeting requests, posts, contacts, tasks, or other items, this is not considered as activity.
To configure the time-out value, you must first enable forms-based authentication and then modify the registry settings on the server.
To set the Outlook Web Access forms-based authentication public computer cookie time-out value, follow these steps.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
1.
On the Exchange front-end server, log on by using the Exchange administrator account, and then start Registry Editor.
2.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
3.
On the Edit menu, point to New, and then click DWORD Value.
4.
Type PublicClientTimeout for the name of the DWORD, and then press ENTER.
5.
Right-click the PublicClientTimeout DWORD value, and then click Modify.
6.
Under Base, click Decimal.
7.
In the Value data box, type a value that represents the number of minutes for the time-out. This number must be between 1 and 43200. (43200 minutes are equal to 30 days.) If you do not set a value, a value of 15 is assumed.
Note The maximum possible value is 43200 for 30 days.
8.
Click OK.
Important You must restart IIS for the changes to take effect. Also, if you set the TrustedClientTimeout value to a value that is lower than PublicClientTimeout, the TrustedClientTimeout value defaults to be equal to the PublicClientTimeout value. Likewise, if you set the PublicClientTimeout value to a value that is greater than the TrustedClientTimeout value, the TrustedClientTimeout value defaults to be equal to the PublicClientTimeout value.
To set the Outlook Web Access forms-based authentication trusted computer cookie time-out value:
1.
On the Exchange front-end server, log on by using the Exchange administrator account, and then start Registry Editor.
2.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
3.
On the Edit menu, point to New, and then click DWORD Value.
4.
Type TrustedClientTimeout for the name of the DWORD, and then press ENTER.
5.
Right-click the TrustedClientTimeout DWORD value, and then click Modify.
6.
Under Base, click Decimal.
7.
In the Value data box, type a value that represents the number of minutes for the time-out. This number must be between 1 and 43200. (43200 minutes are equal to 30 days.) If you do not set a value, a value of 1440 is assumed.
Note The maximum possible value is 43200 for 30 days.
8.
Click OK.
9.
Open a command prompt, type net stop w3svc, and then press ENTER.
10.
After the services stop, type net start w3svc, and then press ENTER.
Pasted from <http://support.microsoft.com/default.aspx?scid=kb;en-us;830827&Product=exch2003>
|
|
|
|