Authentication Question (Full Version)



carlo1973 -> Authentication Question (22.Feb.2010 6:41:43 PM)

Hey everyone...

I've noticed something majorly weird. I recently had to change my password from within OWA. I've rebooted my system. Even used other browsers. But no matter what, I can log in with my old password. What's really bizarre is that I can log in with up to the last 3 passwords I've used on this system (Windows XP Pro at work) or even my machine I use for testing connectivity outside the company network (Linux box). For the one I use at work - I can reboot, and log in to other profiles, even those I've never used webmail in before, and it still loads up my webmail with my old passwords. I've tried using a completely different station - and I wasn't able to log in with the old passwords at all. This leads me to believe it's a cached credential that is persistent to the browser. I have not tried to log into webmail under a different profile from my Linux box outside the network.

When I log in with my old passwords, I am able to send and receive email, change settings, including changing the password.

This has me and the others in our I.T. department worried about security. Because this doesn't seem to matter which profile one logs into, and as long as someone uses the same machine and knows one of the older passwords, a person can gain full access to someone else's email.

Has anyone seen or heard of anything like this before? We are using Exchange 2007 on Server 2008.
