分享
 
 
 

Exchange 2003 OWA中修改密码[from http://www.msexchange.org]

王朝other·作者佚名  2006-04-24
窄屏简体版  字體: |||超大  

Installing the Microsoft Certificate Service

To install the CA component, log on to the server that抯 going to hold the CA service, and then do the following:

1. Click Start | Control Panel | Add or Remove Programs.

2. Select Add/Remove Windows Components.

3 Put a check mark in the Certificate Services box

A Microsoft Certificate Services warning dialog box will appear. The box informs you that you cannot change the machine name or the domain membership of the machine while it acts as a certificate server. Read and take note of this message; otherwise, you could end up in quite a mess.

4. Click Yes, then click Next.

5. Select Enterprise root CA (recommended when you have an AD), then click Next

Reality Check…

When dealing with OWA environments, you should typically choose to install an enterprise root certificate service unless a standalone root certificate service is specifically required. We won’t go into detail on the differences between the types of CA in this book, but if you want to read more about them, we suggest you take a look at the following two links at Microsoft Technet:

Enterprise certification authorities www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CSEnterCA.asp?frame=true

Stand-alone certification authorities www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CSStandCA.asp?frame=true

Alternatively, check your CA server Help file.

In the screen that appears , type in a common name for this CA. The common name of the CA is typically the DNS host name or NetBIOS name (computer name) of the server running the certificate services. In this specific example, the name of the machine is TESTS01, so we will enter TESTS01 in the Common name field. The default Validity Period of the CA self-signed certificate is five years, which in most cases should be sufficient, so leave this setting at the default. Click Next.

6. On the Certificate Database Settings page , use the default locations for the Certificate Database and Certificate Database Log. Note that when the server is part of an Active Directory, it's typically not necessary to store configuration information in a shared folder. Click Next.

7. Another warning dialog box will appear. This time it informs you that to complete the installation, the IIS must be stopped temporarily. Click Yes.

8. The wizard will now complete the installation of the Certificate Authority Services. Click Finish

9. Close the Add or Remove Components window.

The CA is now installed, and we can issue the necessary SSL certificate to our OWA virtual directories.

Creating the Certificate Request

Now that we have installed the online Certificate Authority Service, it's time to create the Certificate Request for our Exchange 2003 server's default Web site. Do the following:

1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.

2. Expand Web Sites, right-click Default Web Site, and select Properties.

3. Click the Directory Security tab

4.Under Secure Communications, click the Server Certificate button. You will be presented with the Web Server Certificate Wizard screen shown. Click Next.

5. Because we are going to create a new certificate, leave this screen to with its default settings. Click Next.

6. Because we’re configuring an online enterprise authority, select the Send the request immediately to an online certificate authority option from the Delayed or Immediate Request screen. Click Next.

7. In the next screen that appears, enter a name for the certificate in the Name text box . This is only a descriptive name, meaning it doesn’t affect the functionality of the certificate in any way, so enter something that describes the certificate. Because the default bit length key in most situations is sufficient, leave it at its default value of 1024. (This bit length is capable of generating 128-bit encryption, which is what we’re going to use.) Click Next.

8. We now have the option of specifying our organization and organizational unit. Using the defaults is just fine. Click Next.

9.In the screen that appears, we need to pay extra attention, since the common name reflects the external fully qualified domain name (FQDN). This is the address external users have to type in their browsers to access OWA from the Internet. If this common name doesn’t match the name (FQDN) that the OWA clients connect to, the client will see an error message. Type your site’s FQDN in the Common name field. Click Next.

10. Type your information in the Country/Region, State/province, and City/locality boxes. Click Next.

11.We now have the option of specifying the SSL port for the Web site. Because SSL typically uses port 443, leave the defaults. Click Next.

12.In following Figure, select the respective certification authority. Since we only have one in this example, leave the defaults. Click Next.

13.We now have a chance to review the information we specified throughout the IIS Certificate Wizard. If you find you made a mistake, this is your final chance to correct it. Carefully review the information in the Certificate Request Submission screen, and if you’re satisfied, click Next and then click Finish.

Note

Because the SSL certificates were created using an online CA, SSL has been enabled automatically (see Figure 5.28). If you used a third-party certificate or an offline CA, you would have to manually put a check mark in Require secure channel (SSL) and Require 128-bit encryption.

SSL has now been enabled on our default Web site using our own Enterprise Certificate Service. Let’s see if it works as it’s supposed to.

14. From a client, launch Internet Explorer, then type http://exchangeserver/exchange. You should see an error message like the one shown in Figure

15. Now type https://tests01/exchange instead. You will be presented with a Security Alert box like the one shown in Figure .

Note

The yellow warning icon tells us The name on the security certificate is invalid or does not match the name of the site. This is expected, since during this little test we aren’t accessing the site via its common name (mail.testdomain.com).

16.Click Yes. You will now be prompted for a valid username/password, as shown in Figure

17.Enter a valid username and password, and your OWA session will load (see Figure ).

Notice the little yellow lock icon in the lower-right corner of the screen; this indicates we’re viewing a secure site, so fortunately our SSL-enabled OWA site works correctly.

Allowing Password Changes Through OWA

In this section you will learn how to enable the Change Password functionality in OWA 2003.

Because of Microsoft’s Trustworthy Computing initiative, one of the OWA 2003 things that is disabled by default is the user’s option to change his or4 her account password through the OWA 2003 interface. As you might remember, this option was enabled by default in Exchange Server 2000, but many organizations actually disabled the feature because, before Windows 2000 Service Pack 4, it was considered quite insecure. Before Microsoft released Windows 2000 Service Pack 4, the technology for changing passwords through OWA (or more specifically, through IIS) was based on HTR files and an ISAPI extension (Ism.dll), which potentially exposes the Web server to quite a security risk because the ISAPI extension (Ism.dll) needed to run under the security context of System. This basically means that if the system is compromised, a hacker could get full control over the local machine.

Now the Change Password functionality has been modified to use Active Server Pages (ASPs), which makes the functionality more secure, since it is run under the configurable security context of the current process (such as DLLHost, which uses the user, IWAM_, by default).

Before adjusting the Change Password functionality in OWA 2003, you first need to implement SSL on your OWA server, as shown earlier in this chapter.

Creating the IISADMPWD Virtual Directory

We first need to create a new virtual directory in the IIS Manager, you should therefore do the following:

1. Log on to the Exchange server.

2. Click Start | All Programs | Administrative Tools | Internet Services Manager.

3. Expand Local Computer | Web Sites.

4. Right-click the Default Web Site and point to New, then click Virtual Directory.

5. The Virtual Directory Creation Wizard is launched. Click Next.

6. In the Virtual Directory Creation Wizard, type IISADMPWD in the Alias box, then click Next (see Figure).

7. You now need to specify the directory path. Type C:\windows\system32\inetsrv\iisadmpwd (see Figure), then click Next.

8.Verify that only the Read and Run scripts (such as ASP) check boxes are set, as shown in Figure , then click Next and then Finish.Note

Note

It’s important you only give Read and Run Scripts permissions in Step 8. Giving write permissions would allow a potential hacker to replace the scripts with his own versions!

As you can see in following Figure , we now have a IISADMPWD virtual directory under our default Web sites.

We now have to verify that the IISADMPWD virtual directory has anonymous access enabled. Otherwise, we can end up in situations where the client and server go into a so-called endless loop when you attempt to authenticate users who are prompted to change an expired password. You can read more about this issue in MS KB Article 275457: “IIS 5.0 May Loop Infinitely When A User Is Forced to Change Their Password,” at support.microsoft.com/?id=275457.

9. Right-click the IISADMPWD virtual directory, then select Properties.

10. Select the Directory Security tab, and then under Authentication and access control, click Edit (see Figure).

11. Put a check mark in the Enable anonymous access box, as shown in Figure .

12. Click OK twice and close the IIS Manager.

If you are running Exchange Server 2003 on a Windows Server 2000-based machine, there is one more thing to do: You need to reset the PasswordChangeFlags flag in the IIS 5.x Metabase to zero. This is done the following way:

13. Click Start | Run, and type CMD.

14. Change to the C:\Inetpub\Adminscripts directory by typing cd c:\inetpub\adminscripts, and type adsutil.vbs set w3svc/passwordchangeflags 0.

Enabling the Change Password Button in OWA

Now it’s time to make the Change Password button visible in OWA. You do this in the registry of the Exchange 2003 server:

1. On the Exchange server, click Start | Run and type Regedt32.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA (see Figure).

3. Change the value of DisablePassword REG_DWORD from 1 to 0 (see Figure)

4. Close the registry editor.

5. Restart the IIS Services—for example, by opening a command prompt and typing IISRESET.

Testing the Change Password Feature in OWA

We now need to check to see if the Change Password option is available, and last but not least, working as it’s supposed to:

1. Launch Internet Explorer.

2. Enter the URL to OWA—in this example, https://mail.testdomain.com.

3. Log on with your username and password.

4. Click the Options button.

5. In the Options window, scroll all the way to the bottom, and click the now visible Change Password button under Password (see Figure).

If it works, you will be presented with the window shown in Figure .

6. To test if we are able to actually change a password, fill out the fields with a valid user account, as shown in Figure 5.44, then click OK. You should now see a message stating that your password was changed successfully.

Depending on your organization’s specific setup, you might experience what is known as lag time (delayed change) when users change their passwords. This is especially true if your domain controllers are located at another site than the OWA servers.

Reality Check…

Be aware that if you have installed Exchange Server 2003 on a Windows Server 2000 machine (with SP3 or earlier), on which you also have run the Urlscan 2.5 security tool, you will get an error message when trying to change your password through OWA. The reason is that by default, the Urlscan 2.5 security tool blocks files with the .HTR extension. (Remember, Windows 2000 SP3 and earlier uses the HTR technology for changing passwords.) To resolve this problem, remove .htr from the Deny Scripts section of the urlscan.ini file (by default located in C:\WINDOWS\system32\inetsrv\urlscan). If you plan to install the Urlscan 2.5 security tool on your Exchange 2003 server, there are quite a few things you should take into consideration, so it’s highly recommended that you read MS KB article 823175, “Fine-Tuning and Known Issues When You Use the Urlscan Utility in an Exchange 2003 Environment,” at http://support.microsoft.com/?kbid=823175.

Note

If OWA is installed on a Windows Server 2000 with Service Pack 4 applied or on a Windows Server 2003-based computer, OWA uses the IIS 6.0 ASP Change Password program. Therefore, OWA is not affected by .htr files that are not enabled.

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有