How to Set the Outlook Web Access Forms-Based Authentication Public Computer Cookie Time-Out Value

 

In Microsoft® Exchange Server 2003, Outlook Web Access user credentials are stored in a cookie. When the user logs off Outlook Web Access, the cookie is cleared and is no longer valid for authentication. Additionally, by default, if a user on a public computer selects the Public or shared computer option on the Outlook Web Access logon screen, the cookie on that computer expires automatically after 15 minutes of user inactivity.

The automatic time-out is valuable because it helps protect a user's account from unauthorized access. To match the security requirements of your organization, an administrator can configure the inactivity time-out values on the Exchange front-end server. To configure the time-out value, you must modify the registry settings on the server.

Before You Begin

Warning

Although the automatic time-out greatly reduces the risk of unauthorized access, it does not completely eliminate the possibility that an unauthorized user might access an Outlook Web Access account if a session is left running on a public computer. Therefore, make sure that you educate users about precautions to take to avoid risks.

Procedure

  1. On the Exchange front-end server, log on with the Exchange administrator account, and then start Registry Editor (regedit).

  2. In Registry Editor, locate the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
    
  3. On the Edit menu, point to New, and then click DWORD Value.

  4. In the details pane, name the new value PublicClientTimeout.

  5. Right-click the PublicClientTimeout DWORD value, and then click Modify.

  6. In Edit DWORD Value, under Base, click Decimal.

  7. In the Value Data box, type a value (in minutes) between 1 and 432,000.

  8. Click OK.
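
The same change can be scripted so that the range check and a read-back are enforced every time. The following PowerShell is an added example, not part of the original procedure; the parameter name Minutes is hypothetical, and the script assumes it is run with administrative rights on the Exchange front-end server.

```powershell
# Added example: scripted equivalent of the Registry Editor steps above.
# $Minutes is a hypothetical parameter name chosen for this example.
param(
    [Parameter(Mandatory = $true)]
    [int]$Minutes
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA'
$valueName = 'PublicClientTimeout'

# The procedure gives the valid range as 1 to 432,000 minutes.
if ($Minutes -lt 1 -or $Minutes -gt 432000) {
    throw "PublicClientTimeout must be between 1 and 432000 minutes; got $Minutes."
}

# The procedure locates an existing key. If it is missing, stop instead of
# creating it, because this is probably not the front-end server.
if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key not found: $keyPath"
}

# Capture the previous value, if one was set, for the change record.
$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($existing) {
    $previous = $existing.PublicClientTimeout
} else {
    $previous = '(not set)'
}

# Create or overwrite the DWORD value (steps 3 through 8 of the procedure).
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
    -Value $Minutes -Force | Out-Null

# Read the value back and fail loudly if it did not take effect.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName).PublicClientTimeout
if ($current -ne $Minutes) {
    throw "Verification failed: expected $Minutes, registry holds $current."
}

Write-Output "PublicClientTimeout changed from $previous to $current minutes."
```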

For More Information