Hi @This is Parya,
I've also read in some articles that this behavior (OWA can still be accessed using the old password) could be related to the IIS token caching, which is 15 min by default. I did a lot of research on this, but didn't see it documented anywhere how to view this default value in Exchange. But we can control this value by adding the registry setting:
- Start Registry Editor (regedit) on the server that is running IIS and through which the user gains access to OWA.
- Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters
- On the Edit menu, click Add Value, and then add the following registry value:
Value Name: UserTokenTTL (This is case-sensitive.)
Data Type: REG_DWORD
Base: Decimal
Value Range: 0 – 1098907647 (This unit is in seconds.)
- Exit Registry Editor, and then restart IIS.
However, considering that in your scenario "it happens once for example in every 10 tries for changing passwords", I am assuming that other factors might also be involved, so adjusting the UserTokenTTL registry setting won't necessarily solve this issue.
Then I did further research and found the article below, which discusses a relevant topic. According to the information shared there, various factors could have an effect on how long a user will still be able to use the old password to access their OWA, such as the browser the user is using and whether the user already has an active open session in OWA when the password is changed.
How to: Users still have access to Outlook Web Access after disabling account or changing password
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
With the above being said, the next time this issue occurs, it's suggested to try one of the following methods to force clear the token cache and check the result:
Method 1: Reset IIS.
On the server or servers the user connects to, open Command Prompt as an administrator, type "iisreset", and press Enter. Or you can use the Services.msc snap-in to manually restart the IIS Admin service.
Method 2: Recycle the App pools
Open IIS manager, click Application Pools, right-click MSExchangeOWAAppPool, and then click Recycle.
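Added example (not part of the answer above and not a Microsoft script): the registry steps and the two cache-clearing methods as one PowerShell function. The function name `Set-UserTokenTtl`, its parameters and the sample value of 60 seconds are hypothetical; the registry key, value name, data type, range and app pool name are the ones given in the answer.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server
# through which users reach OWA.
function Set-UserTokenTtl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Token cache lifetime in seconds; range as quoted in the answer.
        [Parameter(Mandatory)]
        [ValidateRange(0, 1098907647)]
        [int]$Seconds,
        # Method 1: full IIS reset. Interrupts every site on the server.
        [switch]$RestartIis,
        # Method 2: recycle only the OWA application pool.
        [switch]$RecycleOwaPool
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'
    $name = 'UserTokenTTL'   # case-sensitive, per the answer

    if (-not (Test-Path $key)) { throw "Registry key not found: $key" }

    # Report the existing state first so the change can be reverted later.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        Write-Host "$name is not set; IIS is using its built-in default."
    } else {
        Write-Host "$name is currently $current seconds."
    }

    # Write the REG_DWORD only when the value actually changes.
    if ($current -ne $Seconds -and $PSCmdlet.ShouldProcess("$key\$name", "Set to $Seconds")) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Seconds -Force | Out-Null
    }
    if ($RestartIis -and $PSCmdlet.ShouldProcess('IIS', 'iisreset')) {
        & iisreset.exe
    }
    if ($RecycleOwaPool -and $PSCmdlet.ShouldProcess('MSExchangeOWAAppPool', 'Recycle')) {
        Import-Module WebAdministration
        Restart-WebAppPool -Name 'MSExchangeOWAAppPool'
    }
}

# Dry run with a constructed sample value: shows what would change, changes nothing.
# Set-UserTokenTtl -Seconds 60 -RestartIis -WhatIf
```

Run it with `-WhatIf` first to see the current value and the pending actions, then schedule the real run for a maintenance window, since `-RestartIis` drops active sessions on that server.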