Set Cookie authentication timeout

The Outlook Web Access logon page provides two types of authentication security options. You can select any of the following security options on the Outlook Web Access logon page as needed:

•

"Public or shared computer"-tells users to select this option when they Access Outlook Web Access from a computer that never uses security settings for an organization. For example, the Internet kiosk computer does not use Security Options for organizations. The "public or shared computer" option is the default option and provides a 15-minute short default timeout option.

•

"Private Computer"-when a user is the only operator of a computer and the computer uses security settings for your organization, tell them to select this option. This option allows a longer period of inactivity before the session is automatically ended. Its internal default value is 24 hours. The "private computer" option is intended to facilitate the use of personal computer Outlook Web Access users in the office or home.

In addition, when the Outlook Web Access client uses form-based authentication for logon, they can also be selected between the following two types of Outlook Web Access Client versions:

•	Premium-this is the default version. It provides all Outlook Web Access functions. Note:: The Outlook Web Access Premium client has special code, so typing the body of the email is considered an activity.
•	Basic-This version provides faster performance, but has fewer features than Premium clients. This version is used if low-speed connections are used.

In Exchange 2003, Outlook Web Access user creden。 are stored in cookies. When a user logs out of Outlook Web Access, the Cookie is cleared and no longer valid for authentication. In addition, by default, if you use a public computer and select the "public or shared computer" option on the Outlook Web Access logon screen, the Cookie on this computer automatically expires 15 minutes after the user is inactive.
Automatic timeout is important because it helps prevent unauthorized access to the user's account. However, although automatic timeout significantly reduces the risk of unauthorized Access, it does not completely eliminate the risk of unauthorized Access to Outlook Web Access accounts when a session is running on a public computer. Therefore, be sure to instruct the user to take preventive measures to avoid risks.
To meet the security requirements of an organization, the administrator can configure the inactivity timeout value on the Exchange front-end server. Exchange 2003 uses the following information to determine user activities:

•	The interaction between the client and the server is considered an activity. For example, operations such as opening, sending, or saving an entry, switching folders or modules, or refreshing views or Web browser windows are considered active.
•	If you enter text in the Outlook Web Access project, it is not considered as an activity. For example, if you type a appointment, meeting requirement, posting, contact, task, or other project, it is not considered an activity.

To configure the timeout value, you must first enable form-based authentication and then modify the registry settings on the server.
To set a form-based authentication Public Computer Cookie timeout value for Outlook Web Access, follow these steps:
Warning: Improper use of the Registry Editor can cause serious problems. You may need to reinstall the operating system. Microsoft cannot guarantee that you can solve problems caused by improper use of the Registry Editor. You are at your own risk to use the Registry Editor.

1.	Log on to the Exchange front-end server using the Exchange Administrator account, and then start the Registry Editor.
2.	Locate and click the following registry subitem: HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ MSExchangeWeb \ OWA
3.	On the "edit" menu, point to "new" and click "DWORD Value ".
4.	TypePublicClientTimeoutAs the DWORD name, and then press Enter.
5.	Right-click the "PublicClientTimeout" DWORD Value and click "modify ".
6.	Under "base", click "decimal ".
7.	In the value data box, type a value that indicates the number of timeout minutes. This number must be between 1 and 43200. 43200 minutes equals 30 days .) If you do not set a value, the default value is 15. Note:: The maximum value is 43200, that is, 30 days.
8.	Click OK ". Important: You must restart IIS to make these changes take effect. In addition, if you set the TrustedClientTimeout value to a value smaller than PublicClientTimeout, The TrustedClientTimeout value is equal to the PublicClientTimeout value by default. Similarly, if you set the PublicClientTimeout value to a value greater than the TrustedClientTimeout value, the TrustedClientTimeout value is equal to the PublicClientTimeout value by default.

Set the Cookie timeout value for form-based authentication trusted computers for Outlook Web Access:

1.	Log on to the Exchange front-end server using the Exchange Administrator account, and then start the Registry Editor.
2.	Locate and click the following registry subitem: HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ MSExchangeWeb \ OWA
3.	On the "edit" menu, point to "new" and click "DWORD Value ".
4.	TypeTrustedClientTimeoutAs the DWORD name, and then press Enter.
5.	Right-click the "TrustedClientTimeout" DWORD Value and click "modify ".
6.	Under "base", click "decimal ".
7.	In the value data box, type a value that indicates the number of timeout minutes. This number must be between 1 and 43200. 43200 minutes equals 30 days .) If you do not set a value, the default value is 1440. Note:: The maximum value is 43200, that is, 30 days.
8.	Click OK ".
9.	Open a command prompt and typeNet stop w3svcAnd press Enter.
10.	After the service is stopped, TypeNet start w3svcAnd press Enter.