Does Entourage cache password expiration notices?

[Jamie_Rasmussen]

Version: 2008
Operating System: Mac OS X 10.5 (Leopard)
Processor: Intel
Email Client: Exchange

Good morning, Everyone.

We recently migrated my company's users from their previous mail solution to Entourage/Exchange (basically added my users to our parent organization's existing AD and Exchange infrastructure). Last week, our CTO noticed an impending password expiration notice in webmail (domain policy requires a refresh every 90 days). As forcing a password change right now would cause Bad Things, the decision was made to temporarily disable this policy (until our users can be properly trained up).

Flash forward seven days to this morning, when every user—upon firing up Exchange for the first time of the day—was prompted with the "Logon failure: unknown username or password" error dialog. After re-entering their current passwords, users' mail connections were restored. Subsequent restarts of Entourage and rebooting of machines has proven that the "new" (old) password has been properly saved in the Keychain.

My question is this: Did Entourage cache the password expiration notice it received from the server last week, and even though the password expiration was halted, “helpfully” expire (or forget) users’ passwords anyway?

Thank you,
--Jamie Rasmussen

P.S. Environment is a mix of 10.4.11 and 10.5.6 Macs running Entourage 12.1.5 connecting to an Exchange 2007 infrastructure.

 

[William Smith [MVP]]

My question is this: Did Entourage cache the password expiration
notice it received from the server last week, and even though the
password expiration was halted, “helpfully” expire (or forget) users’
passwords anyway?

Entourage does not store that information. It comes directly from your
Active Directory servers when Entourage attempts authentication through
Exchange.

The "impending password expiration notice" was just that, impending.
Your boss was being notified that he'll soon have to change his
password, not change it immediately. Entourage will do this too starting
about six days before the change is required.

My guess is that your Entourage users saved their passwords, which are
stored in the Mac OS X keychain, and later you had your "change
password" training. They all changed their passwords. Then they launched
Entourage. Entourage tried the old saved password and told them "This
password doesn't work. Do you want to try a different password?" Users
enter their new password and everything worked.

This is normal behavior.

Or did your AD admin disable password expiration notifications but not
disable password expirations themselves?

--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>

 

[Jamie Rasmussen]

William,

No one changed their passwords. That was the point of turning off the
global 90-day expiration rule on the server‹‹the users are not at a point
where a password change would go smoothly at all (once I get them all
integrated into the AD forest, which is the next thing with which I've been
tasked, we'll be ready for that). There is a lot of corporate inertia here
(mostly bad practices) that we're trying to overcome....but baby steps are
necessary in this environment.

As it turns out, after reviewing the Exchange server logs with a Microsoft
engineer, there was a permissions issue on the server with the temp
directories that was affecting not only my Mac users, but the Windows users
in the parent organization as well (however, Outlook was not presenting
those users with any authentication errors, just quietly trying again).
Apparently, Outlook is a little more fault-tolerant than Entourage.

To summarize, the permissions problem on the server has been corrected, and
there have been no more authentication issues.

Thanks,
--Jamie