Active Sync - Password Message Not Prompting - After AD pwd expired or new password reset

We have multiple CAS 2010 SP3 servers in a CAS array servicing ActiveSync requests for BlackBerrys and Samsung handhelds.

When a user's password is reset in AD, the user's BB/Samsung works fine for approx. 24 hours. After 20/24 hours they are prompted regarding their password change on their handheld devices. Where is the setting? I want this to be right away, as soon as the password is changed in AD, or maybe within 15 minutes.

Are there any pros and cons here, or what's the best practice/recommendation?

Thank you

February 26th, 2014 1:46pm

Hi,

This problem occurs because it holds the previous cached entries in the IIS.

Reference - http://support.microsoft.com/kb/267568/en-us

Solution for this  - http://support.microsoft.com/kb/152526/en-us

If you follow the above solution you can modify the default interval for the token cache in the registry and you can see users will be prompted instantly for changing their passwords.


Regards
Sathish

February 26th, 2014 7:00pm

You can also check this KB article, which speaks to ActiveSync:

http://support.microsoft.com/kb/2612821/en-us


  • Edited by m0j0m1ke Wednesday, February 26, 2014 7:10 PM
  • Marked as answer by WildPacket Monday, March 03, 2014 1:17 PM
February 26th, 2014 7:08pm

Thanks All.

Sathish ... the solution link http://support.microsoft.com/kb/152526/en-us says under SYMPTOMS:

Internet Information Server (IIS) has a default delay of 15 minutes before users tokens are updated. For example, if you change the password on a user account, you will be able to connect to the server with both the old password and the new password.

In my handheld device users' case it is around 24 hours approx., not 15 minutes?

Thoughts?

February 26th, 2014 9:32pm

WildPacket, per the KB article I linked above:

When an EAS device is set to synchronize items as they arrive (Direct Push), any changes made to the user's account in Active Directory can require 8 to 24 hours before the device recognizes those changes.

When using Direct Push, devices maintain an open connection to the server. Any changes made after the connection is established will not take effect immediately.

February 26th, 2014 9:49pm

Hi WildPacket,

How about the suggestions that m0j0m1ke provided?

Based on my experience, it should be the solution probably.

Waiting for your update.

Thanks

Mavis 

February 28th, 2014 8:41am

Hi WildPacket,

Any update?

Thanks

Mavis

March 3rd, 2014 2:00am

Hi Wildpacket,

As said by m0j0m1ke, once ActiveSync establishes continuous sync (Direct Push), it takes 8 to 24 hours to recognize the changed password.

Any update on this?

March 14th, 2014 3:42am

Hi Sathish ...

As per m0j0m1ke, it seems that's what's happening. In our case it appears to be 24 hours.

I guess I cannot change this behaviour?

March 17th, 2014 12:12pm

As a workaround, you may disable "Exchange ActiveSync" and OWA under Mailbox Features for a while and enable them again in several minutes.
September 8th, 2015 1:53am
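
The workaround from the last reply, scripted for the Exchange Management Shell as an added example (not code from the thread or from Microsoft). The function name `Reset-MobileAccess`, the 5-minute default wait and the sample identity are assumptions; the thread only says "several minutes".

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
# Reset-MobileAccess is a hypothetical helper name, not an Exchange cmdlet.
function Reset-MobileAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        # Assumption: the post only says "several minutes"; 5 is a placeholder.
        [int]$WaitMinutes = 5
    )

    # Record the current state so only features that were enabled are re-enabled.
    $before = Get-CASMailbox -Identity $Identity -ErrorAction Stop

    if (-not $PSCmdlet.ShouldProcess($Identity, 'Temporarily disable ActiveSync and OWA')) {
        return
    }

    try {
        Set-CASMailbox -Identity $Identity -ActiveSyncEnabled $false -OWAEnabled $false -ErrorAction Stop
        Start-Sleep -Seconds ($WaitMinutes * 60)
    }
    finally {
        # Always restore the original settings, even if the wait is interrupted.
        Set-CASMailbox -Identity $Identity `
            -ActiveSyncEnabled $before.ActiveSyncEnabled `
            -OWAEnabled $before.OWAEnabled
    }

    # Show the final state so the operator can confirm access was restored.
    Get-CASMailbox -Identity $Identity |
        Select-Object Name, ActiveSyncEnabled, OWAEnabled
}

# Constructed sample identity; -WhatIf previews the change without applying it.
Reset-MobileAccess -Identity 'jdoe@example.com' -WaitMinutes 5 -WhatIf
```

Drop `-WhatIf` to apply the change; the user loses mobile and OWA access for the duration of the wait.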
