We are in the process of moving mailboxes from our 2010 environment to our 2013 environment and are using the 2013 CAS as internet facing, for any mailboxes on 2010, requests are proxied through.

We have the registry DWORD ChangeExpiredPasswordEnabled set to 1 in HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA but this isn't working.

It use to work perfectly well when we had the 2010 CAS server internet facing.

Is this still supported in Exchange 2013?

Hello,

There seems no article to explain this point.

For my personal, I consider this methods is ok.

Did you restart iis after you changed registry?

If you have any feedback on our support, please click here

I don't actually remember setting this manually... I went looking to set it and found it already set.  

The server itself has been restarted a few times so it should have kicked in

I don't actually remember setting this manually... I went looking to set it and found it already set.  

The server itself has been restarted a few times so it should have kicked in

yeah - I JUST installed Exchange 2013 on this box and the registry key is set, but it does not appear to be working. :(

Hello,

There may exist cache age after you modify your password and AD replication problem, please wait 15s-20s and check the result.

If you have any feedback on our support, please click here

Hello,

There may exist cache age after you modify your password and AD replication problem, please wait 15s-20s and check the result.

If you have any feedback on our support, please click here

I'm with tyler gohl on this, it's got nothing to do with AD replication.  It worked on Exchange 2010, but not on Exchange 2013

Anybody else have any ideas?

Hello,

Sorry for my misunderstanding.

For your issue, I will research further and I suggest you contact microsoft support. Maybe they have some ideas.

If you have any feedback on our support, please click here

Hello,

Sorry for delayed response.

At present, I still doesn't get more related information.

Is there any update?

If you have any feedback on our support, please click here

Hello,

At present, there is not still for technet article to explain whether the ways can works in exchange 2013.

I suggest you upgrade exchange 2013 cu1 and check the result.

If you have any feedback on our support, please click here

I can confirm that this is an issue that we are seeing as well.  The registry already had this feature enabled.

Exchange 2013 CU1 (installed right from CU1) co-existing with 2010.  2010 Mailboxes with 2010 CAS are still able to change passwords.

Hello,

Maybe the ways doesn't work in exchange server 2013.

I still suggest you contact microsoft support to verify the issue.

If you have any feedback on our support, please click here

After opening a support case, it looks like enabling HTTP Redirection in IIS (under Default Website) was the cause.  When we disabled it, it worked. 

HTTP redirection should be configured for iisstart.htm (not for the entire site) if you want to redirect to /owa.

They didn't say -- it was enabled as the default as well for a new install Exchange 2013 CU1 here as well and I mentioned this to them.

Very interesting indeed.
@Ed Cho
Are you really able to log on with an expired account and are prompted to change the password when you do??

I have tested this in several different Exchange 2013 enviroments (both RTM and CU1) and it doesn't work.
To me it seems that this is just another thing with OWA that doesn't work (Disable OWA Access is someting else that doesn't work)

Yes -- I double checked that I had the registry key on 2013 and then called them. 

After a few hours of troubleshooting, they suggested that I disable HTTP redirection in IIS, after performing the action, we were able to make the password change form appear. 

They did check our AD domain functional level (ours is 2008 I believe).  Also might help to note that our 2013 box is on a 2012 server.

@Ed Cho
Can you tell us if you are able to log on with an expired account and are prompted to change the password when you do??

@Ed Cho
Can you tell us if you are able to log on with an expired account and are prompted to change the password when yo

Yes -- we are able to logon with an expired account and it does prompt us to change the password.

After opening a support case, it looks like enabling HTTP Redirection in IIS (under Default Website) was the cause.  When we disabled it, it worked. 

HTTP redirection should be configured for iisstart.htm (not for the entire site) if you want to redirect to /owa.

After opening a support case, it looks like enabling HTTP Redirection in IIS (under Default Website) was the cause.  When we disabled it, it worked. 

HTTP redirection should be configured for iisstart.htm (not for the entire site) if you want to redirect to /owa.

Hmmm.. Apparently we don't have HTTP redirection turned on, but it still doesn't appear to be working for us.  Did they make any other adjustments?

Before that step, they also made us delete the web.config file under the wwwrooot so that it would be recreated from the defaults but that didn't do anything for us.

Before that step, they also made us delete the web.config file under the wwwrooot so that it would be recreated from the defaults but that didn't do anything for us. 

You are referring to HTTP -> HTTPS redirection and not https://servername -> https://servername/owa redirection right?

I'm referring to the HTTP redirection under features in IIS. 

That was turned on (it was actually installed that way) and we turned it off for the password change to work. 

I don't have HTTP redirection enabled within IIS and it's not working for me.

Any other suggestions?

I opened up a case with Microsoft and we've done 2 things, not sure which has fixed it.

1) On the password policy for the domain, set the min password age as 0 days (previously set as 1)

2) On the CAS server, under IIS, Default Websit, OWA, Authentication and on Basic Authentication set the default domain to "\"

This has resolved the issue for us. 

Thanks adamf83.  In our case #2 was the fix.

I wonder if Get-OWAVirtualDirectory | Set-OWAVirtualDirectory -DefaultDomain "\" would accomplish the same thing?