Exchange Outlook Web App (OWA) uses Active Directory for authentication, but once a user has successfully authenticated through OWA, IIS generates a login token and caches it for 15 minutes. For the next 15 minutes, even if the account exceeds the threshold for invalid logon attempts, the cached token still allows a successful OWA logon. The account will be locked out in Active Directory, but this opens a 15-minute window in which an attacker can keep brute-forcing the account through OWA. Only after the cached token has expired does OWA stop accepting the credentials.
In order to minimize the caching time do the following:
1. On your IIS server(s) where OWA resides, open regedit and navigate to the IIS parameters key.
2. From the Edit menu, then the Add menu, select a 32-bit DWORD value and name it UserTokenTTL.
3. Set its value to 30 (decimal).
This means that user tokens will be cached for only 30 seconds by IIS.
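The same change scripted for each OWA server, as an added example that is not part of the original text. It assumes the documented location of the value, HKLM\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters, and an elevated PowerShell session; the functions and names are this example's own.

```powershell
# Added example (not from the original page): lower the IIS user-token cache TTL to 30 seconds.
# Assumption: UserTokenTTL lives under the InetInfo parameters key below (Microsoft's documented
# location for this setting). Run elevated on every IIS server that hosts OWA.
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'
$ValueName  = 'UserTokenTTL'
$TtlSeconds = 30

function Get-UserTokenTtl {
    # Returns the configured TTL in seconds, or $null when the value is absent
    # (IIS then falls back to its built-in default of 15 minutes).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-UserTokenTtl {
    param([int]$Seconds)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # -PropertyType DWord creates the 32-bit REG_DWORD the text asks for; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Seconds -PropertyType DWord -Force | Out-Null
}

$before = Get-UserTokenTtl
if ($null -eq $before) { Write-Host "$ValueName not set: IIS is using the 15-minute default" }
else                   { Write-Host "$ValueName currently $before seconds" }

Set-UserTokenTtl -Seconds $TtlSeconds

# Read the value back so the change is verified rather than assumed.
$after = Get-UserTokenTtl
if ($after -ne $TtlSeconds) { throw "Expected $ValueName = $TtlSeconds, found '$after'" }
Write-Host "$ValueName is now $after seconds; restart IIS (iisreset) so the new TTL is picked up."
```

The script verifies the value by reading it back; a lockout-to-OWA-rejection check in a test environment confirms the window has shrunk as expected.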