Cause

IIS caches the user tokens it creates for OWA access. When a user logs on to an Exchange mailbox through a web browser, IIS authenticates the supplied credentials, creates a logon token for the user and keeps that token in its cache, keyed by the credentials that produced it.

If the account's credentials (username or password) are subsequently changed, or the account is disabled, the user can still access the mailbox for some period of time using the old credentials: as long as the cached token has not expired, IIS reuses it instead of contacting a domain controller again, so the change made in Active Directory is not seen by OWA until the cache entry expires.

According to the Microsoft documentation the default cache expiration time is 15 minutes (the UserTokenTTL value described below, 900 seconds). In practice the window during which the old credentials keep working can be longer than that.

Resolution

You can force the expiration of the IIS token cache immediately by restarting the IIS services (note that this briefly interrupts all OWA sessions served by that front-end server):

  1. On each Exchange front-end server run the "Internet Information Services (IIS) Manager" snap-in (Start / Programs / Administrative Tools / Internet Information Services (IIS) Manager).
  2. In the left pane right-click the local computer node (for EXFE01 it was "EXFE01 (local computer)").
  3. Select "All Tasks" / "Restart IIS...". A message box opens.
  4. In the list box select "Restart Internet Services on ..." (selected by default) and click "OK".

You can change the default lifetime of cached tokens so that credential changes and account disablement take effect sooner:

  1. On each Exchange front-end server run the registry editor (regedit.exe).
  2. Locate the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters
  3. Within this key add a DWORD value named UserTokenTTL with the decimal value 300. The value is the number of seconds a cached token stays valid, so 300 means a token expires 5 minutes after it was cached.
  4. Restart IIS as described above so that the new value is read and the tokens already in the cache are discarded.

A shorter TTL means IIS has to re-authenticate users more often, which increases the number of logon requests sent to the domain controllers; choose the value as a trade-off between how quickly a revoked credential must stop working and the extra authentication load.
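Both procedures above (setting the token TTL and restarting IIS), scripted for several front-end servers, as an added example that is not part of the original article. The server names, the use of PowerShell remoting (WinRM) and the assumption that the caller is a local administrator on every server are assumptions; the registry key, the UserTokenTTL value name and the 300-second TTL are the ones given in the article.

```powershell
# Added example, not from the original article.
# Sets UserTokenTTL on each Exchange front-end server, verifies the value that
# was written, and restarts IIS so the new TTL applies and the current cache is flushed.
# Assumptions: PowerShell remoting is enabled on the targets and the caller is a
# local administrator there. Server names are placeholders (EXFE01 is the name
# used in the article).
$FrontEndServers = @('EXFE01', 'EXFE02')
$TtlSeconds      = 300   # 5 minutes, as in the article; IIS default is 900 (15 minutes)
$KeyPath         = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'

$Script = {
    param([string]$KeyPath, [int]$TtlSeconds)

    if (-not (Test-Path -Path $KeyPath)) {
        throw "${env:COMPUTERNAME}: registry key '$KeyPath' not found; is IIS installed?"
    }

    # Report the current setting so the change is traceable in the run log.
    $current = (Get-ItemProperty -Path $KeyPath -Name 'UserTokenTTL' -ErrorAction SilentlyContinue).UserTokenTTL
    if ($null -eq $current) {
        Write-Output "${env:COMPUTERNAME}: UserTokenTTL not set (IIS default applies); creating it."
    } else {
        Write-Output "${env:COMPUTERNAME}: UserTokenTTL is currently $current seconds."
    }

    # REG_DWORD holding the lifetime in seconds. Creates the value if absent,
    # overwrites it if present.
    Set-ItemProperty -Path $KeyPath -Name 'UserTokenTTL' -Value $TtlSeconds -Type DWord

    # Read back and check before touching IIS, so a failed write is caught here.
    $written = (Get-ItemProperty -Path $KeyPath -Name 'UserTokenTTL').UserTokenTTL
    if ($written -ne $TtlSeconds) {
        throw "${env:COMPUTERNAME}: expected UserTokenTTL=$TtlSeconds, found $written"
    }

    # Restart IIS: discards every cached token now and makes the new TTL take
    # effect. OWA on this server is unavailable for a few seconds.
    & iisreset.exe /restart | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "${env:COMPUTERNAME}: iisreset failed with exit code $LASTEXITCODE"
    }
    Write-Output "${env:COMPUTERNAME}: UserTokenTTL=$written seconds, IIS restarted."
}

foreach ($server in $FrontEndServers) {
    Invoke-Command -ComputerName $server -ScriptBlock $Script -ArgumentList $KeyPath, $TtlSeconds
}
```

Run the script from an administrative PowerShell session on a management host. If you only want to flush the cache without changing the TTL (the first procedure above), run `iisreset.exe /restart` on each front-end server and skip the registry steps.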
