Hi Jim,

Thanks! I appreciate that there is a KB article out before the fix. I recommend that Basic auth be used for compatibility reasons and that SSL be used, but I also like the idea of pre-authentication, so it's good to hear that fix is on the way.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, June 17, 2003 1:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: 819127 - User Credentials Are Transmitted in Clear Text When You Access an SSL Outlook Web Access Server by Using HTTP Protocol

http://www.ISAserver.org

Unfortunately, FP1 doesn't solve the issue. It's a problem with the way the Web proxy engine itself evaluates connections; credentials are requested before the protocol is evaluated. Even if you set the WPR to "require SSL", Basic auth is still transmitted in clear text first <sigh>.

We've got a fix in the works, but testing isn't completed yet. You'll see a nice, detailed KB when we ship it.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, June 17, 2003 08:57
Subject: [isalist] 819127 - User Credentials Are Transmitted in Clear Text When You Access an SSL Outlook Web Access Server by Using HTTP Protocol

Hey everyone,

This one is worth looking at:

819127 - User Credentials Are Transmitted in Clear Text When You Access an SSL Outlook Web Access Server by Using HTTP Protocol:
http://support.microsoft.com/default.aspx?scid=kb;en-us;819127

This is a significant problem, since the ability to limit access by requiring "pre-authentication" at the ISA firewall is a big reason why ISA blows away the competition. The workaround is to use passthrough authentication, which doesn't provide pre-authentication. However, FP1 does allow delegation of basic authentication and that would solve the problem.

If I were the KB dude in charge of this one, I would mention that FP1 fixes the issue. If it doesn't, I'm going to get very sad :(

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
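
An added illustration, not part of the thread and not ISA Server code: a minimal Python model of the ordering described in Jim Harrison's message, where credentials are requested before the protocol is evaluated, next to the ordering that checks the protocol first. The handler names, the 403 used to reject plain HTTP, the realm and the sample credentials are assumptions constructed for the example.

```python
import base64

CHALLENGE = {"WWW-Authenticate": 'Basic realm="owa"'}  # constructed realm

def challenge_first(scheme, authorization=None):
    # Ordering described in the thread: ask for credentials, then look at the protocol.
    if authorization is None:
        return 401, CHALLENGE
    if scheme != "https":
        return 403, {}  # "require SSL" applied only after the credentials arrived
    return 200, {}

def protocol_first(scheme, authorization=None):
    # Assumed corrected ordering: reject plain HTTP before any challenge is issued.
    if scheme != "https":
        return 403, {}
    if authorization is None:
        return 401, CHALLENGE
    return 200, {}

def simulate_client(handler, scheme, user, password):
    """Browser-like client: answers a Basic challenge on the same connection scheme.
    Returns the final status and every (scheme, Authorization) pair sent on the wire."""
    wire = [(scheme, None)]
    status, headers = handler(scheme)
    if status == 401 and headers.get("WWW-Authenticate", "").startswith("Basic"):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        auth = "Basic " + token
        wire.append((scheme, auth))
        status, _ = handler(scheme, auth)
    return status, wire

def cleartext_credentials(wire):
    """Credentials readable on the network path: Basic is base64, not encryption,
    so anything sent over plain HTTP decodes directly to user:password."""
    return [
        base64.b64decode(auth[len("Basic "):]).decode()
        for scheme, auth in wire
        if scheme == "http" and auth and auth.startswith("Basic ")
    ]

if __name__ == "__main__":
    for handler in (challenge_first, protocol_first):
        # Constructed sample user and password
        status, wire = simulate_client(handler, "http", "alice", "example-password")
        print(handler.__name__, status, cleartext_credentials(wire))
```

Both orderings end by refusing the plain-HTTP request; the difference is only whether the client was prompted, and therefore sent its credentials, before the refusal.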