Re: 819127 - User Credentials Are Transmitted in Clear Text When You Access an SSL Outlook Web Access Server by Using HTTP Protocol

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 17 Jun 2003 13:23:56 -0500

Hi Jim,

Thanks! I appreciate that there is a KB article out before the fix. I
recommend that Basic auth be used for compatibility reasons and that SSL
be used, but I also like the idea of pre-authentication, so it's good to
hear that a fix is on the way.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Tuesday, June 17, 2003 1:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: 819127 - User Credentials Are Transmitted in
Clear Text When You Access an SSL Outlook Web Access Server by Using
HTTP Protocol




Unfortunately, FP1 doesn't solve the issue.
It's a problem with the way the Web proxy engine itself evaluates
connections; credentials are requested before the protocol is evaluated.
Even if you set the WPR to "require SSL", Basic auth is still
transmitted in clear text first <sigh>.

We've got a fix in the works, but testing isn't completed yet. You'll
see a nice, detailed KB when we ship it.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, June 17, 2003 08:57
Subject: [isalist] 819127 - User Credentials Are Transmitted in Clear
Text When You Access an SSL Outlook Web Access Server by Using HTTP
Protocol




Hey everyone,

This one is worth looking at:

819127 - User Credentials Are Transmitted in Clear Text When You Access
an SSL Outlook Web Access Server by Using HTTP Protocol:
http://support.microsoft.com/default.aspx?scid=kb;en-us;819127

This is a significant problem, since the ability to limit access by
requiring "pre-authentication" at the ISA firewall is a big reason why
ISA blows away the competition. The workaround is to use passthrough
authentication, which doesn't provide pre-authentication.

However, FP1 does allow delegation of basic authentication and that
would solve the problem. If I were the KB dude in charge of this one, I
would mention that FP1 fixes the issue. If it doesn't, I'm going to get
very sad :(

Thanks!

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
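
The ordering problem described in this thread (credentials requested before the protocol is evaluated), as an added example that is not part of the original messages and is not ISA Server code. It is a simplified model: the status codes, realm name, function names and sample credentials are assumptions constructed for illustration.

```python
import base64

# Constructed sample values; not taken from the thread or from ISA Server.
USER, PASSWORD = "alice", "s3cret"
BASIC = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()


def proxy_auth_first(scheme, headers):
    """Ordering described in the thread: challenge before the protocol check."""
    if "Authorization" not in headers:
        return 401, {"WWW-Authenticate": 'Basic realm="owa"'}
    if scheme != "https":
        return 403, {}  # "require SSL" enforced only after credentials arrived
    return 200, {}


def proxy_protocol_first(scheme, headers):
    """Corrected ordering: refuse non-SSL requests before asking for credentials."""
    if scheme != "https":
        return 403, {}
    if "Authorization" not in headers:
        return 401, {"WWW-Authenticate": 'Basic realm="owa"'}
    return 200, {}


def run_client(proxy, scheme):
    """Model a browser answering a Basic challenge; return (status, cleartext log)."""
    cleartext = []  # header sets that crossed the wire without TLS
    headers = {}
    for _ in range(2):  # initial request, then one retry with credentials
        if scheme == "http":
            cleartext.append(dict(headers))
        status, resp = proxy(scheme, headers)
        if status == 401 and "Basic" in resp.get("WWW-Authenticate", ""):
            headers = {"Authorization": BASIC}
            continue
        break
    return status, cleartext


def leaked(cleartext):
    """True if any cleartext request carried the Basic credentials."""
    return any(h.get("Authorization") == BASIC for h in cleartext)
```

In the first ordering the plain-HTTP request is still rejected in the end, but only after the client has already sent the Base64-encoded credentials without TLS; in the second, no challenge is ever issued over HTTP.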



