
User Credentials Are Transmitted in Clear Text When You Access an SSL Outlook Web Access Server by Using HTTP Protocol



Symptoms

User credentials are not encrypted when they are transmitted. This symptom occurs when you configure a Microsoft Outlook Web Access (OWA) Web publishing rule by using the functionality that is provided by Internet Security and Acceleration (ISA) Server 2000 Feature Pack 1, and you use the following configuration:
  • You click to select the Enable SSL. Clients must use SSL to connect to the ISA Server check box in the publishing rule.

    -and-
  • You configure one of the following settings:
    • You apply the OWA publishing rule to specific users or groups. To do this, you open the rule properties, click the Applies To tab, click Users and groups specified below, and then add users or groups.

      -or-
    • You configure the Incoming Web requests listener to ask unauthenticated users for identification. To do this, you open the server properties, click the Incoming Web Requests tab, and then click to select the Ask unauthenticated users for identification check box.
An external client who tries to access the OWA server by using the HTTP protocol is prompted to submit their credentials, but the user credentials are not encrypted when they are transmitted. In this case, you expect the user to be denied access when the client computer tries to access the OWA server by using the HTTP protocol because the user cannot submit their credentials unless they access the site by using Secure Hypertext Transfer Protocol (HTTPS).



Cause

This issue occurs because the ISA Server 2000 rules engine processes User Authentication rules before it processes the Secure Sockets Layer (SSL) requirement rules. When SSL is required, ISA Server permits a non-SSL connection and prompts the user for their credentials to process the User Authentication rules that are in place. After this, the request is processed by using other rules that are in place, such as SSL requirement rules.



Workaround

To work around this issue, configure ISA Server pass-through authentication for incoming Web requests. In this workaround procedure, the internal Web server performs user authentication instead of the ISA Server computer. To perform this workaround, configure the ISA Server computer so that it does not perform validation of incoming user requests.
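The rule-ordering behavior in the Cause section and the effect of the pass-through workaround can be modeled in a few lines. The following Python is an added illustration, not ISA Server code: the rule functions, verdict strings and the sample credential are constructed for the example, and the engine simply returns the first rule verdict that objects.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Request:
    scheme: str                         # "http" or "https"
    credentials: Optional[str] = None   # "user:password" once the client answers a challenge

Rule = Callable[[Request], Optional[str]]

def user_authentication_rule(req: Request) -> Optional[str]:
    """Publishing rule applies to specific users/groups: anonymous requests are challenged."""
    return "401 challenge" if req.credentials is None else None

def ssl_requirement_rule(req: Request) -> Optional[str]:
    """'Clients must use SSL to connect to the ISA Server' is selected."""
    return "403 SSL required" if req.scheme != "https" else None

def process(req: Request, rules: List[Rule]) -> str:
    """The first rule that objects decides the verdict; otherwise the request is forwarded."""
    for rule in rules:
        verdict = rule(req)
        if verdict is not None:
            return verdict
    return "200 forwarded to OWA"

# Order described in this article: authentication is evaluated before the SSL requirement.
ISA_2000_FP1_ORDER: List[Rule] = [user_authentication_rule, ssl_requirement_rule]
# Workaround: pass-through authentication, so ISA Server itself challenges nobody
# and OWA authenticates the user after the SSL requirement has been enforced.
PASS_THROUGH_ORDER: List[Rule] = [ssl_requirement_rule]

def client_session(scheme: str, rules: List[Rule]) -> Tuple[str, bool]:
    """Run one external client through the engine.

    Returns (final verdict, whether credentials crossed the wire in clear text).
    """
    req = Request(scheme)
    verdict = process(req, rules)
    leaked = False
    if verdict == "401 challenge":
        req.credentials = "alice:P@ssw0rd"   # constructed sample credential
        leaked = scheme == "http"            # answered the challenge over plain HTTP
        verdict = process(req, rules)
    return verdict, leaked

if __name__ == "__main__":
    for label, rules in (("ISA 2000 FP1", ISA_2000_FP1_ORDER), ("pass-through", PASS_THROUGH_ORDER)):
        for scheme in ("http", "https"):
            print(label, scheme, client_session(scheme, rules))
```

With the article's ordering, an HTTP client is challenged, answers in clear text, and only then is refused for not using SSL; with pass-through authentication the HTTP request is refused before any credential is requested.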



More information

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
313072 HOW TO: Configure the Web Publishing Service to Work with Internet Security and Acceleration Server in Windows 2000
300435 HOW TO: Publish Multiple Web Sites by Using ISA Server in Windows 2000



Keywords: KB819127, kbbug, kbprb


Article Info
Article ID : 819127
Revision : 2
Created on : 6/11/2003
Published on : 6/11/2003
Exists online : False
Views : 367