User Credentials Are Transmitted in Clear Text When You Access an SSL Outlook Web Access Server by Using HTTP Protocol

User credentials are not encrypted when they are transmitted. This symptom occurs you configure a Microsoft Outlook Web Access (OWA) Web publishing rule by using the functionality that is provided by Internet Security and Acceleration (ISA) Server 2000 Feature Pack 1, and you use the following configuration:

• You click to select the Enable SSL. Clients must use SSL to connect to the ISA Server check box in the publishing rule.
  
  -and-
• You configure one of the following settings:
  • You apply the OWA publishing rule to specific users or groups. To do this, you open the rule properties, click the Applies To tab, click Users and groups specified below, and then add users or groups.
    
    -or-
  • You configure the Incoming Web requests listener to ask unauthenticated users for identification. To do this, you open the server properties, click the Incoming Web Requests tab, and then click to select the Ask unauthenticated users for identification check box.

An external client who tries to access the OWA server by using the HTTP protocol is prompted to submit their credentials, but the user credentials are not encrypted when they are transmitted. In this case, you expect the user to be denied access when the client computer tries to access the OWA server by using the HTTP protocol because the user cannot submit their credentials unless they access the site by using Secure Hypertext Transfer Protocol (HTTPS).

This issue occurs because the ISA Server 2000 rules engine processes User Authentication rules before it processes the Secure Sockets Layer (SSL) requirement rules. When SSL is required, ISA Server permits a non-SSL connection and prompts the user for their credentials to process the User Authentication rules that are in place. After this, the request is processed by using other rules that are in place, such as SSL requirement rules.

To work around this issue, configure ISA Server pass-through authentication for incoming Web requests. In this workaround procedure, the internal Web server performs user authentication instead of the ISA Server computer. To perform this workaround, configure the ISA Server computer so that it does not perform validation of incoming user requests.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base: