Microsoft KB Archive/836640

= You cannot access Outlook Web Access and single sign-on Web applications by using XMLHTTP after you apply Internet Explorer Security Update MS04-004 =

Article ID: 836640

Article Last Modified on 11/29/2007

-

APPLIES TO


 * Microsoft XML Parser 2.5
 * Microsoft XML Parser 2.6
 * Microsoft XML Parser 3.0
 * Microsoft XML Core Services 4.0

-



SUMMARY
The Microsoft Internet Explorer Security Update MS04-004 breaks Microsoft Outlook Web Access (OWA) and single sign-on Web applications. Single sign-on is when you use a Web server to forward credentials to another Web server, or when you use basic authentication to password-protect content that is running on multiple Web servers. These applications include larger portal applications that host Outlook Web Access. Many of these portal applications capture and pass user credentials to the Outlook Web Access server.



SYMPTOMS
When you use OWA and single sign-on Web applications after you apply the Internet Explorer Security Update MS04-004, the applications no longer work as you expect. You must authenticate (that is, type a user name and a password) when you establish a connection to a new Web server.



CAUSE
The Internet Explorer security update that is described in the following Microsoft Knowledge Base article bans URLs with embedded user credentials:

832894 MS04-004: Cumulative security update for Internet Explorer



RESOLUTION
Apply the Microsoft XML (MSXML) XMLHTTP fix that is described in the following Microsoft Knowledge Base article, and execute HTTP requests by passing the user credentials as parameters to the Open call when you access OWA and single sign-on Web applications. Do not embed user credentials in the target URLs of the HTTP requests. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

832414 XMLHTTP call fails for URLs with embedded user credentials



STATUS
Microsoft has confirmed that you cannot pass user credentials that are embedded in the URL. However, you can pass user credentials as parameters in the Open method call.



MORE INFORMATION
The Internet Explorer Security Update MS04-004 breaks applications that use URL Moniker Services (UrlMon) to execute HTTP requests that are targeted at URLs with embedded user credentials. The MSXML XMLHTTP component is a wrapper over UrlMon and has been enhanced to enforce this restriction. This restriction breaks current applications that use the XMLHTTP component to access OWA and single sign-on Web applications by specifying URLs with embedded user credentials.

Before the MSXML fix is applied, this restriction in the XMLHTTP component also prevents you from passing user credentials in a call to the Open method. This means that you might still experience the problem even after you modify your code so that the user credentials are no longer embedded in the URL and are instead passed as the user ID and password parameters in the call to the Open method. However, Microsoft has released a fix for the XMLHTTP component so that you can pass user credentials in the call to the Open method without embedding them in the URL. For additional information, see the Resolution section of this article.

The following sample HTML code demonstrates the XMLHTTP.Open method: 

 <HTML>
 <HEAD>
 <TITLE>Single Sign-on</TITLE>
 <SCRIPT language="VBScript">
 ' XMLHTTP object shared by the click handler and the state-change callback
 Dim oXMLHTTP
 
 Sub cmdGet_OnClick
   strURL = document.all.URL.Value
   strUser = document.all.USER.Value
   strPW = document.all.PW.Value
   Set oXMLHTTP = CreateObject("microsoft.xmlhttp")
   ' Pass the credentials as Open parameters, not embedded in strURL
   oXMLHTTP.Open "HEAD", strURL, True, strUser, strPW
   oXMLHTTP.onreadystatechange = getRef("XMLHTTPStateChange")
   oXMLHTTP.send ("")
 End Sub
 
 Sub XMLHTTPStateChange
   strURL = document.all.URL.Value
   ' Wait until the request has completed (readyState 4)
   if (oXMLHTTP.readystate <> 4) then
     exit sub
   end if
   ' Open the target URL once the request has completed
   open(strURL)
 End Sub
 </SCRIPT>
 </HEAD>
 <BODY>
 <P>Single Sign-on (sample)</P>
 <P>URL: <INPUT id="URL" type="text" size="50" name="text1"></P>
 <P class="enterUser">USER: <INPUT id="USER" type="text" size="30" name="text2"></P>
 <P class="enterPW">PASSWORD: <INPUT id="PW" type="password" size="20" name="text3"></P>
 <P class="General"><INPUT id="Button1" type="button" value="Go" name="cmdGet"></P>
 </BODY>
 </HTML>
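For existing code that still builds URLs with embedded credentials, the change described in the Resolution section can be applied mechanically. The following is an added example, not part of the original article: it splits such a URL into a clean URL plus the user and password values to pass to Open. The function names, host names and credentials are constructed for illustration.

```javascript
// Added example: move credentials out of a legacy URL so they can be
// passed as the user/password parameters of Open(method, url, async, user, password).
// Function names and sample values are hypothetical, not from the article.

function splitCredentials(legacyUrl) {
  const u = new URL(legacyUrl); // throws TypeError on malformed input
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("not an HTTP(S) URL: " + u.protocol);
  }
  const hadCredentials = u.username !== "" || u.password !== "";
  // The URL parser keeps userinfo percent-encoded; decode it before use.
  const user = decodeURIComponent(u.username);
  const password = decodeURIComponent(u.password);
  // Strip the userinfo so the request URL (and anything that logs it)
  // no longer carries the credentials.
  u.username = "";
  u.password = "";
  return { url: u.href, user, password, hadCredentials };
}

// Build the argument list for an Open call. Credentials are appended as
// separate parameters only when the legacy URL actually contained them.
function openArgs(method, legacyUrl, isAsync) {
  const parts = splitCredentials(legacyUrl);
  const args = [method, parts.url, isAsync];
  if (parts.hadCredentials) {
    args.push(parts.user, parts.password);
  }
  return args;
}

// Constructed sample input: a portal link with embedded credentials.
const sample = "http://jdoe:p%40ss@owa.example.com/exchange/";
console.log(openArgs("HEAD", sample, true));
```

In a browser the resulting array can be spread into the call, for example `xhr.open(...openArgs("HEAD", link, true))`.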

<div class="references_section">