Microsoft KB Archive/819127

= User Credentials Are Transmitted in Clear Text When You Access an SSL Outlook Web Access Server by Using HTTP Protocol =

Article ID: 819127

Article Last Modified on 6/11/2003

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1

-





SYMPTOMS
User credentials are not encrypted when they are transmitted. This symptom occurs when you configure a Microsoft Outlook Web Access (OWA) Web publishing rule by using the functionality that is provided by Internet Security and Acceleration (ISA) Server 2000 Feature Pack 1, and you use the following configuration:
 * You click to select the "Enable SSL. Clients must use SSL to connect to the ISA Server" check box in the publishing rule.

-and-

 * You configure one of the following settings:
   * You apply the OWA publishing rule to specific users or groups. To do this, you open the rule properties, click the Applies To tab, click Users and groups specified below, and then add users or groups.

   -or-

   * You configure the Incoming Web requests listener to ask unauthenticated users for identification. To do this, you open the server properties, click the Incoming Web Requests tab, and then click to select the Ask unauthenticated users for identification check box.

An external client who tries to access the OWA server by using the HTTP protocol is prompted to submit credentials, and those credentials are not encrypted when they are transmitted. In this case, you expect the client to be denied access when it tries to reach the OWA server by using the HTTP protocol, because the user should not be able to submit credentials unless the site is accessed by using HTTP over SSL (HTTPS).



CAUSE
This issue occurs because the ISA Server 2000 rules engine processes User Authentication rules before it processes the Secure Sockets Layer (SSL) requirement rules. When SSL is required, ISA Server permits a non-SSL connection and prompts the user for their credentials to process the User Authentication rules that are in place. After this, the request is processed by using other rules that are in place, such as SSL requirement rules.



WORKAROUND
To work around this issue, configure ISA Server pass-through authentication for incoming Web requests. In this workaround procedure, the internal Web server performs user authentication instead of the ISA Server computer. To perform this workaround, configure the ISA Server computer so that it does not perform validation of incoming user requests.
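The following check, added here and not part of the Knowledge Base article, shows how an administrator can confirm from outside the network whether a listener exhibits the behaviour described above, or that the pass-through workaround has removed it: it sends one unauthenticated request over plain HTTP and reports whether the reply is a Basic authentication challenge (credentials would travel in clear text) or an SSL refusal. HOST and PATH are placeholders to replace with your published OWA host name and virtual directory; no credentials are ever sent.

```python
"""Does an SSL-required OWA publishing rule challenge for credentials over plain HTTP?"""
import http.client
from typing import Iterable, Tuple

HOST = "owa.example.test"  # placeholder: your published OWA host name
PATH = "/exchange/"        # placeholder: your OWA virtual directory

Header = Tuple[str, str]


def classify(status: int, headers: Iterable[Header]) -> str:
    """Classify the reply to an unauthenticated GET sent over port 80.

    "CLEARTEXT_CHALLENGE" - 401 with a Basic challenge: the listener asks for
                            credentials before enforcing SSL (this article's bug)
    "OTHER_CHALLENGE"     - 401 without Basic (e.g. NTLM only): still prompted
                            before the SSL rule, but not a clear-text scheme
    "SSL_ENFORCED"        - 403, or a redirect to an https:// URL, with no prompt
    "OTHER"               - anything else (e.g. content served over plain HTTP)
    """
    hdrs = [(k.lower(), v) for k, v in headers]
    # A server may send several WWW-Authenticate headers; join them all.
    auth = " ".join(v for k, v in hdrs if k == "www-authenticate")
    location = next((v for k, v in hdrs if k == "location"), "")
    if status == 401:
        return "CLEARTEXT_CHALLENGE" if "basic" in auth.lower() else "OTHER_CHALLENGE"
    if status == 403 or (status in (301, 302, 307) and location.lower().startswith("https://")):
        return "SSL_ENFORCED"
    return "OTHER"


def probe(host: str = HOST, path: str = PATH, timeout: float = 10.0) -> str:
    """Send one unauthenticated GET over plain HTTP and classify the response."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify(resp.status, resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    print(probe())
```

A result of CLEARTEXT_CHALLENGE means the User Authentication rule is still being evaluated ahead of the SSL requirement on that listener.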



MORE INFORMATION
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

313072 HOW TO: Configure the Web Publishing Service to Work with Internet Security and Acceleration Server in Windows 2000

300435 HOW TO: Publish Multiple Web Sites by Using ISA Server in Windows 2000

Additional query words: unencrypted plain text basic authentication FP1 OWA 403 Forbidden 12211 Internet Security and Acceleration Server

Keywords: kbbug kbprb KB819127

-

© Microsoft Corporation. All rights reserved.