Microsoft KB Archive/836640

From BetaArchive Wiki
Knowledge Base


You cannot access Outlook Web Access and single sign-on Web applications by using XMLHTTP after you apply Internet Explorer Security Update MS04-004

Article ID: 836640

Article Last Modified on 11/29/2007



APPLIES TO

  • Microsoft XML Parser 2.5
  • Microsoft XML Parser 2.6
  • Microsoft XML Parser 3.0
  • Microsoft XML Core Services 4.0



SUMMARY

The Microsoft Internet Explorer Security Update MS04-004 breaks Microsoft Outlook Web Access (OWA) and single sign-on Web applications. Single sign-on is when you use a Web server to forward credentials to another Web server, or when you use basic authentication to password-protect content that is running on multiple Web servers. These applications include larger portal applications that host Outlook Web Access. Many of these portal applications capture and pass user credentials to the Outlook Web Access server.

SYMPTOMS

When you use OWA and single sign-on Web applications after you apply the Internet Explorer Security Update MS04-004, the applications no longer work as you expect. You must authenticate (that is, type a user name and a password) when you establish a connection to a new Web server.

CAUSE

The Internet Explorer security update that is described in the following Microsoft Knowledge Base article bans URLs with embedded user credentials:

832894 MS04-004: Cumulative security update for Internet Explorer


RESOLUTION

Apply the Microsoft XML (MSXML) XMLHTTP fix that is described in the following Microsoft Knowledge Base article, and execute HTTP requests by passing the user credentials as parameters to the Open() call when you access OWA and single sign-on Web applications. Do not embed user credentials in the target URLs of the HTTP requests. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

832414 XMLHTTP call fails for URLs with embedded user credentials


STATUS

Microsoft has confirmed that you cannot pass user credentials that are embedded in the URL. However, you can pass user credentials as parameters in the Open() method call.

MORE INFORMATION

The Internet Explorer Security Update MS04-004 breaks applications that use URL Moniker Services (UrlMon) to execute HTTP requests that are targeted at URLs with embedded user credentials. The MSXML XMLHTTP component is a wrapper over UrlMon and has been enhanced to enforce this restriction. This restriction breaks current applications that use the XMLHTTP component to access OWA and single sign-on Web applications by specifying URLs with embedded user credentials.

With this XMLHTTP component restriction, you cannot pass user credentials in a call to the Open() method of the XMLHTTP component. This implies that you might experience this problem even after you modify your code so that you do not have user credentials embedded in the URL, and after you have instead passed the user credentials as user id and password parameters in the call to the Open() method. However, Microsoft has released a fix for the XMLHTTP component so that you can pass user credentials in the call to the Open() method of the XMLHTTP component without embedding them in the URL. For additional information, see the Resolution section of this article.

The following sample HTML code demonstrates the XMLHTTP.Open method:

<HTML>

            <HEAD>
            <TITLE>Single Sign-on</TITLE>

        <script language="vbscript">

            Dim oXMLHTTP

            Sub cmdGet_OnClick()
                        strURL = document.all.URL.Value
                        strUser = document.all.USER.Value
                        strPW = document.all.PW.Value
                        Set oXMLHTTP = CreateObject("microsoft.xmlhttp")
                        oXMLHTTP.Open "HEAD", strURL, True, strUser, strPW
                        oXMLHTTP.onreadystatechange = getRef("XMLHTTPStateChange")
                        oXMLHTTP.send ("")
            End Sub

            Sub XMLHTTPStateChange

                        strURL = document.all.URL.Value

                        if (oXMLHTTP.readystate <> 4) then
                                    exit sub
                        end if

                        open(strURL)
            End Sub

          </script>
          </HEAD> 

 

            <BODY>
                        <H1>Single Sign-on (sample)</H1>
                        <P class="enterURL">URL: <INPUT id="URL" type="text" size="50" name="text1"></P>
                        <P class="enterUser">USER: <INPUT id="USER" type="text" size="30" name="text2"></P>
                        <P class="enterPW">PASSWORD: <INPUT id="PW" type="password" size="20" name="text3"></P>
                        <P class="General"><INPUT id="Button1" type="button" value="Go" name="cmdGet"> </P>
            </BODY>

</HTML>

REFERENCES

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

834489 Internet Explorer does not support user names and passwords in Web site addresses (HTTP or HTTPS URLs)


269238 INFO: Version list of the Microsoft XML parser



Additional query words: OWA MSXML XMLHTTP

Keywords: kbprb KB836640