Microsoft Knowledge Base Article
This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Terms
of Use |
Trademarks
Article ID: 836640 - Last Review: November 29, 2007 - Revision: 2.1
You cannot access Outlook Web Access and single sign-on Web applications by using XMLHTTP after you apply Internet Explorer Security Update MS04-004
SUMMARY
The Microsoft Internet Explorer Security Update MS04-004 breaks Microsoft Outlook Web Access (OWA) and single sign-on Web applications. Single sign-on is when you use a Web server to forward credentials to another Web server, or when you use basic authentication to password-protect content that is running on multiple Web servers. These applications include larger portal applications that host Outlook Web Access. Many of these portal applications capture and pass user credentials to the Outlook Web Access server.
SYMPTOMS
When you use OWA and single sign-on Web applications after you apply the Internet Explorer Security Update MS04-004,
the applications no longer work as you expect. You must authenticate
(that is, type a user name and a password) when you establish a connection to
a new Web server.
CAUSE
The Internet Explorer security update that is
described in the following Microsoft Knowledge Base article bans URLs with
embedded user credentials:
832894Â
(http://kbalertz.com/Feedback.aspx?kbNumber=832894/
)
MS04-004: Cumulative security update for Internet Explorer
RESOLUTION
Apply the Microsoft XML (MSXML) XMLHTTP fix that is described in the following Microsoft Knowledge Base article, and execute HTTP requests by passing the user credentials as
parameters to the
Open() call when you access OWA and single sign-on Web
applications. Do not embed user credentials in the target URLs of the
HTTP requests.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
832414Â
(http://kbalertz.com/Feedback.aspx?kbNumber=832414/
)
XMLHTTP call fails for URLs with embedded user credentials
STATUS
Microsoft has confirmed that you cannot pass user credentials that are embedded in the URL. However, you can pass user
credentials as parameters in the
Open() method call.
MORE INFORMATION
The Internet Explorer Security Update MS04-004 breaks applications that
use URL Moniker Services (UrlMon) to execute HTTP requests that are targeted at URLs with embedded user
credentials. The MSXML XMLHTTP component is a wrapper over UrlMon and has been enhanced to enforce this restriction. This restriction breaks current
applications that use the XMLHTTP component to access OWA and single sign-on Web
applications by specifying URLs with embedded user credentials.
With this XMLHTTP component restriction, you cannot pass user credentials in a call to the
Open() method of the XMLHTTP
component. This implies that
you might experience this problem even after you modify your code so that you do not have user credentials embedded in the URL, and after you have instead passed the user credentials as
user id and
password
parameters in the call to the
Open() method. However, Microsoft has released a fix for the XMLHTTP component so that you can pass user credentials in the call to the
Open() method of the
XMLHTTP component without embedding them in the URL. For additional information, see the Resolution section of this article.
The following
sample HTML code demonstrates the
XMLHTTP.Open method:
<HTML>
<HEAD>
<TITLE>Single Sign-on</TITLE>
<script language="vbscript">
Dim oXMLHTTP
Sub cmdGet_OnClick()
strURL = document.all.URL.Value
strUser = document.all.USER.Value
strPW = document.all.PW.Value
Set oXMLHTTP = CreateObject("microsoft.xmlhttp")
oXMLHTTP.Open "HEAD", strURL, True, strUser, strPW
oXMLHTTP.onreadystatechange = getRef("XMLHTTPStateChange")
oXMLHTTP.send ("")
End Sub
Sub XMLHTTPStateChange
strURL = document.all.URL.Value
if (oXMLHTTP.readystate <> 4) then
exit sub
end if
open(strURL)
End Sub
</script>
</HEAD>
<BODY>
<H1>Single Sign-on (sample)</H1>
<P class="enterURL">URL: <INPUT id="URL" type="text" size="50" name="text1"></P>
<P class="enterUser">USER: <INPUT id="USER" type="text" size="30" name="text2"></P>
<P class="enterPW">PASSWORD: <INPUT id="PW" type="password" size="20" name="text3"></P>
<P class="General"><INPUT id="Button1" type="button" value="Go" name="cmdGet"> </P>
</BODY>
</HTML>REFERENCES
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
834489 Â
(http://kbalertz.com/Feedback.aspx?kbNumber=834489/
)
Internet Explorer does not support user names and passwords in Web site addresses (HTTP or HTTPS URLs)
269238 Â
(http://kbalertz.com/Feedback.aspx?kbNumber=269238/
)
INFO: Version list of the Microsoft XML parser
APPLIES TO
- Microsoft XML Parser 2.5
- Microsoft XML Parser 2.6
- Microsoft XML Parser 3.0
- Microsoft XML Core Services 4.0
Community Feedback System
Very often, it takes hours to solve a problem. Very often, you've looked high
and low, and have tried a lot of solutions. When you finally found it, chances
are, it was because someone else helped you. Here's your chance to give back.
Use our community feedback tool to let others know what worked for you and what
didn't.
Please also understand that the community feedback system is not warranted to be
correct, it's simply a system that we've built to let people try and help each
other. If something in a feedback response doesn't make sense to you, or you're
not comfortable making changes that the feedback talks about (like registry
edits), please consult a professional.
Thank you for using kbAlertz.com Feedback System.
-- Scott Cate
Be the first to leave feedback, to help others about this knowledge base
article.
(Optional) Name
(Optional)
Public URL Or Email
Comments
No
HTML -- Text Only Please