You cannot access Outlook Web Access and single sign-on Web applications by using XMLHTTP after you apply Internet Explorer Security Update MS04-004 (836640)


The information in this article applies to:

  • Microsoft XML 2.5
  • Microsoft XML 2.6
  • Microsoft XML 3.0
  • Microsoft XML 4.0

SUMMARY

The Microsoft Internet Explorer Security Update MS04-004 breaks Microsoft Outlook Web Access (OWA) and single sign-on Web applications. Single sign-on is when you use a Web server to forward credentials to another Web server, or when you use basic authentication to password-protect content that is running on multiple Web servers. These applications include larger portal applications that host Outlook Web Access. Many of these portal applications capture and pass user credentials to the Outlook Web Access server.

SYMPTOMS

When you use OWA and single sign-on Web applications after you apply the Internet Explorer Security Update MS04-004, the applications no longer work as you expect. You must authenticate (that is, type a user name and a password) when you establish a connection to a new Web server.

CAUSE

The Internet Explorer security update that is described in the following Microsoft Knowledge Base article bans URLs with embedded user credentials:

832894 MS04-004: Cumulative security update for Internet Explorer

RESOLUTION

Apply the Microsoft XML (MSXML) XMLHTTP fix that is described in the following Microsoft Knowledge Base article, and execute HTTP requests by passing the user credentials as parameters to the Open() call when you access OWA and single sign-on Web applications. Do not embed user credentials in the target URLs of the HTTP requests. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

832414 XMLHTTP call fails for URLs with embedded user credentials

STATUS

Microsoft has confirmed that you cannot pass user credentials that are embedded in the URL. However, you can pass user credentials as parameters in the Open() method call.

MORE INFORMATION

The Internet Explorer Security Update MS04-004 breaks applications that use URL Moniker Services (UrlMon) to execute HTTP requests that are targeted at URLs with embedded user credentials. The MSXML XMLHTTP component is a wrapper over UrlMon and has been enhanced to enforce this restriction. This restriction breaks current applications that use the XMLHTTP component to access OWA and single sign-on Web applications by specifying URLs with embedded user credentials.

With this XMLHTTP component restriction, you cannot pass user credentials in a call to the Open() method of the XMLHTTP component. This implies that you might experience this problem even after you modify your code so that you do not have user credentials embedded in the URL, and after you have instead passed the user credentials as user id and password parameters in the call to the Open() method. However, Microsoft has released a fix for the XMLHTTP component so that you can pass user credentials in the call to the Open() method of the XMLHTTP component without embedding them in the URL. For additional information, see the Resolution section of this article.

The following sample HTML code demonstrates the XMLHTTP.Open method:
<HTML>

            <HEAD>
            <TITLE>Single Sign-on</TITLE>

        <script language="vbscript">

            Dim oXMLHTTP

            Sub cmdGet_OnClick()
                        strURL = document.all.URL.Value
                        strUser = document.all.USER.Value
                        strPW = document.all.PW.Value
                        Set oXMLHTTP = CreateObject("microsoft.xmlhttp")
                        oXMLHTTP.Open "HEAD", strURL, True, strUser, strPW
                        oXMLHTTP.onreadystatechange = getRef("XMLHTTPStateChange")
                        oXMLHTTP.send ("")
            End Sub

            Sub XMLHTTPStateChange

                        strURL = document.all.URL.Value

                        if (oXMLHTTP.readystate <> 4) then
                                    exit sub
                        end if

                        open(strURL)
            End Sub

	      </script>
	      </HEAD> 

 

            <BODY>
                        <H1>Single Sign-on (sample)</H1>
                        <P class="enterURL">URL: <INPUT id="URL" type="text" size="50" name="text1"></P>
                        <P class="enterUser">USER: <INPUT id="USER" type="text" size="30" name="text2"></P>
                        <P class="enterPW">PASSWORD: <INPUT id="PW" type="password" size="20" name="text3"></P>
                        <P class="General"><INPUT id="Button1" type="button" value="Go" name="cmdGet"> </P>
            </BODY>

</HTML>

REFERENCES

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

834489 A security update is available that modifies the default behavior of Internet Explorer for handling user information in HTTP and in HTTPS URLs

269238 INFO: Version list of the Microsoft XML parser

Modification Type:MajorLast Reviewed:9/29/2005
Keywords:kbprb KB836640 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.