Re: Authentication Security Problem WSS and OWA - Possible Bug?



The problem is with the 3rd party custom authentication code that you
are using on top of WSS and OWA, so you should contact the support
personnel for that 3rd party code for a resolution.

It looks like the custom authentication code multiplexes multiple
logical users of its control over the generic "fake" Exchange user and
generic non-WSS Windows user login -- so the custom authentication
code is responsible for the lifetime of its users and non-cacheability
of its custom authentication.

Clearly, you have exposed a security problem with the 3rd party custom
authentication protocol, so you should contact them for support.

This would not happen if you have distinct Windows user accounts, but
you say that is not allowed in your environment, so your only choice
is to get the custom authentication protocol fixed by its provider.

If the code is written by Microsoft PSS, then you should contact them
for support. If the code is based on some other sample code, then you
are responsible for figuring out your bug. If the code is purchased
from someone else, then that someone else should be contacted for
support.







On Jan 9, 10:53 am, TomT <T...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
If it was only that simple...the environment does not allow this.



"Ken Schaefer" wrote:
Maybe someone has checked the "remember password" box in IE?

Give your users separate Windows user accounts. That's what the functionality
exists for.

Cheers
Ken

"TomT" <T...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7871CAE9-A30E-4A50-9171-2D641E1FB03F@xxxxxxxxxxxxxxxx
Windows Server 2003 being connected to through Windows VPN using RMA.
Shared remote Panasonic ToughBooks running XPP.  Generic Windows logon, VPN
uses shared non-wss or exchange fake user, and once logged on users enter
their user/password in IE logon window.

The problem is that one or two users cannot be logged out and even after
restarting the machine will authenticate through both WSS and OWA.  Big
problem when others have access to email and WSS records.  Any help
appreciated.