Authentication Security Problem WSS and OWA - Possible Bug?

on 09.01.2008 04:42:01 by TomT

Windows Server 2003 being connected to through Windows VPN using RMA. Shared
remote Panasonic ToughBooks running XPP. Generic Windows logon, VPN uses
shared non-wss or exchange fake user, and once logged on users enter their
user/password in IE logon window.

The problem is that one or two users cannot be logged out and even after
restarting the machine will authenticate through both WSS and OWA. Big
problem when others have access to email and WSS records. Any help
appreciated.

Re: Authentication Security Problem WSS and OWA - Possible Bug?

on 09.01.2008 10:16:13 by Ken Schaefer

Maybe someone has checked the "remember password" box in IE?

Give your users separate Windows user accounts. That's what the functionality
exists for.

Cheers
Ken

"TomT" wrote in message
news:7871CAE9-A30E-4A50-9171-2D641E1FB03F@microsoft.com...
> Windows Server 2003 being connected to through Windows VPN using RMA.
> Shared remote Panasonic ToughBooks running XPP. Generic Windows logon, VPN uses
> shared non-wss or exchange fake user, and once logged on users enter their
> user/password in IE logon window.
>
> The problem is that one or two users cannot be logged out and even after
> restarting the machine will authenticate through both WSS and OWA. Big
> problem when others have access to email and WSS records. Any help
> appreciated.

Re: Authentication Security Problem WSS and OWA - Possible Bug?

on 09.01.2008 11:35:36 by David Wang

On Jan 8, 7:42 pm, TomT wrote:
> Windows Server 2003 being connected to through Windows VPN using RMA. Shared
> remote Panasonic ToughBooks running XPP. Generic Windows logon, VPN uses
> shared non-wss or exchange fake user, and once logged on users enter their
> user/password in IE logon window.
>
> The problem is that one or two users cannot be logged out and even after
> restarting the machine will authenticate through both WSS and OWA. Big
> problem when others have access to email and WSS records. Any help
> appreciated.


It sounds like you are trying to multiplex multiple users on top of a
single Windows user and implemented a proprietary "log out"
functionality which is failing. You need to detail exactly what you
mean by "log out" because right now this looks like a security issue
with your customization of WSS and OWA.

Or use Integrated Authentication which does not have this problem.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Authentication Security Problem WSS and OWA - Possible Bug?

on 09.01.2008 19:53:03 by TomT

If it was only that simple...the environment does not allow this.

"Ken Schaefer" wrote:

> Maybe someone has checked the "remember password" box in IE?
>
> Give your users separate Windows user accounts. That's what the functionality
> exists for.
>
> Cheers
> Ken
>
> "TomT" wrote in message
> news:7871CAE9-A30E-4A50-9171-2D641E1FB03F@microsoft.com...
> > Windows Server 2003 being connected to through Windows VPN using RMA.
> > Shared remote Panasonic ToughBooks running XPP. Generic Windows logon, VPN uses
> > shared non-wss or exchange fake user, and once logged on users enter their
> > user/password in IE logon window.
> >
> > The problem is that one or two users cannot be logged out and even after
> > restarting the machine will authenticate through both WSS and OWA. Big
> > problem when others have access to email and WSS records. Any help
> > appreciated.
>
>

Re: Authentication Security Problem WSS and OWA - Possible Bug?

on 09.01.2008 21:38:30 by David Wang

The problem is with the 3rd party custom authentication code that you
are using on top of WSS and OWA, so you should contact the support
personnel for that 3rd party code for a resolution.

It looks like the custom authentication code multiplexes multiple
logical users of its control over the generic "fake" Exchange user and
generic non-WSS Windows user login -- so the custom authentication
code is responsible for the lifetime of its users and non-cacheability
of its custom authentication.

Clearly, you have exposed a security problem with the 3rd party custom
authentication protocol, so you should contact them for support.

This would not happen if you have distinct Windows user accounts, but
you say that is not allowed in your environment, so your only choice
is to get the custom authentication protocol fixed by its provider.

If the code is written by Microsoft PSS, then you should contact them
for support. If the code is based on some other sample code, then you
are responsible for figuring out your bug. If the code is purchased
from someone else, then that someone else should be contacted for
support.







On Jan 9, 10:53 am, TomT wrote:
> If it was only that simple...the environment does not allow this.
>
> "Ken Schaefer" wrote:
> > Maybe someone has checked the "remember password" box in IE?
> >
> > Give your users separate Windows user accounts. That's what the functionality
> > exists for.
> >
> > Cheers
> > Ken
> >
> > "TomT" wrote in message
> > news:7871CAE9-A30E-4A50-9171-2D641E1FB03F@microsoft.com...
> > > Windows Server 2003 being connected to through Windows VPN using RMA.
> > > Shared remote Panasonic ToughBooks running XPP. Generic Windows logon, VPN uses
> > > shared non-wss or exchange fake user, and once logged on users enter their
> > > user/password in IE logon window.
> > >
> > > The problem is that one or two users cannot be logged out and even after
> > > restarting the machine will authenticate through both WSS and OWA. Big
> > > problem when others have access to email and WSS records. Any help
> > > appreciated.