Outlook emails with embedded images are prompting Windows XP SP2 or SP3 users to authenticate
The ProxySG is configured with seamless authentication, such as IWA or NTLM authentication.
If you are experiencing this problem, you are likely using cookie-based transparent authentication with IWA or NTLM (single sign-on). With XP SP2 and SP3, Microsoft implemented several security measures in both Outlook and Internet Explorer (IE) to protect against multiple attack vectors, the largest being email spoofing.
First, Outlook has just ONE zone - Restricted. In this zone, you will always be prompted for credentials to mitigate email spoofing and other attacks.
Second, Windows XP SP2 implements two additional security measures for Outlook:
The workarounds for this situation are as follows:
Migrate to an explicit proxy deployment instead of a transparent proxy deployment
This issue is specific to transparent environments since the browser does not want to provide credentials upstream. If an explicit proxy is configured, it will provide credentials to the proxy.
Use IP-based authentication instead of cookie-based authentication on the proxy
The caveat to this solution is that if multiple people use the same workstation, a second user logging into the machine could "piggy-back" on the previous user's cached credentials. Using IP-based authentication is not recommended unless the credential-cache timeout (TTL) is very small.
To make the TTL change, go to the Management Console > Configuration tab > Authentication > Transparent Proxy. There you can select the IP-based method and set an appropriate TTL. For any VPM policy that has been configured, you will need to locate and modify the authentication rule in the Authentication Layer. In the Authenticate column, right-click and select "Edit". From the mode pull-down field, select "Origin IP Redirect".
If you have a Citrix Metaframe or Windows Terminal Server environment where multiple users log on to the same server, IP-based authentication will not work, because every user shares the server's IP address. One possible workaround is to not authenticate any users coming from a terminal server. Alternatively, you can set very restrictive policies for your terminal servers and not require authentication.
Contact Microsoft for the hotfix that allows you to edit the registry to allow the passing of cookies and credentials
Microsoft has a hotfix available that will allow Outlook HTML emails to behave as they did prior to upgrading to Windows XP SP2. Be aware, however, that loading this hotfix removes the two security measures described previously that were implemented in XP SP2. Please call Microsoft at 1-800-936-4900 and request HotFix 895948. You may also reference Blue Coat's case with them: SRX050221602713.
Bypassing authentication for Outlook 2007 user agent
In previous versions of Microsoft Outlook, the Outlook agent used Internet Explorer's user agent for making HTTP requests. Starting with Microsoft Outlook 2007, Outlook now has its own user agent. You can write policy in your visual policy manager (VPM) to bypass authentication for the Outlook 2007 user agent. Please do the following steps:
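The same bypass expressed in CPL, as an added example rather than the article's own policy: the realm name is a placeholder and the Outlook 2007 User-Agent substring is an assumption you should confirm against your own access logs, since the User-Agent is client-supplied and any such bypass rule should be kept as narrow as your other policy allows.

```cpl
; Added example (not from the article): CPL equivalent of the VPM rule.
; Assumptions: "MyIWARealm" is a placeholder realm name; the User-Agent
; substring "Microsoft Office Outlook 12" is assumed for Outlook 2007 and
; must be verified in your access logs before deployment.
<Proxy>
    ; Outlook 2007 uses its own User-Agent, so its image fetches can be
    ; exempted from transparent authentication (no credential prompt).
    request.header.User-Agent="Microsoft Office Outlook 12" authenticate(no)
    ; Everyone else: cookie-based transparent IWA/NTLM (the article's default).
    ; The IP-based workaround corresponds to authenticate.mode(origin-ip-redirect)
    ; together with a short credential-cache TTL.
    authenticate(MyIWARealm) authenticate.mode(origin-cookie-redirect)
```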