
Outlook emails with embedded images are prompting Windows XP SP2 or SP3 users to authenticate

Solutions ID:    KB1034
Version:    8.0
Status:    Published
Published date:    03/02/2009
Updated:    04/20/2010
 

Problem Description

The ProxySG is configured with seamless authentication, such as IWA or NTLM authentication.
The authentication prompting does not occur for workstations that are running Windows XP SP1.
The authentication prompting occurs only with Windows XP SP2 workstations and newer.
After upgrading to Windows XP SP2 or XP SP3, users receive an authentication prompt for Outlook emails with embedded images but are unable to view the content.

Resolution

If you are experiencing this problem, you are likely using cookie-based transparent authentication with IWA or NTLM (single sign-on).  With Windows XP SP2 (and carried forward into SP3), Microsoft implemented several security measures in both Outlook and Internet Explorer (IE) to protect against multiple attack vectors, the largest being email spoofing.

First, Outlook renders HTML mail in just ONE security zone, the Restricted sites zone.  In this zone you will always be prompted for credentials, to mitigate email spoofing and other attacks.

Second, Windows XP SP2 implements two additional security measures for Outlook:

  1. HTTP Cookies are no longer sent for image downloads.
  2. HTTP Credentials are no longer sent for image downloads.

The workarounds for this situation are as follows:

Migrate to an explicit proxy deployment instead of a transparent proxy deployment

This issue is specific to transparent environments.  In a transparent deployment the client does not know a proxy is present, so the ProxySG cannot issue a proxy challenge (HTTP 407); it has to obtain credentials as if it were the origin server, through an origin-style challenge (HTTP 401) and a cookie, which are exactly what the Restricted zone withholds for image downloads.  If an explicit proxy is configured, the client answers the proxy's 407 challenge with a Proxy-Authorization header and provides credentials to the proxy.

Use IP-based authentication instead of cookie-based authentication on the proxy

The caveat to this solution is that the surrogate credential is bound to the client IP address rather than to the user.  If multiple people use the same workstation, a second user logging into the machine within the cache lifetime could "piggy-back" on the previous user's cached credentials.  Using IP-based authentication is not recommended unless the credential cache timeout (TTL) is very small.

To make the TTL change, go to the Management Console > Configuration tab > Authentication > Transparent Proxy.  There you can select the IP-based method and set an appropriate TTL.  For any VPM policy that has been configured, you will need to locate and modify the authentication rule in the Authentication Layer.  In the Authenticate column, right click and select "Edit".  From the mode pull-down field, select "Origin IP Redirect".

If you have a Citrix Metaframe or Windows Terminal Server environment where multiple users log on to the same server, or a NAT device that presents many users from one source IP, IP-based authentication will not work: every session from that address is attributed to whichever user authenticated first.  One possible workaround is to not authenticate any users coming from a terminal server.  Alternatively, set very restrictive policies for your terminal servers and do not require authentication for them.

Contact Microsoft for the hotfix that allows you to edit the registry to allow the passing of cookies and credentials

Microsoft has a hotfix available that will allow Outlook HTML emails to behave as they did prior to upgrading to Windows XP SP2.  Be aware, however, that loading this hotfix removes the two security measures described previously that were implemented in XP SP2, and it does so for all HTML mail on that workstation, not only for images fetched through the ProxySG.  Please call Microsoft at 1-800-936-4900 and request HotFix 895948.  You may also reference Blue Coat's case with them:  SRX050221602713.

Bypassing authentication for Outlook 2007 user agent

In previous versions of Microsoft Outlook, Outlook used Internet Explorer's User-Agent string for its HTTP requests, so proxy policy could not tell Outlook image downloads apart from browser traffic.  Starting with Microsoft Outlook 2007, Outlook sends its own User-Agent, and you can write policy in the Visual Policy Manager (VPM) to bypass authentication for requests that carry it.  Be aware that the User-Agent header is supplied by the client and can be set to any value, so this rule lets any client that presents a matching string skip authentication; bound the exposure with the destination restrictions in step 3 below.  Please do the following steps:

  1. Login to the ProxySG's Management Console and go to the Configuration tab > Policy > Visual Policy Manager > Launch
  2. In the web authentication layer, click on "Add Rule".  Put your cursor in the source field, right click and select  "Set" > "New..." > "Request Header...".   Give it an appropriate name, such as "OutlookClient".  For the "Header Name:", select "User-Agent".  For "Header Regex:", type in "outlook".  Before relying on the rule, confirm that this regex matches the User-Agent string your Outlook 2007 clients actually send, as recorded in the cs(User-Agent) field of the access log, including its letter case.  Click on the OK button twice so that "OutlookClient" becomes your source.  For the Action, right click and select "Set", and then select "Do Not Authenticate".  Click the OK button twice.  (NOTE:  Rule placement here is important.  Rules are evaluated in order, so move this rule to the top of your web authentication layer so that it is hit before any rule that requires authentication.)
  3. Click on the web access layer.  Create a new rule.  For the "Source", use the same source you specified in step 2 above.  For "Destination", restrict as tightly as you can, for example to allowed sites or categories, since requests from this source are not authenticated.  For "Action", right click and select "Allow".  Once you are satisfied with your new rules, click on "Install Policy".
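The following Python script is an added example, not Blue Coat code or part of this solution, that audits ProxySG-style access log lines for requests that would hit such a User-Agent bypass rule.  It demonstrates the two checks a practitioner wants after installing the policy: whether the regex as typed matches the User-Agent string the real Outlook client sends (Python's re is case-sensitive by default; whether the appliance's regex is must be confirmed against your own access log), and which unauthenticated requests reached hosts, content types or methods that the step 3 destination rule should not have allowed.  The log records, the field list in the #Fields header, the IP addresses, hostnames, allowlist and User-Agent strings are all constructed for the example; adapt the header and parser to your actual access-log format.

```python
"""Audit an Outlook User-Agent 'Do Not Authenticate' rule against ProxySG-style access
log lines.  Added example: not Blue Coat code.  Field names follow the ProxySG
convention (cs-username, cs-host, cs(User-Agent) ...), but the field set and order are
this example's own assumption; adapt them to the real access log format."""
import re
import shlex

# The regex exactly as typed into the VPM "Header Regex" field in step 2.
OUTLOOK_RULE_REGEX = "outlook"

# Hosts the web access layer rule in step 3 is meant to allow for this source
# (hypothetical allowlist).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}

# Constructed sample log in W3C ELFF layout; IPs, hosts and UA strings are made up.
# Record 2: an Outlook 2007-style client fetching an embedded image.
# Records 3-4: a client that simply claims "outlook" as its User-Agent.
SAMPLE_LOG = """\
#Software: constructed sample, not appliance output
#Fields: date time c-ip cs-username sc-status cs-method cs-host cs-uri-path rs(Content-Type) cs(User-Agent)
2009-03-02 09:00:01 10.1.1.20 jdoe 200 GET www.example.com /news.html text/html "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2009-03-02 09:00:05 10.1.1.20 - 200 GET images.example.com /logo.png image/png "Microsoft Office/12.0 (Windows NT 5.1; Microsoft Office Outlook 12.0.4518; Pro)"
2009-03-02 09:00:09 10.1.1.21 - 200 GET cdn.example.net /banner.gif image/gif "outlook"
2009-03-02 09:00:12 10.1.1.21 - 200 POST files.example.org /upload application/octet-stream "outlook"
2009-03-02 09:00:15 10.1.1.22 - 401 GET www.example.com /index.html text/html "curl/7.19.7"
"""


def parse_elff(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = shlex.split(line)  # honours the double quotes around the User-Agent
        if fields is None or len(values) != len(fields):
            raise ValueError("unexpected record layout: " + line)
        yield dict(zip(fields, values))


def rule_matches(user_agent, regex=OUTLOOK_RULE_REGEX, ignore_case=False):
    """Would this User-Agent hit the bypass rule?  Python's re is case-sensitive unless
    told otherwise; whether the appliance's regex is must be checked against the log."""
    return re.search(regex, user_agent, re.IGNORECASE if ignore_case else 0) is not None


def audit(text, regex=OUTLOOK_RULE_REGEX, allowed_hosts=ALLOWED_HOSTS, ignore_case=False):
    """Return one finding per unauthenticated request that matched the bypass regex,
    flagging anything the step 3 destination rule should not have let through."""
    findings = []
    for rec in parse_elff(text):
        if rec["cs-username"] != "-":
            continue  # authenticated by some other rule, so not a bypass
        if not rule_matches(rec["cs(User-Agent)"], regex, ignore_case):
            continue
        suspicious = []
        if rec["cs-host"] not in allowed_hosts:
            suspicious.append("host not in allowlist")
        if not rec["rs(Content-Type)"].startswith("image/"):
            suspicious.append("non-image content")
        if rec["cs-method"] != "GET":
            suspicious.append("method " + rec["cs-method"])
        findings.append({"c-ip": rec["c-ip"], "host": rec["cs-host"],
                         "ua": rec["cs(User-Agent)"], "suspicious": suspicious})
    return findings


if __name__ == "__main__":
    for ignore_case in (False, True):
        print("regex %r, ignore_case=%s:" % (OUTLOOK_RULE_REGEX, ignore_case))
        for f in audit(SAMPLE_LOG, ignore_case=ignore_case):
            flag = "; ".join(f["suspicious"]) or "within step 3 restrictions"
            print("  %s -> %s  [%s]  (%s)" % (f["c-ip"], f["host"], flag, f["ua"]))
```

Run case-sensitively, the sample Outlook 2007-style User-Agent never hits the rule (only the client that spells "outlook" in lowercase does), which is why the regex must be checked against the logged string before the rule is trusted.  The POST to a host outside the allowlist shows the other side of the caveat: anything can claim to be Outlook, so it is the step 3 destination restriction, not the User-Agent match, that actually bounds what an unauthenticated client can reach.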
