Outlook 2003 on Windows XP running Service Pack 2 fails to transparently authenticate
Users running Microsoft Windows XP with Service Pack 2 and Outlook 2003 are prompted for credentials when they open an email that contains external links or images.
This issue only affects transparent proxy deployments using IWA authentication against Windows Active Directory. Explicit proxy deployments are not affected.
Service Pack 2 includes several security patches that stop Outlook from sending the user's NTLM credentials when it fetches external links or images. In a transparent proxy deployment (where the proxy is inline, or client requests reach it via WCCP or a Layer 4 redirect) using IWA authentication against Windows AD, the proxy relies on the client, in this case Outlook, to send the user's credentials with the request. Because the patched Outlook no longer does this, the transparent authentication exchange cannot complete and the user is prompted instead.
If you are unable to upgrade your client workstations and need a workaround on the proxy, you can use one of the following tactics:
- Outlook 2010 and later send their requests with a User-Agent string that contains the word "Outlook". You can configure a rule in a Web Authentication layer in the ProxySG policy to bypass authentication for requests whose User-Agent contains "Outlook" (without the quotes). For the steps to set up such a policy, see KB3340 and refer to "Bypassing authentication when the user-agent is not predefined (in VPM)". If your default policy is DENY, or you otherwise block unauthenticated users, you also need a rule in a Web Access layer that allows the "Outlook" User-Agent in the same manner. Note that the User-Agent header is set by the client, so any client presenting "Outlook" in its User-Agent also bypasses authentication; keep the rule as narrow as your environment allows.
- Configure origin-ip-redirect as the authentication mode for your transparent proxy authentication. With this method, users must first authenticate in a web browser before opening email in Outlook 2003 that contains externally sourced content. The proxy then keeps an IP surrogate for the client, which is reused for the surrogate refresh time set in the ProxySG management console under Authentication > IWA > IWA General.
- Switching the affected clients to an explicit proxy configuration is another possible workaround.
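The two proxy-side workarounds above, written as ProxySG CPL. This is an added example, not policy text from the KB or from Blue Coat; the VPM steps in KB3340 produce equivalent rules. The realm name iwa_realm and the 900-second surrogate refresh time are assumptions for illustration.

```cpl
; Option A: bypass authentication for requests whose User-Agent contains "Outlook".
; request.header.<name>= is a regular-expression match on the header value, so
; "Outlook" matches anywhere in the string. Within a layer the first matching
; rule wins, so the bypass rule must come before the catch-all authenticate rule.
<Proxy>
    request.header.User-Agent="Outlook" authenticate(no)
    authenticate(iwa_realm)                       ; iwa_realm is an assumed realm name

; If the default policy is DENY, the now-unauthenticated Outlook requests must
; also be allowed explicitly (the Web Access layer equivalent), or they are
; still dropped.
<Proxy>
    request.header.User-Agent="Outlook" allow

; Option B: keep authentication mandatory but use origin-ip-redirect. A user who
; authenticates once in a browser leaves an IP surrogate on the proxy; Outlook
; requests from the same workstation reuse it until the refresh time expires.
; authenticate.surrogate_refresh_time() overrides the realm's IWA General
; default (value in seconds; 900 is an assumed value).
<Proxy>
    authenticate(iwa_realm) authenticate.mode(origin-ip-redirect) authenticate.surrogate_refresh_time(900)
```

Install Option A or Option B, not both. With Option B the surrogate is keyed on the client IP address, so every user behind a shared address (NAT, terminal servers) inherits the identity of whoever authenticated first; with Option A the bypass applies to any request carrying that User-Agent, authenticated or not.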
Because this is a client-side issue, Blue Coat strongly recommends that it be addressed at the client level.
First, Windows XP Hotfix 895948 must be installed on the client workstation. This hotfix is no longer available from Microsoft's support site because it is included in Windows XP Service Pack 3. Once the hotfix is installed, a registry edit is required. Contact Microsoft support at +1-800-936-4900 and request assistance with Hotfix 895948 to apply the registry modifications.