Re: Using NetworkCredential then a Redirect to the site requiring the credentials

From: Eric Lawrence [MSFT] (e_lawrence_at_hotmail.com)
Date: 03/06/04


Date: Fri, 5 Mar 2004 22:40:49 -0800


> Ever since the latest patch for IE 6 it is impossible to pass the
> username and password to Exchange 2000 (or any site) in the url (i.e.
> http://username:password@exchangeserver.mydomain.com) ... so I've possibly
> come up with a solution (which I'm sure is thought of and implemented
> already). Please review my strategy and offer any suggestions / solutions:

Hopefully, the setup wasn't ~really~ broadcasting your unencrypted username
and password to the world at large without any protection?

> - I was hoping that somehow, with a combination of a WebRequest /
> NetworkCredential I could log the user in behind the scenes and redirect
> them to the proper location to the OWA inbox for the particular user
> without needing to log them in twice.

I don't think this will work. Arguably, if you wanted to get really fancy,
you could create a C# Proxy which passed all requests and responses between
the client and the server and added the authentication information to the
headers on every transaction-- but this would get insanely complicated and
would be very fragile.

If you'd like to reverse the effects of this security update, there's a
well-documented registry key to turn it off. However, I must caution you
that the approaches you've described are very much vulnerable to even the
most inept of hackers.

Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no rights.
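
An added example, not part of the original post: a small Python audit that finds URLs of the `http://username:password@host` form discussed above in text such as pages, bookmarks or proxy logs, and reports them with the credentials redacted. The function names, sample lines, hostnames and account names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Candidate http(s) URLs in free text; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def redact_userinfo(url):
    """Return (redacted_url, username, had_password).

    username is None when the URL carries no userinfo component.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return url, None, False
    if "@" not in parts.netloc:
        return url, None, False
    # The last "@" in the authority separates userinfo from host[:port].
    userinfo, _, hostport = parts.netloc.rpartition("@")
    username, sep, password = userinfo.partition(":")
    redacted = urlunsplit(parts._replace(netloc="REDACTED@" + hostport))
    return redacted, username, bool(sep and password)


def audit(lines):
    """Yield (line_no, redacted_url, username, had_password) per URL with credentials."""
    for line_no, line in enumerate(lines, start=1):
        for match in URL_RE.finditer(line):
            redacted, username, had_password = redact_userinfo(match.group(0))
            if username is not None:
                yield line_no, redacted, username, had_password


# Constructed sample input: an HTML link, a proxy log line, a Referer header.
SAMPLE = [
    '<a href="http://jdoe:Winter04@mail.example.com/exchange/">Inbox</a>',
    "GET http://mail.example.com/exchange/jdoe/?Cmd=contents HTTP/1.1",
    "Referer: https://svc-backup@files.example.com/share?x=a@b",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The "@" in the query string of the third sample line is not treated as userinfo, because only the authority part of the URL is inspected.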


