	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

Question

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.3

Outlook Web Access (OWA) mailbox name on Exchange 2003

Asked by 2030penn in Microsoft IIS Web Server

Tags: OWA, Exchange, Outlook Web Access, IIS

We have Outlook Web Access set up on a Windows 2003 server running Exchange 2003. The default page for the OWA site is OWALogon.asp, which we have customized to show our company logos, instructions for usage, etc. The default page also has two controls: a text box into which the user enters their mailbox name; and an OK button they click after entering their mailbox name. After the user submits the form, they are prompted for their domain credentials. After entering credentials, their mailbox is displayed.

During a recent addition of a user to our domain and testing of this user's OWA access, we noticed that we can enter anything we want into the mailbox name field and as long as the domain credentials are correct, the user is passed into their mailbox. For example, if the user's mailbox name is 'JDoe' and his domain account is 'JohnD', I can enter whatever I want into the mailbox name as long as I log in as JohnD. After I log in, mailbox JDoe is displayed.

In looking at this, we've noticed that the JavaScript in the page, shown below, only checks to ensure that the mailbox name is not blank. If blank, the page reloads. If not blank, the domain credentials dialog box is displayed. In essence, it appears that the mailbox simply isn't required and IIS resolves the username/password to the correct mailbox after the domain credentials are submitted.

Can anyone tell us if:
1) This is normal behavior; ie, the requirement of data entry into the mailbox name serves only as a weak security measure, supposedly to further deter unauthorized access?
2) OWALogon.asp is missing code that checks for a valid mailbox name?
3) We're possible missing a server update or have something configured incorrectly?

Please let us know if further information is required to diagnose the issue. Thanks.

View the Solution FREE for 30 Days

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:

           
           
             <%
mailbox = Request("mailbox")
If mailbox <> "" Then
    Response.Redirect "/Exchange/" & mailbox
Else
%>
 
<HEAD>
<script language="JavaScript">
<!--
function MM_popupMsg(msg) { //v1.0
  alert(msg);
}
//-->
</script>
</HEAD>
 
<BODY onLoad="MM_popupMsg('BOILERPLATE SECURITY WARNING')">
 
<table width="95%" cellspacing="2" cellpadding="2" border="0">
<tr>
<td>
<form action='OWALogon.asp'>
<div align="center">
<IMG src="logos.gif" width="400" height="63"><BR>
</div>
 <H1 align="center"><font face="Arial, Helvetica, sans-serif">Outlook Web Access</font></H1>
<div align="center">
<font face="Arial, Helvetica, sans-serif"><b>Mailbox Name:</b></font>
<input name='mailbox'>
<input type='submit' value='OK'>
</div>
</form>
 
<%
End If
%>

           
         

20091111-EE-VQP-92 - Hierarchy / EE_QW_3_20080625

Hall of Fame

1. meverest374,341
2. cj_1969318,915
3. tedbilly262,555
4. servoadmin208,063
5. Mestha197,622
6. wolfman...159,464
7. Paranorm...117,690
8. Jones911100,887
9. demazter77,790
10. Chris-Dent72,772
11. Tray89663,136
12. carrzkiss48,425
13. cs97jjm346,680
14. abel46,150
15. zephyr_hex45,308
16. RubalJ41,850
17. Dave_Dietz39,000
18. tigermatt38,725
19. dstewartjr35,858
20. MPECSInc32,497
21. alanhardisty29,700
22. ged32529,250
23. lastlostlast27,643
24. DarthSonic26,075
25. aibusines...25,625

1. meverest1,987,814
2. Dave_Dietz1,618,822
3. tedbilly687,611
4. cj_1969450,186
5. servoadmin291,326
6. Chris-Dent259,654
7. humeniuk244,493
8. Sembee225,808
9. Mestha197,622
10. RubalJ195,728
11. TechSoEasy190,974
12. dnojcd170,736
13. wolfman...166,742
14. Paranorm...157,565
15. harperse155,255
16. DireOrbAnt155,014
17. alimu149,731
18. AndresM142,147
19. Tray896122,917
20. Jones911119,877
21. Silvers5118,933
22. Wadski114,220
23. tigermatt114,101
24. zephyr_hex105,613
25. LeeDerby...100,203

Outlook Web Access (OWA) mailbox name on Exchange 2003

Asked by 2030penn in Microsoft IIS Web Server

Tags: OWA, Exchange, Outlook Web Access, IIS

About this solution