Adding Username and Password to URL for login purposes...
Hello,
Is it possible to send a URL (link) to a user that includes their username and password to allow them to log into the Exchange OWA system without having to manually enter their credentials?
Something like: https://exchange.mycompany.com/exchange/?user=john&password=public
Is it possible to send a URL (link) to a user that includes their username and password to allow them to log into the Exchange OWA system without having to manually enter their credentials?
Something like: https://exchange.mycompany.com/exchange/?user=john&password=public
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
...just trying to be careful with my wording as the member agreement for E-E is clear on hacks...It still works for certain URL types, such as FTP, but MS04-004 removed this "feature" from the http:// and https:// as it was determined to be a security risk. To the best of my knowledge, there is no URL workaround available.
KB834489 is pretty clear on it (http://support.microsoft.com/kb/834489)
MS04-004 - http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx
The associated KB for MS04-004 is KB832894, which has a link to the above.
KB834489 is pretty clear on it (http://support.microsoft.com/kb/834489)
MS04-004 - http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx
The associated KB for MS04-004 is KB832894, which has a link to the above.
I thought so.
It was being used in phishing attacks to hide the real URL.
Simon.
It was being used in phishing attacks to hide the real URL.
Simon.
ASKER
Hi Guys - well you hit the nail right on the head, actually... I have a few board members who simply cannot be bothered with remembering their passwords - and as such they insist that it is a problem with the system...
My plan was to use Indigo Rose Autoplay Studio to construct a specific application that would launch OWA in a self-contained browser window (I have done this before for other tasks - such as kiosks) but have the URL contain their login credentials... This would be invisible once the executable was published as there is no address bar in the browser window of the application...
Is there any other way to have OWA authenticate a user using scripting?
Iain
My plan was to use Indigo Rose Autoplay Studio to construct a specific application that would launch OWA in a self-contained browser window (I have done this before for other tasks - such as kiosks) but have the URL contain their login credentials... This would be invisible once the executable was published as there is no address bar in the browser window of the application...
Is there any other way to have OWA authenticate a user using scripting?
Iain
ASKER
Ok - I found this - I get an ActiveX warning when I run it but it will work I think...
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>AutoLogon</title>
</head>
<body onload="document.logonForm
<FORM action="https://exchange.mycompany.com/exchweb/bin/auth/owaauth.dll" method="POST" name="logonForm">
<INPUT type="hidden" name="destination" value="https://exchange.mycompany.com/exchange" />
<INPUT type="hidden" id="username" name="username" value="john">
<INPUT type="hidden" id="password" name="password" value="public">
</FORM>
</body>
</html>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>AutoLogon</title>
</head>
<body onload="document.logonForm
<FORM action="https://exchange.mycompany.com/exchweb/bin/auth/owaauth.dll" method="POST" name="logonForm">
<INPUT type="hidden" name="destination" value="https://exchange.mycompany.com/exchange" />
<INPUT type="hidden" id="username" name="username" value="john">
<INPUT type="hidden" id="password" name="password" value="public">
</FORM>
</body>
</html>
I would recommend against that, even if it is going to be a link on their desktop. However, politics and convenience almost always trump security and common sense.
ASKER
I understand your concern - and appreciate your understanding.
ASKER
I am awarding the points because of the astute reply regarding the politics behind the question.
I forgot to say Thanks.
Thanks for understanding and thanks for the points!
Thanks for understanding and thanks for the points!
Simon.