Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
837
Views
0
Helpful
4
Replies

Outlook HTML messages

jhouck99_ironport
Level 1
Level 1

‎03-20-2008 10:47 PM

We have transparent authentication through AD set up, and it's working fine for IE and Firefox, but it still prompts in email with linked images.

What would be the best way to fix this problem?

Labels:
0 Helpful
4 Replies 4

jowolfer
Level 1
Level 1

‎03-21-2008 05:20 PM

jhouck99,

Here is some data regarding this issue:

In Windows XP SP2 and above (not sure if this applies to Vista), Microsoft implemented stricter security policies on sending credentials and cookies via Outlook when it is accessing an email that contains linked content / images.

This causes each object / image in the email to require manual authentication. Each object will prompted for, making it cumbersome to read emails with many linked objects.

There is a hot fix provided to 'fix' this issue. The KB article linked to the hotfix is 895948. This article is PRIVATE and thus cannot be found by searching the Microsoft website.

In order to get this hotfix, you will need to contact Microsoft at 1-800-936-4900. You can reference IronPort case number SRX070910600725

IronPort does not have any knowledge in automatically deploying this hotfix to the clients on the network. It is possible that a NETLOGON batch file could be used to implement this. The hotfix contains several files that need to overwrite local Outlook files as well as a registry key to change.

WORKAROUNDS:

Microsoft's official workaround is to only use email where the images are embedded into the email, not linked.

IP credential cache can be used instead of Cookie. This would allow the WSA to only need to authenticate the client once from their IP within the credential cache timeout. Please note that unless they authenticate with IE first, they will still be prompted for auth the first time they access an object via Outlook.

0 Helpful

jhouck99_ironport
Level 1
Level 1

‎03-25-2008 05:22 PM

The hotfix didn't seem to help on the one machine I tested on (I asked for someone else to try as well, but he was in a meeting). So I tried the workaround, which seems to be working.

Thanks...

0 Helpful

jowolfer
Level 1
Level 1

‎03-26-2008 04:06 PM

jhouck99,

That's odd. That information is straight from the horses mouth =). I've applied that patch in the past and was successful.

Let me know if we can assist in any other way.

It's possible that we may be able to workaround this issue when the "bypass auth based on user-agent" option is available, but I don't believe Outlook uses a special user-agent.

0 Helpful

jhouck99_ironport
Level 1
Level 1

‎05-12-2008 03:08 PM

We had been using the workaround for the past couple of months, but had one person for whom the workaround seemed to stop working. I applied the hotfix and now it's good.

Very weird...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents