OWA quickview window displays login page with Internet Explorer

  • 3679793
  • 05-Dec-2006
  • 27-Apr-2012

Environment

Novell iChain 2.3
Novell Access Manager 3.0
Microsoft Outlook Web Access (OWA) 2003 Web server
Authentication enabled
Users successfully authenticate
Single sign on to OWA successful
Everything works with Firefox

Situation

OWA quickview window displays login page with Internet Explorer
Cannot view OWA email contents going through iChain or Access Manager with IE
OWA users prompted to authenticate when selecting an email in IE from user's Inbox
Authentication page presented when right clicking an email and selecting OPEN with IE

Resolution

There are two known methods of resolving this problem.
  1. Set the BrowseNewProcess registry setting to NO. This setting is located in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess". With the default (YES), IE does not share cookies between IE sessions. If the value is changed to NO, you will most likely not be asked to reauthenticate when accessing the Web resource from a new browser session, assuming that the idle session timeout has not expired.

  2. Create an additional Protected Resource that does not require authentication for the "/exchweb/*" path. In iChain this is done on the ISO by creating an additional Protected Resource of type Public. In Access Manager this is done by creating a new Protected Resource with no specified authentication Contract.

    Note: As an alternative, it is possible to create a Public Protected Resource for the path "/exchweb/6.5.7226.0/controls/blank.htm". However, as the second portion of the path relates to the version of OWA, this Protected Resource path would likely need to change each time an update is applied to the server.

Additional Information

This is needed because the OWA application sends back a page with frames. The following content is part of the response to this GET request (GET /Exchange/mif/Indbakke/TEST%202.EML?cmd=preview HTTP/1.1):



The security attribute (security="restricted") indicates that the user's security settings should be applied to the source file of the frame ("/exchweb/6.5.7226.0/controls/blank.htm"). When this was done, in this particular environment, the result was that the actual GET request for this frame did not include the iChain authentication cookie, even though the user had already authenticated to iChain for this domain and path, as shown:

GET /exchweb/6.5.7226.0/controls/blank.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: https://webmail.novell.com/Exchange/mif/ncashell/TEST%202.EML?cmd=preview
Accept-Language: da
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: webmail.novell.com
Connection: Keep-Alive
NovINet: v1.2

This request has no IPCZQX01 (iChain authentication) cookie, although the previous request in this session had one, because the iFrame tag above caused it to behave as an independent session and not inherit the attributes of the other sessions on the box. Setting the above registry attribute would allow us to inherit the session info from open IE browsers.

By comparison, this request for the stylesheet, sent with the same Referer, carries the cookie:

GET /exchweb/6.5.7226.0/controls/style30.css HTTP/1.1
Accept: */*
Referer: https://webmail.novell.com/Exchange/mif/ncashell/TEST%202.EML?cmd=preview
Accept-Language: da
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: webmail.novell.com
Connection: Keep-Alive
Cookie: IPCZQX01ae4daf26=000000007e481900d31f9931
NovINet: v1.2
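
The diagnosis above as an added example (not Novell's code): it parses captured requests, checks each for the IPCZQX01 cookie, and shows which cookie-less requests a Public Protected Resource path would cover. The capture is constructed from the two requests in this TID with headers trimmed; the shell-style wildcard matching of "/exchweb/*" is an assumption about how the proxy matches paths.

```python
from fnmatch import fnmatchcase

AUTH_COOKIE_PREFIX = "IPCZQX01"  # iChain authentication cookie name prefix (from the TID)
PUBLIC_PATHS = ["/exchweb/*"]    # resolution 2: Public Protected Resource path

# Constructed capture: the two requests shown in the TID, headers trimmed.
CAPTURE = """\
GET /exchweb/6.5.7226.0/controls/blank.htm HTTP/1.1
Referer: https://webmail.novell.com/Exchange/mif/ncashell/TEST%202.EML?cmd=preview
Host: webmail.novell.com
NovINet: v1.2

GET /exchweb/6.5.7226.0/controls/style30.css HTTP/1.1
Referer: https://webmail.novell.com/Exchange/mif/ncashell/TEST%202.EML?cmd=preview
Host: webmail.novell.com
Cookie: IPCZQX01ae4daf26=000000007e481900d31f9931
NovINet: v1.2
"""

def parse_requests(text):
    """Split a capture into (method, path, headers); header names lower-cased."""
    requests = []
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        lines = block.strip().splitlines()
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((method, path, headers))
    return requests

def has_auth_cookie(headers):
    """True if any cookie in the Cookie header starts with the iChain prefix."""
    cookies = headers.get("cookie", "").split(";")
    return any(c.strip().startswith(AUTH_COOKIE_PREFIX) for c in cookies)

def classify(text, public_paths=PUBLIC_PATHS):
    """Label each request path: 'authenticated', 'public' (no cookie, path is
    Public) or 'login-prompt' (no cookie, path requires authentication)."""
    result = {}
    for _method, path, headers in parse_requests(text):
        if has_auth_cookie(headers):
            result[path] = "authenticated"
        elif any(fnmatchcase(path.split("?")[0], p) for p in public_paths):
            result[path] = "public"
        else:
            result[path] = "login-prompt"
    return result
```

Calling classify(CAPTURE, public_paths=[]) reproduces the reported symptom: the blank.htm frame request is the one that gets the login page.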

Formerly known as TID# 10099030