IIS Server Security - OMA/OWA password masking


Author OMA/OWA password masking
DrED_Gasket

2005-08-17, 7:53 am

I have noticed that when using a smart phone to connect to Exchange via
Outlook Mobile Access OR Outlook Web Access via HTTPS, that when I enter the
password, it takes about 5 seconds before the entry becomes masked, "********"

Has anyone got any suggestions on what might be causing this and how I
should go about trying to resolve this.


Miha Pihler [MVP]

2005-08-20, 5:54 pm

Hi,

This is a feature of the phone not IIS. The reasoning about this is for you
to see if you press the #5 two times (k) or three times (l) etc.
To change this you will have to talk to your phone manufacturer...

--
Mike
Microsoft MVP - Windows Security

"DrED_Gasket" <DrEDGasket@discussions.microsoft.com> wrote in message
news:7721896C-1B3C-41D4-8FB2-CC1ED93A8AB3@microsoft.com...
>I have noticed that when using a smart phone to connect to Exchange via
> Outlook Mobile Access OR Outlook Web Access via HTTPS, that when I enter
> the
> password, it takes about 5 seconds before the entry becomes masked,
> "********"
>
> Has anyone got any suggestions on what might be causing this and how I
> should go about trying to resolve this.
>
>



DrED_Gasket

2005-08-21, 5:50 pm

I believe that you are indeed incorrect. The password masking feature works
correctly and quickly with other OMA enabled sites and other sites that
require password validation such as HOTMAIL.

I'm looking into whether the performance is related to a certificate chain
being used, instead of a certificate being saved is the issue (along with any
interference by an ISA Server)

ED

"Miha Pihler [MVP]" wrote:

> Hi,
>
> This is a feature of the phone not IIS. The reasoning about this is for you
> to see if you press the #5 two times (k) or three times (l) etc.
> To change this you will have to talk to your phone manufacturer...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "DrED_Gasket" <DrEDGasket@discussions.microsoft.com> wrote in message
> news:7721896C-1B3C-41D4-8FB2-CC1ED93A8AB3@microsoft.com...
>
>
>

Miha Pihler [MVP]

2005-08-21, 5:50 pm

You can always test it with "different" browsers. E.g. you can use IE on
your computer to go to e.g. https://owa.domain.com/oma (well your OMA URL)
and you will be prompted for username and password -- which will _not_ be
shown as you explain in your original post (you can even try it on Mozilla
etc...).

Hotmail uses web form to get your password and in this case _yes_ you can
influence how you show the text box (on the side of HOTMAIL) and hide
password regardless of the phone settings. For OWA there is actually the
challenge response request from the server side (IIS) that will say "Hi, you
need to authenticate", to the client, but it is up to the client
implementation (in your case phone) to show you the dialog box where you can
enter username and password (and to hide (or not) the password).
You can see that this authentication dialog box is implemented differently
(and not up to IIS) in different browsers (e.g. IE and Mozilla). There is
nothing stopping the developer of the software (e.g. Mozilla) to implement
this dialog box in a way to _not_ hide the password or you could even
implement it in a way to hide even the username.

--
Mike, MCSA, MCSE, MCT, CISSP
Microsoft MVP - Windows Security


"DrED_Gasket" <DrEDGasket@discussions.microsoft.com> wrote in message
news:DB8A81AF-15C9-4BA1-88DC-5A8E5B398299@microsoft.com...
>I believe that you are indeed incorrect. The password masking feature works
> correctly and quickly with other OMA enabled sites and other sites that
> require password validation such as HOTMAIL.
>
> I'm looking into whether the performance is related to a certificate chain
> being used, instead of a certificate being saved is the issue (along with
> any
> interference by an ISA Server)
>
> ED
>
> "Miha Pihler [MVP]" wrote:
>
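
The distinction drawn in the reply above (a server-side authentication challenge whose dialog the client draws, versus a web form whose password field the site controls) can be checked from the raw HTTP response. The following is an added example, not part of the original thread; the sample responses are constructed, and the Basic/NTLM schemes and the /login form in them are assumptions chosen for illustration.

```python
"""Classify who renders the password prompt for a given HTTP response."""
from email.parser import Parser
from html.parser import HTMLParser


class _PasswordFieldFinder(HTMLParser):
    """Records whether the page contains <input type="password">."""
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.found = True


def prompt_owner(raw_response: str):
    """Return (owner, detail): 'client' for an HTTP auth challenge, 'server' for a form."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block, headersonly=True)
    # One WWW-Authenticate header per offered scheme; the first token is the scheme name.
    offered = headers.get_all("WWW-Authenticate", [])
    schemes = [v.split()[0] for v in offered if v.strip()]
    if status == 401 and schemes:
        return "client", schemes  # the browser or phone draws the dialog and decides masking
    finder = _PasswordFieldFinder()
    finder.feed(body)
    if finder.found:
        return "server", ["form"]  # the page's own markup asks for a masked field
    return "none", []


# Constructed sample responses (not captured from a real server).
CHALLENGE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="owa.domain.com"\r\n'
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
FORM_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<form method="post" action="/login">'
    '<input type="text" name="user"><input type="password" name="pw"></form>'
)

if __name__ == "__main__":
    print(prompt_owner(CHALLENGE))
    print(prompt_owner(FORM_PAGE))
```

A result of "client" means the masking behaviour has to be examined on the device or browser; "server" means it is set by the site's markup.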


DrED_Gasket

2005-08-22, 2:49 am

Thanks very much for your help. Appreciated.



"Miha Pihler [MVP]" wrote:

> You can always test it with "different" browsers. E.g. you can use IE on
> your computer to go to e.g. https://owa.domain.com/oma (well your OMA URL)
> and you will be prompted for username and password -- which will _not_ be
> shown as you explain in your original post (you can even try it on Mozilla
> etc...).
>
> Hotmail uses web form to get your password and in this case _yes_ you can
> influence how you show the text box (on the side of HOTMAIL) and hide
> password regardless of the phone settings. For OWA there is actually the
> challenge response request from the server side (IIS) that will say "Hi, you
> need to authenticate", to the client, but it is up to the client
> implementation (in your case phone) to show you the dialog box where you can
> enter username and password (and to hide (or not) the password).
> You can see that this authentication dialog box is implemented differently
> (and not up to IIS) in different browsers (e.g. IE and Mozilla). There is
> nothing stopping the developer of the software (e.g. Mozilla) to implement
> this dialog box in a way to _not_ hide the password or you could even
> implement it in a way to hide even the username.
>
> --
> Mike, MCSA, MCSE, MCT, CISSP
> Microsoft MVP - Windows Security
>
>
> "DrED_Gasket" <DrEDGasket@discussions.microsoft.com> wrote in message
> news:DB8A81AF-15C9-4BA1-88DC-5A8E5B398299@microsoft.com...
>
>
>


Copyright 2003 - 2008 webservertalk.com