Secure Password Authentication

 
 
J Becktol
      10-20-2009
Hello,

Here's the setup:
Outlook Express using POP to a Windows SBS2003 exchange server, all service
packs/patches applied that I know of.

Everything seems to be functioning correctly until User B goes into the
Tools => user accounts section of OE and selects logon using secure password
authentication. Now, they get User A's mail. Any ideas of where to start?

I have SASL with NTLM and basic authentication selected, there is a valid
SSL when using that port.

Thanks,
JB



__________ Information from ESET NOD32 Antivirus, version of virus signature database 4527 (20091020) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com




 
Robbin Meng [MSFT]
      10-21-2009



Hello JB,

Thanks for your post.

Based on my experience and tests, this should not happen if the user only selects the "log on using Secure Password Authentication" option in his/her OE.

The explanation of this option is: "Specifies that you can use Secure Password Authentication to log on to this server. If you select this option, you might be prompted to log on when you connect to this server. If you are prompted for a user name and password, this account information is usually supplied by the Internet service or connect provider when you sign up for their service."

So at this point, I would like to suggest you double check if the user has configured multiple user accounts in the same OE profile. Please go to the mail account part and click the "Mail" tab, make sure he/she has only one Exchange email account there. Also, please uncheck the "Remember Password" option under the Password text box. I suspect the issue occurs if the user had multiple user accounts in the same OE profile and any accounts have the "Remember Password" option selected, so that when clicking Send/Receive, all emails are received in the same inbox in this OE profile. Another way to avoid this is clicking the drop-down button on Send/Receive and selecting one of the accounts each time. Please have a try.

Hope this helps. Also, if you have any questions or concerns, please do not hesitate to let me know.


Best regards,
Robbin Meng(MSFT)
Microsoft Online Newsgroup Support

================================================== ================
Please post your SBS 2008 related questions to the SBS newsgroup on Connect website:
https://connect.microsoft.com/sbs08/...i/default.aspx

Please post your EBS related questions to the EBS newsgroup on Connect website:
https://connect.microsoft.com/ebs08/...i/default.aspx

If you want to use a newsreader other than a web forum to access these newsgroups,
please refer to the following blog to apply NNTP password and configure a newsreader:
http://msmvps.com/blogs/bradley/arch...ewsgroups.aspx
================================================== ================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ================
This posting is provided "AS IS" with no warranties, and confers no rights.
================================================== ================



 
J Becktol
      10-21-2009
Thanks for your reply Robbin,

I have checked that. I deleted the accounts in O.E. Recreated one that
specifically points to User B. Unchecked the remember password, it still
downloaded User A's e-mail.

Come to think of it, I didn't have to enter a password, so it still
remembers it somewhere. Any ideas?

Thanks again,
Justin




 
J Becktol
      10-21-2009
Okay, I changed User A's password on the server, still, when the mail is
checked with logon using SPA, it is still downloaded when checked with User
B's credentials and logon using SPA checked.

Open to any and all ideas.

Thanks,
Justin



 
J Becktol
      10-21-2009
Sorry for all the replies, just posting what I have found.

No password needed to download mail from User A's account when logon using
SPA is checked. Still User B's account name is correct in OE.

Justin



 
Robbin Meng [MSFT]
      10-22-2009



Hi Justin,

Thanks for your prompt replies with the test results.

Based on further tests and research, I have reproduced the issue myself. It is by-design behavior if you enable SPA for the current OE account.

Once it is enabled, the current account credential will be ignored whether or not you select "Remember Password". When you click the "Send/Receive" button, OE will use the current Windows logon account's credential to send and receive emails. For example, you log on to the client computer with user A's domain account. Open OE and create a new OE identity and new OE account with user B's domain Exchange account information. If you enable SPA for the B account in OE, it will use the current A's logon credential to send/receive emails and ignore B's credential that you configured in the OE account; of course, they are A's emails. If SPA is NOT enabled, OE will still use B's credential.

IMO, it is similar to Windows Integrated Authentication (NTLM) for SPA and Basic Authentication for non-SPA. Windows Integrated Authentication is used prior to Basic Authentication if both are enabled. Does it make sense?

If you have any questions or concerns, please do not hesitate to let me know.


Best regards,
Robbin Meng(MSFT)
Microsoft Online Newsgroup Support
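
To confirm which identity SPA actually presents, as described in the reply above, this added example (not part of the thread and not Microsoft code) decodes the domain, user and workstation fields of an NTLM AUTHENTICATE (type 3) message, the last base64 line a client sends in a POP3 AUTH NTLM exchange. The sample message, the names EXAMPLE, userA and LAPTOP1, and the cp437 fallback for non-Unicode strings are constructed assumptions.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when this flag is set

def _field(msg, pos):
    """Read a security buffer (len, maxlen, offset) at pos and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def ntlm_identity(b64_line):
    """Return (domain, user, workstation) from a base64 AUTHENTICATE message."""
    msg = base64.b64decode(b64_line.strip(), validate=True)
    if len(msg) < 64 or not msg.startswith(NTLMSSP_SIG):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected type 3 (AUTHENTICATE), got %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM page assumed
    # DomainName, UserName and Workstation buffers sit at offsets 28, 36, 44.
    return tuple(_field(msg, pos).decode(enc) for pos in (28, 36, 44))

def build_sample(domain, user, workstation):
    """Constructed test message: dummy zero-filled responses, real name fields."""
    names = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    parts = [b"\x00" * 24, b"\x00" * 24] + names + [b""]  # LM, NT, names, key
    header, payload, offset = b"", b"", 64
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    flags = struct.pack("<I", NEGOTIATE_UNICODE)
    msg = NTLMSSP_SIG + struct.pack("<I", 3) + header + flags + payload
    return base64.b64encode(msg).decode("ascii")

def check_account(configured_user, b64_line):
    """Compare the account configured in the client with the one NTLM sent."""
    _domain, sent_user, _ws = ntlm_identity(b64_line)
    return sent_user.lower() == configured_user.lower(), sent_user

if __name__ == "__main__":
    sample = build_sample("EXAMPLE", "userA", "LAPTOP1")
    print(ntlm_identity(sample), check_account("userB", sample))
```

A mismatch between the account configured in the mail client and the user name decoded here is the behaviour reported in this thread: the server authenticates whoever the NTLM message names, not the account typed into OE.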


 
J Becktol
      10-22-2009
Hi Robbin,

I'm glad you could reproduce it, it's not just me going nuts. The machine
that User B is checking mail from is not part of a domain. We did set up a
VPN connection using User A's credentials, however, User A's password has
been changed since.

Is there a 'fix' for this, so that User B can use SPA, User A could use SPA,
depending on their location (hotels, etc.) and User B not get User A's mail?

Are the credentials saved in the Registry, .ini file?

Thanks for your help and prompt replies,
Justin



 
Robbin Meng [MSFT]
      10-23-2009

Hi Justin,

Thanks for posting back.

However, as I indicated, it is neither a bug nor a problem but normal, by-design behavior. The POP3 mail client uses the computer's VPN logon credential information for SPA and assumes that the mailbox alias will be the same as the VPN logon account. That is to say, user B should NOT use A's credential for VPN logon; this is not an expected behavior. Everyone *should* use his own domain credential for VPN or for any other authentications when accessing domain resources. That makes sense I think.

In short, a user should use his own domain credential to access domain resources so that the Windows Integrated Authentication will help. Otherwise, if you have to use another's credential, please don't enable Windows Integrated Authentication - the SPA function in OE.

You may find more related information from the below KB articles:

POP3 Secure Password Authentication
http://support.microsoft.com/kb/191558

How to help secure SMTP client message delivery in Exchange 2003
http://support.microsoft.com/kb/823019

Thanks for your time and efforts.


Best regards,
Robbin Meng(MSFT)
Microsoft Online Newsgroup Support

 
J Becktol
      10-23-2009
Thank you, I'll check into it some more.

Justin
 
Robbin Meng [MSFT]
      10-23-2009


You are welcome, Justin : )

Thank you for your time and cooperation!

Best regards,
Robbin Meng(MSFT)
Microsoft Online Newsgroup Support


 