Outlook emails with embedded images are prompting Windows XP SP2 or SP3 users to authenticate




The ProxySG is deployed transparently and configured for seamless (single sign-on) authentication, such as IWA or NTLM.
Workstations running Windows XP SP1 are not prompted.
Workstations running Windows XP SP2 or later are prompted.
After a workstation is upgraded to Windows XP SP2 or XP SP3, Outlook prompts for credentials whenever it opens an email that references embedded images, and the images still do not display.


If you are experiencing this problem, you are most likely using cookie-based transparent authentication with IWA or NTLM (single sign-on).  With the XP SP2 release, and carried forward in SP3, Microsoft added several security measures to both Outlook and Internet Explorer (IE) to protect against multiple attack vectors, the largest being email spoofing.

First, Outlook renders HTML mail in just ONE security zone: Restricted sites.  In this zone credentials are never supplied silently, so any authentication challenge produces a prompt; this is deliberate, to mitigate email spoofing and other attacks.

Second, Windows XP SP2 implements two additional security measures for Outlook:

  1. HTTP cookies are no longer sent when Outlook downloads images referenced by an email.
  2. HTTP credentials are no longer sent for those image downloads.

Cookie-based transparent authentication on the ProxySG depends on exactly these two things: the surrogate credential is a cookie, and the initial challenge must be answered with credentials.  Outlook can do neither, so the transparent authentication never completes and the image request fails.

The workarounds for this situation are as follows:

Migrate to an explicit proxy deployment instead of a transparent proxy deployment

This issue is specific to transparent environments: the proxy is invisible to the client, so its challenge and its cookie look like they come from the origin server, and Outlook refuses to send credentials or cookies upstream to it.  If an explicit proxy is configured, the challenge is a proxy challenge and the client will provide credentials to the proxy.

Use IP-based authentication instead of cookie-based authentication on the proxy

The caveat to this solution is that the proxy then treats every request from that IP address as the authenticated user until the cached credential expires.  If multiple people use the same workstation, a second user logging in to the machine can "piggy-back" on the previous user's credentials.  Using IP-based authentication is not recommended unless the cached-credential timeout (TTL) is very small.

To make the TTL change, go to the Management Console > Configuration tab > Authentication > Transparent Proxy.  There you can select the IP-based method and set an appropriate TTL.  For any VPM policy that has been configured, you will need to locate and modify the authentication rule in the Authentication Layer.  In the Authenticate column, right click and select "Edit".  From the mode pull-down field, select "Origin IP Redirect".

If you have a Citrix Metaframe or Windows Terminal Server environment, where many users log on to the same server and therefore share one source IP address, IP-based authentication cannot tell the users apart and will not work.  One workaround is to exempt the terminal servers' addresses from authentication altogether and apply a very restrictive access policy to those servers instead.

Contact Microsoft for the hotfix that allows you to edit the registry to allow the passing of cookies and credentials

Microsoft has a hotfix available that makes Outlook HTML emails behave as they did prior to upgrading to Windows XP SP2.  Be aware, however, that loading this hotfix removes the two security measures described previously that were implemented in XP SP2: Outlook will again send cookies and credentials for image downloads, so weigh that against the convenience.  Please call Microsoft at 1-800-936-4900 and request HotFix 895948.  You may also reference Blue Coat's case with them:  SRX050221602713.

Bypassing authentication for Outlook 2007 user agent

In previous versions of Microsoft Outlook, Outlook used Internet Explorer's user agent for making HTTP requests.  Starting with Microsoft Outlook 2007, Outlook sends its own User-Agent header, so you can write policy in the Visual Policy Manager (VPM) that bypasses authentication for that user agent only.  Two cautions: confirm the exact User-Agent string in the ProxySG access log before choosing the regex, and remember that the header is supplied by the client, so any client that sets a matching User-Agent will also skip authentication; that is why the access-layer rule in the steps below should restrict where such requests may go.  Please do the following steps:

  1. Log in to the ProxySG Management Console and go to the Configuration tab > Policy > Visual Policy Manager > Launch.
  2. In the Web Authentication layer, click "Add Rule".  Put your cursor in the Source field, right-click and select "Set" > "New..." > "Request Header...".  Give it an appropriate name, such as "OutlookClient".  For "Header Name:", select "User-Agent".  For "Header Regex:", type in "outlook" (use the capitalization that appears in your access log).  Click OK twice so that "OutlookClient" becomes the rule's source.
  3. In the same rule, right-click the Action field, select "Set", and then select "Do Not Authenticate".  Click OK twice.
  4. Rule placement is important: rules in a layer are evaluated top to bottom and the first match wins.  Move this rule to the top of the Web Authentication layer; otherwise a more general authenticate rule above it fires first and the bypass is never reached.
  5. Click the Web Access layer and create a new rule.  For "Source", use the "OutlookClient" object from step 2.  For "Destination", set restrictions, such as the allowed sites or categories that unauthenticated Outlook image requests may reach.  For "Action", right-click, select "Set", and then select "Allow".
  6. Once you are satisfied with your new rules, click "Install Policy".
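The VPM generates Content Policy Language (CPL) behind the scenes.  As an added example, not taken from the original article and not Blue Coat's own policy, the following CPL expresses in one place the three policy pieces discussed above: IP-based surrogate authentication with a short TTL, the exemption for terminal servers, and the Outlook user-agent bypass with a restricted destination.  The realm name corp_iwa, the terminal-server subnet 10.10.50.0/24, the example.com host names and the 60-second refresh value are assumed placeholders for your own values; the authenticate.surrogate_refresh_time property is assumed to be available in your SGOS version, so check the CPL reference before installing.

```cpl
; Added example policy (not from the original article).
; Assumptions: IWA realm "corp_iwa", terminal servers on 10.10.50.0/24,
; image hosts under mailimages.example.com, intranet.example.com.
; Within a layer the first matching rule wins; a rule with no condition
; is the catch-all and must stay last.

; --- Equivalent of the Web Authentication layer ---
<Proxy>
    ; Outlook's own User-Agent is never challenged. Outlook 2007 sends
    ; "Microsoft Office Outlook" in the header (assumed; confirm in the
    ; access log and match that capitalization). The header is client
    ; supplied, so the access layer below limits where it may go.
    request.header.User-Agent="Outlook" authenticate(no)

    ; Terminal servers share one source IP, so an IP surrogate would let
    ; every session piggy-back on the first login: do not authenticate.
    client.address=10.10.50.0/24 authenticate(no)

    ; Everyone else: IP-based surrogate credentials with a short refresh
    ; time so a second user on the same workstation cannot reuse them.
    authenticate(corp_iwa) authenticate.mode(origin-ip-redirect) authenticate.surrogate_refresh_time(60)

; --- Equivalent of the Web Access layer ---
<Proxy>
    ; Unauthenticated Outlook image requests: approved hosts only.
    request.header.User-Agent="Outlook" url.domain=mailimages.example.com allow
    request.header.User-Agent="Outlook" deny

    ; Terminal servers: restrictive policy instead of authentication.
    client.address=10.10.50.0/24 url.domain=intranet.example.com allow
    client.address=10.10.50.0/24 deny

    ; All other clients must have authenticated successfully.
    authenticated=yes allow
    deny
```

Install this through Configuration > Policy > Policy Files (or a local policy file) rather than alongside VPM-generated policy with overlapping rules, and test with the Policy Trace first: a request from an Outlook user agent to an unapproved host should be denied without ever being challenged, while a browser on a normal workstation should still be redirected for IWA.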


Additional Information
Bug Number
InQuira Doc Id      KB1034

First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Article Audience
Product      ProxySG
Software      SGOS 4, SGOS 5
Topic      Authentication, Content Access, Usability
Article Number      000012513