GMS and blank password security testing.

Is there any documentation that states categorically whether or not a passwordless mailbox can be authenticated to via GMS? If not, is there a client-like tool with which I can test GMS logon without a password?

All ActiveSync clients and tools that I have tried so far require a password be entered on the client side before the tool will attempt to authenticate. Is there one that will test with a null password?

  • 0  

    You should just be able to test basic authentication via curl; the below should get you started:

    curl -v -u "user" "https://mail.example.com/Microsoft-Server-ActiveSync"

    Rodney

    If you found this post useful, give it a "Like" or click on "Verify Answer" under the "More" button.   This helps others.

  • 0 in reply to   

    Thanks for getting me started. The precise command is

    curl -v -k -u domain\\username:password -H "Host:FQDN" --request OPTIONS ht7ps://FQDN/Microsoft-Server-ActiveSync

    Leaving the password off will result in a prompt for the password. This can be used interactively on the command line, but does not lend itself to use in scripts.

    Valid examples are: (replace ht7ps with https)

    curl -v -k -u .\\sally:1234 -H "Host:gms.corporate.tld" --request OPTIONS ht7ps://gms.corporate.tld/Microsoft-Server-ActiveSync

    curl -v -k -u .\\sally -H "Host:10.23.45.67" --request OPTIONS ht7ps://10.23.45.67/Microsoft-Server-ActiveSync

    The above command prompts for Sally's password.

    For GMS 24.2, mailboxes with blank passwords cannot be logged into. These login attempts cause the server to return:

    HTTP/1.1 401 Unauthorized
    Access is Denied
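
Added example, not part of the original posts: a non-interactive form of the check above, for use in a script against an account you administer. It relies on curl treating `-u user:` (trailing colon) as an empty password instead of prompting; the function names and verdict labels are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread). Sends the same OPTIONS request as the
# command above, but with an explicitly empty password and no prompt.

# "user:" with a trailing colon makes curl send an empty password.
blank_cred() {
    printf '%s:' "$1"
}

# Map the HTTP status code to a verdict (labels are this example's own).
verdict() {
    case "$1" in
        401) echo "REJECTED" ;;      # the GMS 24.2 result reported in the thread
        2??) echo "ACCEPTED" ;;      # blank password authenticated: investigate
        000) echo "NO_RESPONSE" ;;   # connection or TLS failure, no HTTP status
        *)   echo "INCONCLUSIVE" ;;  # e.g. 403, 5xx, redirect
    esac
}

# usage: check_blank_password HOST 'DOMAIN\user'
check_blank_password() {
    host=$1
    user=$2
    # -k mirrors the thread's command; drop it once the certificate is trusted.
    code=$(curl -s -k -o /dev/null -w '%{http_code}' --max-time 15 \
        -u "$(blank_cred "$user")" -H "Host: $host" --request OPTIONS \
        "https://$host/Microsoft-Server-ActiveSync") || code=000
    printf '%s %s %s\n' "$user" "$code" "$(verdict "$code")"
}

# Run only when called with both arguments, e.g.:
#   ./blank_check.sh gms.corporate.tld '.\sally'
if [ "$#" -eq 2 ]; then
    check_blank_password "$1" "$2"
fi
```

A REJECTED verdict is only meaningful if the same request with a known-good password returns a success status, which confirms the endpoint actually enforces authentication on OPTIONS.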

  • 0  

    As far as I know, a passwordless login is only possible with a GroupWise Windows client (if enabled), but it is not recommended.

    Any other clients will need a password: Web client, GMS, IMAP clients, ...


    Use "Verified Answers" if your problem/issue has been solved!

  • Suggested Answer

    0   in reply to   

    Typically there is an LDAP authentication set on a PO, and that enforces the use of directory passwords. A GW client can work via SSO without providing a password directly within the client, but there is already an authentication behind it: the user must log on with an AD account. So it is only "skipping" passwords for the application. I am not aware of a device that can use an SSO.

    The entire concept of SSL-enabled SOAP / trusted application used by GMS implies security requirements where I do not see a point in a login without any pwd. Although I have not seen that written directly, I suspect we would not allow such a login.