How does outlook encrypt the password for windows credentials - security

I using IMsgServiceAdmin::ConfigureMsgService to configure a outlook profile for my exchange server.
When calling this function, windows will popup a dialog to enter the credentials. After I enter the credentials and save, I found it will create a Generic Credentials : MS.Outlook:#.:PUT and the password is encrypted. Such as "##...yBA"
I would like to how does outlook encrypt my password as I want to manually create the credentials before I call ConfigureMsgService so that the credentials windows won't show.
Thanks in advance.

I'm a Senior Escalation Engineer for Outlook here at Microsoft and received this exact question from a customer in the past. We asked the product team if they would be able to document the format used to publish credentials in credential manager. The answer is, no, we can't, because we routinely change the format as new scenarios crop up. It may not be obvious, but the target name of the credential will be different for different scenarios. That's the critical part. Without knowing all of the details for constructing that target name, knowing how to protect the password won't help you.

For Outlook 2010 and below, use CryptProtectData(). The data to protect is a Unicode string containing the password. The length of the data (in bytes) is 2*length of the password in chars excluding terminating 0x0.
For Outlook 2013 and up, CryptProtectData is not used - CredWrite takes the password.

Related

Why Outlook can't remember my password

I'm having trouble with Outlook 2016. It's always asking to enter our credentials even if it's supposed to remember it.The password is still valid.
We are also using skype for business but it's NOT linked with outlook (most of the functionalities) and it's using our local network credentials. Outlook is not using the same credential.
I need to know witch file/gpo I need to change to fix it and make sure it really can remember the password.
Thanks
The problem is not with outlook but it's more related to Windows credentials manager.
when you ask Outlook to save your password, this will be saved in your windows credentials, and outlook will reuse it whenever you are opening it.
for some reason when you have to change your account password, outlook will fail to update the one stored in Windows credentials.
Long story short, you will have to open your credentials manager (Start => look for "Credential manager")
Then you need to click on "Windows Credentials" to see a list of all stored credentials in which you wanna look for one that starts with "MS.Outlook", which will represent your saved email information that will be used whenever you open Outlook.
all you have to do is to expand the account details, then click on Edit, and provide the current password for your email account.
after you save the new password, now outlook will not complain anymore about your credentials :)

Vb Script to refresh excel with Credentials

I have an excel file that has data connections linked to SharePoint.
It asks for credentials to connect to SharePoint
I already have a VBScript in place that refreshes the excel automatically and saves it.
Is there a way in which I can embed the credentials and enter into the pop-up.
I am new to VBScript. Any help is appreciated.
Can you embed the credentials? Probably. The real question you should as is should you? If anyone were to gain access to your script, they would have the username and password to a domain account (or even a domain admin account if that is what you are using). Not good.

See what a user password is through powershell for office 365

This question is going against the grain of every best practice I've been taught, but it's a larger issue with my current organization. The crux of it is, I need to see what a users password currently is, not just reset it. There are a few reasons for this.
My organization has an active directory, but it is used solely for remote terminal services. There is propriety software in place that does not sync with anything and we manually create user accounts within these various programs/databases, and just manually set their credentials to the same ones they use to login to their office 365 account. The online exchange is the heart of our business, not the active directory.
Due to this, passwords are set to never expire, and a masterlist is kept of all users and their passwords. All of this is transparent to the end user, as far as they are concerned, they only have one account across everything because they're logins are the same for everything, but that is because we manually set their credentials as the same. Now when a user forgets their password (especially our mobile guys as they receive their phones/tablets already logged in and rarely know their passwords) we consult the master list. However, in this circumstance, the user, for whatever reason, is not in the masterlist.
This has probably been the case for months but was only just noticed when I had to set them up with a new tablet. The user does not know their password, and without the masterlist I can't see what it is. The only other option I see available to me is to reset the users exchange password (I'll explain the process I follow below) and have the user call me every time he is unable to login to something, go to it, and reset his password or (in some cases) create him a new account (which is not at all ideal as he will loose all of the linked data he has built up over the years) and start again.
I am well aware how poor these practices are and have been pushing hard to get them changed, but that is another matter.
Now the way I currently reset a users password (as the office365 webapp does not allow manually setting of passwords) is to run powershell off my IT laptop with the exchange, azure admin and azure sign in assistant plugins, and enter the following commands:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -credential $UserCredential -Authentication Basic –AllowRedirection
Login with my domain admin account
import-pssession $session
and
connect-msolservice
This gets me to the online exchange powershell session where I can run the password reset command
Set-MsolUserPassword –UserPrincipalName TYPE_USERNAME_HERE –NewPassword TYPE_DESIRED_PASSWORD_HERE -ForceChangePassword $False
However I need to see what the password currently is. In my searching I have found many resources explaining how to get information about when the password was last set, if it's set to never expire, that sort of thing. However so actual answers on how to retrieve the users current password (and display it in a readable format as, presumably, it will be encrypted). I have, however, been led to believe it is possible by this post I found:
Powershell Scripting example link
So I basically need to know what powershell commands to run to retrieve and decode a users current password. I am my organization I.T. Admin and have full admin rights. Also, this is my first stack exchange post so let me know if there's any additional information you need. I appreciate the help.
Short answer: It's not possible.
Passwords are not directly stored in Active Directory, they are hashed and it's that hash that is stored. When you enter your details, the system hashes the password you entered and compares it with what it has stored. The algorithm used to make that hash is one way only and as such, the only way to get back to a password is to brute force crack it.
Long answer: It might be possible if you change an AD setting which changes how passwords are stored (i.e. reversible encryption) but to do that would be pretty crazy.

Connecting to SSAS 2005 from Excel 2007 over http: how to make it ask for username and password?

I'm trying to let my users connect to OLAP cube in SSAS 2005 using Excel 2007 over the Internet.
I've set up dynamic security using fact table in cube. It uses UserName function, so users should authenticate to SSAS using windows accounts. I've set up msmdpump.dll component on IIS, allowing windows authentication, but not anonimous one. I created windows accounts on web/SSAS server for remote users. My users' machines are out of my control, I can not use pass-through windows authentication.
Now, if I create connection in Excel and save username and password in it, everything works. But I want users to download Excel file without embedded credentials from my web site, and than be able to enter their credentials. Best option is if they will enter password when opening Excel file.
Problem is as soon as I clear checkbox "save password" in connection properties, or remove "User ID"/"Password" properties from connection string, Excel gives me authentication error and does not save connection properties. So I cannot create a template document or connection file without embedded credentials.
Moreover, I suspect, Excel will not ask user for login/password anyway.
Do you know a solution to my problem? Maybe some workarounds/alternative ways? I appreciate any help.
it is really tough to get what you want to work, if at all. I don't think it will work "over the internet" like you want. They would have to be VPN'd in. Their machine doesnt have to be on the network, but they can still pass the AD credentials through.
http://blog.stevienova.com/2008/01/14/how-to-connect-to-sql-server-vs-tfs-etc-using-windows-authentication-when-computer-is-not-on-active-directory-domain-xp-and-vista/
There are other options to expose the cube in some other ways (SSRS, Excel Services, 3rd party OLAP through Web) that would allow you to do what you want.
Here's something that might be worth trying - in your connection string, get rid of the username and password and add 'prompt=1;'. This will force Excel to ask for the user's credentials before it tries to authenticate them, instead of just using empty credentials to do the authentication.

How do you support a web app with hashed or encrypted passwords?

When supporting a new web app in an enterprise environment, it is often necessary to log in as a specific user in order to diagnose a real or perceived problem they are having. Two opposing issues apply here:
Best practice is to use hashed or encrypted passwords, not clear text. Sometimes, there is a third-party SSO (single sign-on) in the middle. There is no way to retrieve the user's password. Unless the user provides it (not encouraged), there is no way to log in as that user.
Many web app's have personalization and complex authorization. Different users have different roles (admin, manager, user) with different permissions. Sometimes users can only see their data -- their customers or tasks. Some users have read-only access, while others can edit. So, each user's view of the web app is unique.
Assume that in an enterprise environment, it isn't feasible to go to the user's desk, or to connect directly to their machine.
How do you handle this situation?
Edit: I want to reiterate that in a large financial institution or typical Fortune 500 company with hundreds of thousands of employees all of the country, and around the world, it is not possible for a mere developer in some IT unit to be able to directly access a user's machine. Some of those are public-facing web apps used by customers (such as online banking and stock trading). And, many of those are intranet applications rely on Active Directory or an SSO, meaning that user credentials are the same for many applications. I do thank you all for your suggestions; some may be highly useful in other kinds of environments.
A number of these ideas inconvenience the user, either by forcing them to change their password, or by occupying their desktop for your debugging session.
Markc's idea is the best: augment your authentication logic to allow superusers to log in as a particular user by supplying not the user's credentials, but the user's name plus their superuser credentials.
I've done it like this in the past (pseudo-ish python):
if is_user_authenticated(username, userpassword):
login the user
else if ':' in userpassword:
supername, superpassword = userpassword.split(':')
if is_superuser_authenticated(supername, superpassword):
login the user
In other words, if the username and password don't authenticate, if the password has a colon, then it's actually the admin username and admin password joined by a colon, so login as the username if they are the right admin username and password.
This means you can login as the user without knowing their secrets, and without inconveniencing them.
For our web applications we use a process that for lack of a better term is defined as 'hijacking' a user's account.
Basically, administrators can 'hijack' a user's account with a simple button click. In the code, you simply use a unique identifier (user id works in a less secure environment) that then establishes the necessary credentials in the session so that they can then work within that user's profile. For a more secure environment you could use a unique hash for each user.
In order to ensure that this hijack method is secure, it always first verifies that the request is being made by an authenticated administrator with the appropriate rights. Because of this it becomes necessary for either the administrator's session to be hijacked or for their authentication credentials to be captured in order for someone to ever exploit the hijack function within the application.
I had 4 ideas. While I was typing 3 of them were already suggested (so I upvoted them)
Variant on idea 3 - impersonation:
To make this as "identical as possible" to a normal login with minimal code changes, you might add the ability to impersonate directly at login by supplying Admin credentials plus an alternate username, e.g. login as Admin:user, adminpassword. The system would treat this exactly as logging in as user with userpassword.
Idea 4: Can you access the password store? If so, temporarily replace the user's hash with the hash of a known password. (the passwords are often stored online in a database. A SQL Query tool can do the swaps )
An administrator should be able to change a user's password. Change the password for the user to something you know. You can then log in as that user.
Tell the user to reset his/her password after you are done debugging.
Usually by some sort of remote control software that can be used to view their desktop. If they're on a Windows terminal server, then the built in admin tools can be used for that. Otherwise I'd use something like VNC across an internal network, or an external service like LogMeIn (http://www.logmein.com/).
Could you have a testing environment where there is a regular cut of live data copied to (obviously sanitised to meet any security or data protection issues). A user similar in setup to the one having trouble could be used to troubleshoot or indeed the very user if this is allowed.
Use a remote desktop client as mentioned in other answers, but again this may not be practical for you. If you have these rights within the domain, I have heard of error handling even doing a screenscrape and including this in logs! but this sounds a little odd to me.
Could you have an admin tool to clone a user into a demo account?
The solution we have used in our web apps is to have the authN/authZ return the desired user as the effective user. We do this by having an admin feature to setup a masquerade, and then when we ask for the currently logged in user (current_user), we handle the masquerade:
def current_user_with_effective_user
if masked?
current_user_without_effective_user.masquerade_as
else
current_user_without_effective_user
end
end
alias_method_chain, :current_user, :effective_user

Resources