Legacy Silent Redirection - Speech mark / apostrophe in password


  • We've configured legacy silent redirection from our 2010 CAS server to redirect appropriate users to their 2003 front end Outlook Web Access server. This works seamlessly for most users.

    However, users with an apostrophe (') in their password don't automatically get logged on to the 2003 front-end. Exchange 2003 says, "Wrong username and password," and these users have to enter their credentials again.

    The reason for this is that, to do the redirect, /owa/auth.owa returns the a pre-filled form to the user's browser, with Javascript to auto-submit the form. The following is part of this form:

    <body onload='javascript:DoSubmit();'><form name='logonForm' id='logonForm' action='' method='post' target='_top'><input type='hidden' name='destination' value=''>

    <input type='hidden' name='flags'....><input type='hidden' name='username' value='testuser'><input type='hidden' name='password' value='t'estPass'><input type='hidden' name='isUtf8' value='1'></form></body></html>

    Obviously, the password needs escaping otherwise half of it gets missed in the html markup. Quite a simple problem, quite an easy fix, I think. The code that returns this is in a compiled dll so I can't figure any workaround. You can't escape the password on submission to 2010 since this also checks the password before returning it.

    Monday, June 10, 2013 1:28 PM

All replies

  • Slightly useful info: We're on Exchange 2010 SP3, Version: 14.03.0123.003
    Monday, June 10, 2013 1:32 PM
  • Hi,

    Yes, it’s still a known issues till the recent version of the Exchange 2010. Workaround is to avoid the apostrophe.

    You can submit your feedback to Microsoft by:


    Simon Wu
    TechNet Community Support

    Monday, June 17, 2013 11:10 AM
  • Is there an update that fixes this?

    Workaround not possible - we can't tell everyone to change their passwords not to have an apostrophe in them!

    Monday, June 17, 2013 12:02 PM