Wednesday, January 11, 2012

Remember password with ISA Server

Here was a scenario I ran into recently.  A client had an ISA server 2006 deployment and used forms authentication against AD for logging in their customers. A long time request had been that users did not want to enter their username and password every time, they wanted the browser to remember their credentials.

After talking the customer through the fact that this was not a good idea from a security standpoint and not succeeding in dissuading them, I started to look for the solution. We took a look at the ISA settings on the server, but couldn't find anything in this regard. I was chatting to a colleague about this who had been making modifications to the ISA server login page to customize the HTML the end user would see, and he pointed out that there is a form option on the login page that turns auto complete on or off. Here is the piece of HTML that causes this:

form autocomplete="off" id="logonForm" method="post" action="/CookieAuth.dll?Logon"

Setting autocomplete="on" then allows the browser to save the username and password credentials.