The “Save Password” checkbox does not work in Mobile IE
02 Apr
Posted by dfield in Authentication, Mobile IE, Windows Mobile
Here is a little issue that I researched this week and I thought I’d share it on the blog.
PROBLEM: When accessing a website that requires NTLM (Integrated Windows) authentication, the “Save Password” option in the Mobile IE authentication dialog does not work on Windows Mobile Pocket PCs and Smartphones: the password has to be re-entered in every new browser session.
Here are detailed steps that outline how to reproduce this problem using a Motorola/Symbol MC70 Pocket PC. Note that the test device was running Windows Mobile 5.0 AKU3.
1. Perform a “clean” reboot of the device, i.e. a cold boot that resets all storage volumes on the device to factory defaults, so that no previously saved credentials remain.
2. Configure a website that is joined to an Active Directory domain to use password authentication. You will need access to IIS Admin during testing. Start with Basic authentication: in the properties for the website, open the “Directory Security” tab, click the “Edit” button under “Authentication and access control”, and check the box for “Basic authentication”. Note: whether the site uses HTTPS/SSL is irrelevant to this test, but Basic authentication must not be used without SSL in practice, because the credentials are sent effectively in clear text (Base64-encoded, not encrypted).
3. From the device, open the website in the Mobile IE browser. You will be prompted for the password. Note: the Basic authentication dialog shows the “Realm”; for NTLM authentication a “Domain” field is required instead.
4. Enter your domain\username and your password, check the “Save Password” box, and tap “OK”.
5. Confirm that the password-secured site renders in the Mobile IE browser.
6. At this point, refreshing the page, or even browsing to a couple of other sites before revisiting it, will not prompt for the password again, because the browser process that authenticated is still running and holds the session (and the page) in memory. Authentication only happens again once the browser session is ended and the page is re-opened. You can end the browser session with a warm reset, but it is easier to stop and restart the “Internet Explorer” process as follows:
   - On the device, go to Settings / System tab / Memory / Running Programs tab.
   - Select “Internet Explorer” from the “Running Programs List:”.
   - Tap the “Stop” button. This stops the browser process.
7. Re-open the Mobile IE browser on the device and browse to the website again. You should find that you do not need to enter the credentials this time, because the saved password is used.
CONCLUSION: Save Password works with “Basic Auth”
8. Close the browser session again as described in step 6.
9. In IIS Admin, change the authentication for your website from Basic to NTLM: uncheck “Basic authentication” and check the box for “Integrated Windows Authentication”, which is NTLM for this client. Stop and restart the website to make sure the authentication change takes effect.
10. On the device, confirm that the “Internet Explorer” process is not running. If it is, stop the process.
11. Open Mobile IE and browse to the website again. This time you will see the authentication dialog for NTLM (Windows Integrated) authentication. The user name and domain are pre-filled from the previous use of your credentials for Basic authentication, but the previously saved password is not re-used.
12. Enter your password and be sure to check the “Save Password” box before tapping the “OK” button.
13. Confirm that the password-secured site renders in the Mobile IE browser.
14. Close the browser session again as described in step 6.
15. Re-open the website.
16. You will see the same authentication dialog that you saw in step 11.
CONCLUSION: By default, the “Save Password” option exposed in the Mobile IE authentication dialog does not save the password for NTLM authentication cases.
WHY DOES THIS HAPPEN?: Mobile IE is built on the Windows Internet API (WinINet), core code inherited from desktop Windows. You may have noticed that, to get desktop IE to cache NTLM credentials for a site, the site has to be in the “Local intranet” zone, and the zone’s “Logon” security setting has to be “Automatic logon only in Intranet zone” or “Automatic logon with current user name and password”. Once a desktop IE user has entered and saved the password for an intranet-zone site one time, they are not asked for it on subsequent visits. Mobile IE applies the same zone rule, but Windows Mobile offers no configuration UI for zones or logon settings, so a site that is not explicitly mapped stays in the Internet zone and the saved NTLM password is never reused.
SOLUTION: You can add the website to the list of intranet sites by editing the registry on the device. To configure http://www.yoursite.com/ and https://www.yoursite.com/ as “intranet” websites, and therefore eligible for NTLM password caching:
- Add the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoursite.com\www
- Under this new key, add two DWORD values named “http” and “https”.
- Set each of the two values to 1.
NOTES:
- The host name prefix (e.g. “www”) is configured as a subkey of the domain name key (e.g. “yoursite.com”).
- You need a value for each URI scheme (http, https, ftp, etc.) that may be used to reach the website, and each scheme gets its own instance of the cached password. If the site is only reachable over HTTPS, map only “https”; mapping “http” as well lets the saved credential be used over an unencrypted connection, where the NTLM exchange can be captured and relayed or cracked offline.
- Setting a scheme’s value to 1 places that scheme://host combination in the “Local Intranet” zone. The zone values are: 0 = My Computer, 1 = Local Intranet Zone, 2 = Trusted Sites Zone, 3 = Internet Zone, 4 = Restricted Sites Zone.
- For a full discussion of the security zone registry settings, see Microsoft KB 182569, “Internet Explorer security zones registry entries for advanced users”.
- There are a number of registry editors for Windows Mobile devices that you can download and use. Alternatively, you can query and write the registry with WAP provisioning XML through the Registry configuration service provider, and push that XML to a device with a tool such as rapiconfig, which ships with the Windows Mobile Software Development Kits.
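The registry change above, expressed as WAP provisioning XML for the Registry configuration service provider. This is an added example and not part of the original post: the domain yoursite.com and host www are placeholders exactly as in the post, and the rapiconfig switches in the usage note below are given from memory of the SDK tool, not from the post.

```xml
<!-- Added example (not from the original post). Maps www.yoursite.com to the
     Local Intranet zone (1) so that Mobile IE / WinINet will reuse the saved
     NTLM password. Replace yoursite.com and www with your own domain and host. -->
<wap-provisioningdoc>
  <characteristic type="Registry">
    <!-- One characteristic per registry key; the key path is the type attribute.
         The host ("www") is a subkey of the domain key ("yoursite.com"), so the
         mapping applies to this host only, not to every host in the domain. -->
    <characteristic type="HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yoursite.com\www">
      <!-- Zone IDs: 0 My Computer, 1 Local Intranet, 2 Trusted Sites,
           3 Internet, 4 Restricted Sites. One DWORD value per URI scheme. -->
      <parm name="https" value="1" datatype="integer" />
      <!-- Keep the http mapping only if the site is really served over plain
           HTTP; drop it so the saved credential is never used on an
           unencrypted connection. -->
      <parm name="http" value="1" datatype="integer" />
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
```

Save this as, say, zonemap.xml and push it to a cradled device with rapiconfig from the Windows Mobile SDK, e.g. `rapiconfig /p /m zonemap.xml` (/p processes the document, /m shows the device’s response document; check the SDK help if your version differs). To read the mapping back, replace each `<parm .../>` with `<parm-query name="https" />` and run the document the same way; the response echoes the current value. The functional check is the NTLM repro above: stop the Internet Explorer process, re-open the site, and confirm that no password prompt appears. Bear in mind that the NTLM password is now stored on the device, so device lock and remote-wipe policies matter more, and that you should map only the exact hosts that need it rather than putting the values directly under the domain key, which would cover every host in that domain.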
Dave Field, CISSP, MCP
Device Management and Security Architect
Enterprise Mobile, Inc.
2 Responses
Thorbjörn
03 Jun 2008
Thanks a million!
I really needed the security zone information – was really unhappy that there seemed to be no UI for changing those in “pocket-IE”!
Valentin
13 Apr 2009
I just bought a Treo Pro which comes with IE6. I had the same problem. I tried your solution, but it did not work. The properties for the page say that the security zone is intranet, but the Treo still does not remember the password.