Microsoft, user differ on details of Exchange 2003 flaw
“…The admin said that, three months ago, his team had upgraded two front-end and back-end servers to Windows Server 2003 and Exchange Server 2003. Shortly after the upgrade, users randomly began reporting that they were being logged on to other people’s mailboxes with full privileges.
Microsoft was informed immediately, the administrator said.
“Microsoft did reproduce the problem and had mentioned that this had been a problem in their beta testing before Exchange had been released, and the problem was thought to be corrected but apparently not,” the admin said in an e-mail exchange with SearchSecurity.com. “Microsoft [had] us make all kinds of changes, and we thought the problem was gone, but it kept happening. We had to shut down OWA and could do no more testing because of the security risk.”
Microsoft released a statement late last week about this situation, and the company said the security issue occurs only if Kerberos authentication is disabled. Microsoft said such a configuration is rare because Kerberos is enabled by default in Exchange Server 2003. Kerberos is a secure method for authenticating a request for a network service.
The administrator, however, said Kerberos was enabled during and after the upgrade.
‘We did not turn off Kerberos or change any default configuration, so I am not sure what they are referring to,’ he said. ‘I believe there are other companies experiencing this issue — Microsoft [support] led us to believe this.’ ”
