Scope
When you have multiple Edge Security Pack (ESP) SSO domains configured on your LoadMaster, clients are required to enter their credentials in the format "domain\user" or "user@domain".
In this type of scenario, it makes sense to have a greeting message notifying clients of this requirement, for example:
Welcome to webmail.kemp.com, please enter your credentials in the format "domain\user" or "user@domain"
The problem is that, with a bare backslash in the message, the LoadMaster either flags the input as an XSS attack or the message does not appear in the logon form. This is because the backslash "\" is a special (escape) character in regular expressions, so a single backslash is consumed rather than displayed.
Solution
Escape each backslash in the greeting message with an additional backslash, so that "domain\user" is entered as "domain\\user".
Configuration
To configure a greeting message, follow the steps below in the LoadMaster Web User Interface (WUI):
- Go to Virtual Services > View/Modify Services.
- Click Modify on the relevant Virtual Service.
- Expand the ESP Options section.
- Ensure ESP is enabled.
- Ensure the Client Authentication Mode is set to Form Based.
- Enter the SSO Greeting Message, for example Welcome to webmail.kemp.com, please enter your credentials in the format (domain\\user or user@domain).
- Click Set SSO Greeting Message.
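The following is an added example, not Kemp's code or the LoadMaster's own implementation. It models the escaping rule above: it assumes that the stored greeting is later read as a backslash-escaped string (regex or string-literal style), so a lone "\" is consumed as an escape character instead of being shown, while "\\" survives as a single visible backslash. It also includes a check that flags unescaped backslashes in a message before it is entered in the WUI.

```javascript
// Added example (not Kemp's code). Assumption: the stored greeting is interpreted
// as a backslash-escaped value, so "\\" renders as "\" and a lone "\x" loses the backslash.

// Escape every backslash so the literal character survives interpretation.
function escapeGreeting(message) {
  return message.replace(/\\/g, '\\\\');
}

// Simplified model of an escape-aware consumer reading the stored value:
// "\\" -> "\", and any other "\x" -> "x" (the backslash is dropped).
function interpretStoredGreeting(stored) {
  return stored.replace(/\\(.)/g, '$1');
}

// Return the positions of backslashes that are not part of a "\\" pair.
// An empty result means the message is safe to paste into the SSO Greeting Message field.
function findUnescapedBackslashes(stored) {
  const positions = [];
  for (let i = 0; i < stored.length; i++) {
    if (stored[i] !== '\\') continue;
    if (stored[i + 1] === '\\') { i++; continue; } // doubled backslash is already escaped
    positions.push(i);
  }
  return positions;
}

// True when the intended text comes back unchanged after escaping and interpretation.
function roundTrips(message) {
  return interpretStoredGreeting(escapeGreeting(message)) === message;
}

// Constructed sample greeting from the article, with the backslash the clients need to see.
const GREETING = 'Welcome to webmail.kemp.com, please enter your credentials in the format "domain\\user" or "user@domain"';

console.log('as typed          :', GREETING);
console.log('unescaped renders :', interpretStoredGreeting(GREETING)); // backslash lost
console.log('escaped for WUI   :', escapeGreeting(GREETING));
console.log('escaped renders   :', interpretStoredGreeting(escapeGreeting(GREETING)));
console.log('lone backslashes  :', findUnescapedBackslashes(GREETING));
```

Run it with `node` to see the unescaped greeting lose its backslash ("domainuser") while the escaped form renders as intended; `findUnescapedBackslashes` is the pre-submission check, returning the offsets of any backslash that still needs doubling.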