#88 nhs.net OWA login

open
nobody
None
5
2014-12-27
2013-04-29
No

NHSmail uses Microsoft Office Outlook Web Access and is accessed at https://web.nhs.net/portal/

Unfortunately, the login page has an extra obstacle. This is an on-screen keyboard for the first three letters of password entry.

I would like to request extra coding to make DavMail compatible with nhs.net.

Thanks for writing this helpful connector.

Discussion

  • Mickael Guessant

    Looks like this on-screen keyboard is just a dumb client-side script: the password field still exists but is hidden, it just concats field values to build the standard field:

    document.getElementById("password").value = pwd1.value + pwd2.value;

    => DavMail may work even with this stupid JavaScript form!

     
  • Arnold Raynor

    Arnold Raynor - 2013-05-12

    I believe that the answer is somewhere in this source code for the login page https://web.nhs.net/CookieAuth.dll?GetLogon?curl=Z2Fportal&reason=0&formdir=5

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>NHSmail</title>
    <meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
    <meta content="NOINDEX, NOFOLLOW" name="Robots" />
    <script src="/CookieAuth.dll?GetPic?formdir=5&amp;image=flogon.js" type="text/javascript"></script>
    <link href="/CookieAuth.dll?GetPic?formdir=5&amp;image=login.css" rel="stylesheet" type="text/css" />

    <link rel="stylesheet" type="text/css" href="/CookieAuth.dll?GetPic?formdir=5&amp;image=keyboard.css" />
    <!--[if IE]>
    <link href="/CookieAuth.dll?GetPic?formdir=5&amp;image=loginIE.css" rel="stylesheet" type="text/css" />
    <![endif]-->

    <script type="text/javascript" src="/CookieAuth.dll?GetPic?formdir=5&amp;image=keyboard.js" charset="UTF-8"></script>
    <script type="text/javascript">
    <!--

    var a_fGzpEnbl = 1;
    var g_fFcs = 1;

    function window_onload()
    {
    //Make user that the login page does not load in a frame
    if (top.location != location) {
    //top.location.href = document.location.href;
    top.location.href = "/";
    }
    onld();
    setFocus();
    document.getElementById("logonForm").setAttribute("autocomplete","off");
    }
    function setFocus() {
    if (document.getElementById("partUsername") != null && document.getElementById("partUsername").value == "")
    document.getElementById("partUsername").focus();
    else if (document.getElementById("password1") != null && document.getElementById("password1").value == "")
    document.getElementById("password1").focus();
    else if (document.getElementById("password2") != null && document.getElementById("password2").value == "")
    document.getElementById("password2").focus();
    }
    -->
    </script>
    </head>
    <body style="background-color:#ffffff;" onload="return window_onload();">
    <noscript>
    <div id="dvErr">
    <table cellpadding="0" cellspacing="0">
    <tr>
    <td><img src="/CookieAuth.dll?GetPic?formdir=5&amp;image=lgnerror.gif" alt="" /></td>
    <td style="width:100%">To use Microsoft Outlook Web Access, script must be enabled on your browser. For information about how to enable script, consult the Help for your browser. If your browser does not support script, you can download <a href='http://www.microsoft.com/windows/ie/downloads/default.mspx'>Microsoft Internet Explorer</a>.</td>
    </tr>
    </table>
    </div>
    </noscript>
    <form action="/CookieAuth.dll?Logon" method="post" id="logonForm">
    <input type="hidden" id="curl" name="curl" value="Z2Fportal" />
    <input type="hidden" id="flags" name="flags" value="0" />
    <input type="hidden" id="forcedownlevel" name="forcedownlevel" value="0" />

    <input type="hidden" id="formdir" name="formdir" value="5" />
    <div id="wwwLogin">
    <br /> <br />
    <p><strong>This service is for authorised users only. Anyone attempting unauthorised access will be considered for appropriate legal action.</strong></p> <br />
    <div></div> <br />

    <h2>Log in</h2>
    <div id="login">
    <div id="loginSection">

    <label for="username">Username:</label>
    <input class="username" type="text" id="partUsername" name="partUsername" onfocus="keyboardObject.VKI_close();" /> <br />
    <label for="password1">Password:</label>
    <div class="boxRight">
    <input class="password1 keyboardInput" type="password" id="password1" maxlength="3" onfocus="g_fFcs=0" onkeypress="return false;" onkeyup="return false;"/>
    <input class="password2" type="password" id="password2" onfocus="keyboardObject.VKI_close();g_fFcs=0"/>
    </div>
    <br /><br />

    <input class="wwwButton" id="SubmitCreds" type="submit" onclick="return clkLgn()" value="Log in" name="SubmitCreds" />
    <br />
    <span class="checkboxFieldPosition"><input id="rdoPblc" type="radio" name="trusted" value="0" onclick="clkSec()" checked="checked" /></span>
    <label class="labelLinePosition" for="rdoPblc">This is a public or shared computer</label><br />

    <div id="trPubExp" style="display:none">Select this option if you are connecting from a public computer. Be sure to log off and close all browser windows to end your session. Read about the <a href= 'http://go.microsoft.com/fwlink/?LinkId=65796'>security risks</a> of using a public computer.</div><br />
    <span class="checkboxFieldPosition"><input id="rdoPrvt" type="radio" name="trusted" value="4" onclick="clkSec()" /></span>
    <label class="labelLinePosition" for="rdoPrvt">This is a private computer</label><br />

    <div id="trPrvtExp" style="display:none">Select this option if you are the only person using this computer. This option provides additional time of inactivity before automatically logging you off.</div><br />
    <div id="trPrvtWrn" style="display:none"><B>Warning:</B> By selecting this option you acknowledge that the computer complies with your organisation's security policy.</div><br />
    <span class="checkboxFieldPosition"><input id="chkBsc" name="chkBsc" type="checkbox" onclick="clkBsc()" /></span>
    <label class="labelLinePosition" for="chkBsc">Tick this box if you require high contrast settings or have a slow internet connection</label><br />
    </div>
    <br />
    <br />

    <div id="keyboardContainer"></div>
    </div>

    </div>

    <input id="username" type="hidden" name="username" value="@nhs.net" />
    <input id="password" type="hidden" name="password" />
    </form>
    </body>
    </html>
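
What the quoted form actually submits, as an added example that is not part of the original thread or of DavMail: it parses a trimmed copy of the form above and separates inputs that have a `name` (sent in the POST body) from those that do not (`password1`, `password2`), which is why the on-screen keyboard does not change what the server receives. The names `FormAudit`, `audit` and `fields_after_script` are hypothetical, and the script's behaviour is assumed to be only the concatenation line quoted earlier in the thread.

```python
from html.parser import HTMLParser

# Trimmed copy of the logon form quoted above (layout and some fields removed).
LOGON_FORM = """
<form action="/CookieAuth.dll?Logon" method="post" id="logonForm">
<input type="hidden" id="curl" name="curl" value="Z2Fportal" />
<input type="hidden" id="formdir" name="formdir" value="5" />
<input class="username" type="text" id="partUsername" name="partUsername" />
<input class="password1 keyboardInput" type="password" id="password1" maxlength="3" />
<input class="password2" type="password" id="password2" />
<input id="rdoPblc" type="radio" name="trusted" value="0" checked="checked" />
<input id="rdoPrvt" type="radio" name="trusted" value="4" />
<input id="username" type="hidden" name="username" value="@nhs.net" />
<input id="password" type="hidden" name="password" />
</form>
"""


class FormAudit(HTMLParser):
    """Split <input> controls into those a browser submits and those it drops."""

    def __init__(self):
        super().__init__()
        self.submitted = {}    # name -> value, as sent in the POST body
        self.client_only = []  # ids of inputs that have no name attribute

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if not a.get("name"):
            self.client_only.append(a.get("id"))  # never leaves the browser
        elif a.get("type") in ("radio", "checkbox") and "checked" not in a:
            return  # unchecked radios and checkboxes are not submitted
        else:
            self.submitted[a["name"]] = a.get("value", "")


def audit(html):
    parser = FormAudit()
    parser.feed(html)
    return parser.submitted, parser.client_only


def fields_after_script(html, pwd1, pwd2):
    # Models the one script line quoted in the thread: password = pwd1 + pwd2.
    submitted, _ = audit(html)
    submitted["password"] = pwd1 + pwd2
    return submitted
```

Running `audit(LOGON_FORM)` lists `password1` and `password2` as client-only, so the split entry exists only in the browser and the server sees a single `password` field.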

     
  • Mickael Guessant

    Did you try to connect with DavMail?

     
    • Arnold Raynor

      Arnold Raynor - 2014-09-11

      Hi Mickael, I would like to use DavMail from the internet. Have you been able to make this work?

       
      • Arnold Raynor

        Arnold Raynor - 2014-09-19

        Apologies, this reply should have been to Padraig Looney.

         
  • Padraig Looney

    Padraig Looney - 2013-06-24

    I have just connected to the nhs.net using DavMail from within the N3 network. That online keyboard thing appears when you are outside that network. I used the address

    https://outlook.nhs.net/ews/exchange.asmx

    I have experience using Java and am happy to help on this.

     
    • Arnold Raynor

      Arnold Raynor - 2014-09-19

      Dear Padraig, have you been able to make DavMail work from the internet?

       
  • Mickael Guessant

    Well, you could try to send me a WIRE DEBUG log file at mguessan@free.fr for further investigation.

     
  • Arnold Raynor

    Arnold Raynor - 2014-11-29

    Dear Mickael,

    Thank you very much. The address which you have found with EWS in capital letters works!

    For reference and to help others, I am attaching screenshots of the DavMail and SeaMonkey configuration screens needed to set this up. For security, the user should use encryption on their hard drive. A user can become locked out of the server with this setup, and fixing this requires a password reset from within the internal network. I will try and find out how to avoid lock-outs.

    The EWS endpoint address was not obvious and this leads to a question: Could DavMail automatically search for and use the autodiscover response if the user supplies only the address for the outlook web login page?

    This is an extremely useful piece of software and I am very grateful that IMAP is now accessible again on this server. IMAP was previously available and despite reassurances that it would be maintained, it has been broken since 2009. DavMail repairs the fault which has been present for many years.

    Best regards,

    Arnold

     
  • Mickael Guessant

    DavMail already tries to autodiscover the URL in case the user-specified URL is wrong; however, this does not always work.

    I intend to make Discover a full connection mode to automatically determine the target Exchange server according to user name.

     
