SlideShare a Scribd company logo

Autodiscover flow in an office 365 environment part 3#3 part 31#36

Eyal Doron, profile picture
Eyal Doron

This document discusses the autodiscover flow in an Office 365 environment through a series of steps analyzed using the Microsoft Remote Connectivity Analyzer. It details how the autodiscover client resolves hostnames, tests server communication on port 443, validates SSL certificates, and manages client-server trust relationships. The article is part of a three-part series aimed at understanding the autodiscover process and troubleshooting it effectively.

Technology
1 of 24
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Page 1 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 The current article is the continuation of the previous article, in which we review the Autodiscover flow that is implemented in an Office 365 based environment, by using the Microsoft web based tool, the Microsoft Remote Connectivity Analyzer (ExRCA). Autodiscover flow in an Office 365 environment | The article series The current article is the third article in a series of three articles. The additional articles in the series are:  Autodiscover flow in an Office 365 environment | Part 1#3 | Part 29#36  Autodiscover flow in an Office 365 environment | Part 2#3 | Part 30#36
Page 2 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 7/20: Attempting to resolve the host name autodiscover- s.outlook.com in DNS. In this step, the Autodiscover client query the DNS server for the IP address of a host named –autodiscover-s.outlook.com In case that you are wondering from where the Autodiscover client gets this hostname, the answer is- from the URL address that was sent to him in the HTTP redirection response. Step 7/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see the Autodiscover client address the DNS server looking for the IP address of the host – autodiscover-s.outlook.com The host name resolved successfully. IP addresses returned: 157.56.241.102, 157.56.245.166, 157.56.232.166, 157.56.245.70, 157.56.236.214, 157.56.236.6 Step 8/20: Testing TCP port 443 on the host autodiscover- s.outlook.com to ensure it’s listening and open.
Page 3 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 The Autodiscover client will try to verify if the potential Autodiscover Endpoint is listing on port 443 (HTTPS). In our scenario, the HTTPS communication test succeeded, meaning that the destination host (the Autodiscover Endpoint) supports HTTPS communication. Note – 1. The fact that the “destination host” support HTTPS protocol doesn’t necessarily mean that the host is “right Exchange server” that can provide the required Autodiscover information. 2. Even in case that the “destination host” support the HTTPS protocol + the “destination host” is a valid Exchange server, it doesn’t mean that he can provide the required Autodiscover information. In our scenario, we will soon see that the “destination host” is not the “end of the journey” and he will not provide the Autodiscover client the required Autodiscover response but instead, an HTTPS redirection message. Step 8/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover client tries to verify if the host –autodiscover-s.outlook.com, can communicate using TCP port 443. Testing TCP port 443 on host autodiscover-s.outlook.com to ensure it’s listening and open: The port was opened successfully.
Page 4 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 9/20: Attempting to obtain the SSL certificate from the remote server autodiscover-s.outlook.com on port 443 The Autodiscover “relationships” between the Autodiscover client and the Autodiscover Endpoint is built on a “trust concept”. The first phase is the step in which the Autodiscover client will need to trust the Autodiscover Endpoint and in the second phase, the Autodiscover Endpoint will need also to “trust” the Autodiscover client. The “trust” begins with the step, in which the Autodiscover Endpoint, needs to prove his identity. To be able to verify the Autodiscover Endpoint identity, the Autodiscover client will ask from the Autodiscover Endpoint to send him his public certificate. Step 9/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover client asks from the host –autodiscover-s.outlook.com to send his certificate.
Page 5 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 The server sends his certificate and, in the result, we can see the details of the certificate: The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate. Remote Certificate Subject: CN=outlook.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US, Issuer: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US. Step 10/20: Testing the autodiscover-s.outlook.com SSL certificate to make sure it’s valid. The certificate validation test which the Autodiscover client performs includes three distinct different parts.
Page 6 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 1. Validating the certificate name The Autodiscover client addresses the potential Autodiscover Endpoint using the host name-autodiscover-s.outlook.com To be able to know a specific host is “reliable”, Autodiscover client will check if the certificate includes the specified host name (autodiscover-s.outlook.com) or in a wildcard certificate scenario, the domain name – *.outlook.com 2. Validating the certificate trust The public certificate that the server provide was created by a CA (certificate authority). The Autodiscover client will need to also to validate the identity of the certificate authority that provides the server his certificate. 3. Verify that the certificate date is valid. The Autodiscover client will need to verify that the server certificate date is valid. Note – In case that you want to read more detailed information about the subject of Autodiscover, security mechanism and certificates, read the article: Autodiscover process and Exchange security infrastructure | Part 20#36
Page 7 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 10/20: Analyzing the data from the ExRCA connectivity test In the Microsoft Remote Connectivity Analyzer result page, we can see information about the three different tests that the Autodiscover client performs to the public certificate that was sent by the server: 1. Validating the certificate name The Autodiscover client, verify that the server certificate includes the server FQDN or the server domain name. The certificate name was validated successfully. Hostname autodiscover-s.outlook.com was found in the Certificate Subject Alternative Name entry.
Page 8 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 2. Validating the certificate trust  The Autodiscover client verifies the trust chain that appears in the server certificate.  The Autodiscover client successfully manages to verify the trust chain. The certificate is trusted, and all certificates are present in the chain. The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=outlook.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US. One or more certificate chains were constructed successfully. 3. Verify that the certificate date is valid. The Autodiscover client verifies that the server certificate is still valid and was not expired. In our example, the test complete successfully meaning the server certificate is valid. Testing the certificate date to confirm the certificate is valid. Date validation passed. The certificate hasn’t expired. The certificate is valid. NotBefore = 2/18/2014 11:41:01 PM, NotAfter = 2/18/2016 11:41:01 PM
Page 9 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 11/20: Checking the IIS configuration for client certificate authentication. The “trust channel” between the Autodiscover client and the Autodiscover Endpoint, is built on the ability of each party to prove his identity. In the former section, the Autodiscover client managed to successfully verify the server’s identity. Now, we are getting to the second part, in which the Autodiscover client will need to prove his identity to the server for getting the required Autodiscover information. The Autodiscover client, verify if the destination host (the Autodiscover Endpoint) needs a client certificate. (A client certificate, is a method in which the client can prove his identity). The use of a client certificate is very rare and, most of the time, the way that the client uses for “proof his identity” is by providing a user’s credentials. Step 11/20: Analyzing the data from the ExRCA connectivity test In the Microsoft Remote Connectivity Analyzer result page, we can see that
Page 10 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015  The Autodiscover client asks the server if a client certificate is required.  The server replies that he doesn’t need a client side certificate. Checking the IIS configuration for client certificate authentication. Client certificate authentication wasn’t detected. Accept/Require Client Certificates isn’t configured. Step 12/20: Providing user credentials to the Autodiscover Endpoint The Autodiscover proves his identity by providing a user’s credentials” (user name + password). Note – the part of “providing user credentials“, doesn’t appear in the Microsoft Remote Connectivity Analyzer result page Step 13/20: Attempting to send an Autodiscover POST request to potential Autodiscover URLs
Page 11 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Autodiscover client “think” that the host – autodiscover-s.outlook.com is a potential Autodiscover Endpoint and for this reason, the Autodiscover client creates a request for the Autodiscover information. Note that the term that is used for describing the Autodiscover Endpoint is – “a potential Autodiscover Endpoint”. The word “potential”, tell us that the Autodiscover client is aware of the fact that the host he is addressing, could be the final node or a node that will redirect him to additional Autodiscover Endpoint. In our scenario, the “answer” that the host autodiscover-s.outlook.com provide include a redirection message that redirects the Autodiscover client to additional potential Autodiscover Endpoint named – pod51049.outlook.com Step 13/20: Analyzing the data from the ExRCA connectivity test On the ExRCA result page, we can see the following information about the process: The Autodiscover client, address the Autodiscover Endpoint and ask for the Autodiscover response. The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from the URL – https://autodiscover-
Page 12 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 s.outlook.com/Autodiscover/Autodiscover.xml for user Bob@o365info.com The Autodiscover XML response was successfully retrieved. However, instead of getting the required Autodiscover information, the Autodiscover client gets a redirection answer to additional host: An HTTPS redirect was received in response to the Autodiscover request. The redirect URL ishttps://pod51049.outlook.com/Autodiscover/Autodiscover.xml. Step 14/20: Attempting to resolve the host name pod51049.outlook.com in DNS To be able to reach the host named – pod51049.outlook.com, the Autodiscover client will need to get information about the IP address of the specific host. Autodiscover connects a DNS server and asks for the IP address on – pod51049.outlook.com
Page 13 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 14/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover address, the DNS server and the DNS server reply by providing a list of IP addresses (IP address that are mapped to the host name). Attempting to resolve the host name pod51049.outlook.com in DNS. The host name resolved successfully. IP addresses returned: 132.245.229.146, 132.245.226.34, 157.56.251.217, 157.56.255.60, 132.245.210.9, 132.245.212.98, 157.56.250.66, 157.56.254.178, 2a01:111:f400:803c::2 Step 15/20: Testing TCP port 443 on host pod51049.outlook.com to ensure it’s listening and open. To be able to start the Autodiscover process with the potential Autodiscover Endpoint (pod51049.outlook.com), the Autodiscover client needs to verify that the destination host can communicate using the HTTPS protocol.
Page 14 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 15/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover client tries to verify of the destination host can communicate using HTTPS and that the test was successfully completed, meaning the destination host is listing the communication requests that are sent to port 443. Testing TCP port 443 on host pod51049.outlook.com to ensure it’s listening and open. The port was opened successfully. Step 16/20: Asking from the potential Autodiscover Endpoint to provide a public server certificate The Autodiscover client needs to be sure, that the destination host can be trusted. For this reason, the Autodiscover client asks for the destination host (pod51049.outlook.com) to prove his identity by providing a public certificate.
Page 15 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 16/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover client asks for the host – pod51049.outlook.com to send his certificate. The server sends his certificate and, in the result, we can see the details of the certificate: The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server pod51049.outlook.com on port 443. The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate. Step 17/20: Testing the pod51049.outlook.com SSL certificate to make sure it’s valid. The certificate validation test which the Autodiscover client performs, includes three different parts.
Page 16 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 1. Validating the certificate name The Autodiscover client addresses the potential Autodiscover Endpoint using the host name-pod51049.outlook.com To be able to know a specific host is “reliable”, Autodiscover client will check if the certificate includes the specified host name (pod51049.outlook.com) or in a wildcard certificate scenario, the domain name – *.outlook.com 2. Validating the certificate trust. The public certificate that the server provide was created by a CA (certificate authority). The Autodiscover client, will need to also to validate the identity of the certificate authority who provides the server his certificate. 3.Verify that the certificate date is valid. The Autodiscover client will need to verify that the server certificate date is valid.
Page 17 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Note – In case that you want to read more detailed information about the subject of Autodiscover, security mechanism and certificates, read the article: Autodiscover process and Exchange security infrastructure | Part 20#36 Step 17/20: Analyzing the data from the ExRCA connectivity test In the Microsoft Remote Connectivity Analyzer result page, we can see information about the three different tests that the Autodiscover client performs to the public certificate that was sent by the server: 1. Validating the certificate name. The client verifies that the server certificate includes the server FQDN or the server domain name. The certificate name was validated successfully. Hostname pod51049.outlook.com was found in the Certificate Subject Alternative Name entry.
Page 18 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 2. Validating the certificate trust. The client verifies the trust chain that appears in the server certificate. Certificate trust is being validated. The certificate is trusted, and all certificates are present in the chain. The Microsoft Connectivity Analyzer is attempting to build certificate chains for the certificate CN=outlook.com, OU=Exchange, O=Microsoft Corporation, L=Redmond, S=Washington, C=US. One or more certificate chains were constructed successfully. 3. Verify that the certificate date is valid. The client verifies that the server certificate is still valid and was not expired. In our example, the test complete successfully. Testing the certificate date to confirm the certificate is valid. Date validation passed. The certificate hasn’t expired. The certificate is valid. NotBefore = 7/24/2014 6:34:15 PM, NotAfter = 7/23/2016 6:34:15 PM
Page 19 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 18/20: Checking the IIS configuration for client certificate authentication The Autodiscover client, check if the destination host (the Autodiscover Endpoint) needs a client certificate. A client certificate, is a method in which the client can prove his identity. Step 18/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover client asks the server id he needs a client certificate; the server replies that he doesn’t need a client side certificate. Checking the IIS configuration for client certificate authentication. Client certificate authentication wasn’t detected. Accept/Require Client Certificates isn’t configured.
Page 20 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 19/20: Providing user credentials After the certificate validation, test was successfully completed and the Autodiscover client can “trust” the destination host, the Autodiscover client will also need to prove his identity. The Autodiscover client will identify himself by providing a user’s credentials” (User name + password). Note – the part of “providing user credentials “doesn’t appear in the ExRCA results. Step 20/20: Attempting to send an Autodiscover POST request to potential Autodiscover URLs. This is the “the last station” of the Autodiscover client journey.
Page 21 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 In our specific scenario, the host pod51049.outlook.com is the Office 365 Public facing Exchange server that will provide the Autodiscover client the required Autodiscover information, the Autodiscover information that is needed for creating a new Outlook mail profile, information about the available Exchange CAS server web services and enable the mail client to access his Office 365 mailboxes.
Page 22 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 20/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see the Autodiscover steps in which the Autodiscover client reaches his final destination. The Autodiscover addresses the Potential Autodiscover Endpoint by using the URL address –https://pod51049.outlook.com/Autodiscover/Autodiscover.xml and send a “Post request” asking for the Autodiscover information. The Potential Autodiscover Endpoint (Exchange Online CAS server) accepts the request and sends Autodiscover response to his client. The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://pod51049.outlook.com/Autodiscover/Autodiscover.xml for user bob@o365info.com The Autodiscover XML response was successfully retrieved. The Autodiscover response content The Autodiscover response includes tons of information. We will not review each of the “sections” that include in the Autodiscover responds, but just as an example, we can see a couple of details that include in the Autodiscover respond file:
Page 23 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 1. The Autodiscover Exchange provider (number 1). The exchange CAS server includes a couple of Outlook providers. The Autodiscover information includes a dedicated section for each of this provider. In our example, we took a screenshot of the part that includes the information for the EXCH provider – <Type>EXCH</Type> Note – If you need more detailed information about the Exchange Outlook providers, read the article – The content of the Autodiscover server response | Part 11#36 2. The “name” of the Exchange Online CAS server The Exchange Online infrastructure is built on the Exchange 2013 version. In the Exchange 2013 environment, the mail client doesn’t use the Exchange CAS server name but instead, the Autodiscover client gets a “session id” that serves as an “address” for the mail client. In our example, we can see the information about the “session address” that is provided to the mail client. <Server>e2437a8c-a37f-4e6a-bccd-26a71abd2543@o365info.com</Server> The Autodiscover response includes a detailed information about each of the Exchange CAS server web services that are “offered” to his clients. In the following example, we can see the information about the available services: 1. Availability services (FreeBusy time) (number 2). The URL address that the Outlook client is instructed to use is: <ASUrl>https://outlook.office365.com/EWS/Exchange.asmx</ASUrl> 2. Automatic reply (Out of office) services (number 3). The URL address that the Outlook client is instructed to use is: <OOFUrl>https://ex01.o365info.local/ews/exchange.asmx</OOFUrl> 3. Off line address book (number 4). The URL address that the Outlook client is instructed to use is:
Page 24 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 <OABUrl>https://outlook.office365.com/OAB/226ce079-2845-4fac-be53- 6ccebb70c82a/</OABUrl>

More Related Content

PPTX
Oauth 2.0 security
vinoth kumar
 
PPTX
Box connector
Thang Loi
 
PPTX
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Codemotion
 
PPTX
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
PPTX
API Security - Null meet
vinoth kumar
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
PPTX
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
Stuart
 
PDF
Serverless microservices: Test smarter, not harder
DiUS
 
Oauth 2.0 security
vinoth kumar
 
Box connector
Thang Loi
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Codemotion
 
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
API Security - Null meet
vinoth kumar
 
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
Stuart
 
Serverless microservices: Test smarter, not harder
DiUS
 

What's hot (20)

PDF
Getting Started with FIDO2
FIDO Alliance
 
PDF
Securing APIs with OAuth 2.0
Kai Hofstetter
 
PDF
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
PDF
OAuth 2.0
Uwe Friedrichsen
 
PPTX
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Will Tran
 
PDF
Single Sign On with OAuth and OpenID
Gasperi Jerome
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
 
PDF
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
PDF
Stateless authentication for microservices
Alvaro Sanchez-Mariscal
 
PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PDF
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
PPTX
OAuth2 + API Security
Amila Paranawithana
 
PDF
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
ODP
OAuth2 - Introduction
Knoldus Inc.
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
PDF
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
PPTX
REST Service Authetication with TLS & JWTs
Jon Todd
 
PDF
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
 
PDF
What the Heck is OAuth and Open ID Connect? - UberConf 2017
Matt Raible
 
PDF
OAuth - Open API Authentication
leahculver
 
Getting Started with FIDO2
FIDO Alliance
 
Securing APIs with OAuth 2.0
Kai Hofstetter
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
OAuth 2.0
Uwe Friedrichsen
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Will Tran
 
Single Sign On with OAuth and OpenID
Gasperi Jerome
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
 
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
Stateless authentication for microservices
Alvaro Sanchez-Mariscal
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
OAuth2 + API Security
Amila Paranawithana
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
OAuth2 - Introduction
Knoldus Inc.
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
REST Service Authetication with TLS & JWTs
Jon Todd
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
Matt Raible
 
OAuth - Open API Authentication
leahculver
 
Ad

Viewers also liked (17)

PPT
Ашманов И.С. (2013.04.24) - Информационный суверенитет - новая реальность
mediamera
 
PDF
Should i use a single namespace for exchange infrastructure part 1#2 part ...
Eyal Doron
 
PPT
Величко М.В. (2012) — Территориальные инновации, их внедрение и кадровое обе...
mediamera
 
PDF
Exchange 2013 coexistence environment and the Exchange legacy infrastructure ...
Eyal Doron
 
PDF
WordPressでサイト作るときに始めにやっておきたいこと~パーマリンク編~
Akinori Tateyama
 
PDF
Boletim informativo - janeiro
bibliotecasjuliomartins
 
PPT
Chocolate Games
Desi Puspitasariku
 
PPT
IND-2012-333 SBS Ramsar Kalau  - Right to Education
designforchangechallenge
 
PDF
IND-2012-299 Alok Bharati Public School -Golden Hour
designforchangechallenge
 
PDF
Bottling sunshine
designforchangechallenge
 
PDF
The checklist for preparing your Exchange 2007 infrastructure for Exchange 20...
Eyal Doron
 
PDF
De-list your organization from a blacklist | My E-mail appears as spam | Part...
Eyal Doron
 
PPTX
Plivo OSDC FR 2012
mricordeau
 
PDF
PATHS system architecture
pathsproject
 
PDF
Semantic Hand-Tagging of the SenSem Corpus Using Spanish WordNet Senses
pathsproject
 
PDF
WordPressをカスタマイズするなら知っておきたいこと~テンプレート階層~
Akinori Tateyama
 
PDF
Presentación Drupal Commerce en OpenExpo Ecommerce
OpenExpo
 
Ашманов И.С. (2013.04.24) - Информационный суверенитет - новая реальность
mediamera
 
Should i use a single namespace for exchange infrastructure part 1#2 part ...
Eyal Doron
 
Величко М.В. (2012) — Территориальные инновации, их внедрение и кадровое обе...
mediamera
 
Exchange 2013 coexistence environment and the Exchange legacy infrastructure ...
Eyal Doron
 
WordPressでサイト作るときに始めにやっておきたいこと~パーマリンク編~
Akinori Tateyama
 
Boletim informativo - janeiro
bibliotecasjuliomartins
 
Chocolate Games
Desi Puspitasariku
 
IND-2012-333 SBS Ramsar Kalau  - Right to Education
designforchangechallenge
 
IND-2012-299 Alok Bharati Public School -Golden Hour
designforchangechallenge
 
Bottling sunshine
designforchangechallenge
 
The checklist for preparing your Exchange 2007 infrastructure for Exchange 20...
Eyal Doron
 
De-list your organization from a blacklist | My E-mail appears as spam | Part...
Eyal Doron
 
Plivo OSDC FR 2012
mricordeau
 
PATHS system architecture
pathsproject
 
Semantic Hand-Tagging of the SenSem Corpus Using Spanish WordNet Senses
pathsproject
 
WordPressをカスタマイズするなら知っておきたいこと~テンプレート階層~
Akinori Tateyama
 
Presentación Drupal Commerce en OpenExpo Ecommerce
OpenExpo
 
Ad

Similar to Autodiscover flow in an office 365 environment part 3#3 part 31#36 (20)

PDF
Autodiscover flow in an exchange on premises environment non-active director...
Eyal Doron
 
PDF
Autodiscover flow in an exchange on premises environment non-active director...
Eyal Doron
 
PDF
The autodiscover algorithm for locating the source of information part 05#36
Eyal Doron
 
PPTX
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?
Scott Hoag
 
PPTX
Indianapolis mule soft_meetup_30_jan_2021 (1)
ikram_ahamed
 
PDF
Microsoft AZ-204 Exam Dumps
Study Material
 
PPTX
SPSLisbon 2017 Office 365 Multi-factor Authentication with Microsoft Azure Ac...
Nuno Árias Silva
 
DOC
Certification authority
proser tech
 
PDF
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
PDF
Cisco Connect Halifax 2018 cloud and on premises collaboration security exp...
Cisco Canada
 
PDF
Info On All Certificates
Pedro Santos
 
PPTX
Hybrid Identity Made Simple - Microsoft World Partner Conference 2016 Follow Up
Nicole Bray
 
PPTX
TugaIT 2017 Office 365 Multi-factor authentication with Microsoft Azure Activ...
Nuno Árias Silva
 
PPTX
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
Scott Hoag
 
PDF
Authentication With Captive Portal
Wavecrest Computing
 
PPTX
What's new in Azure Active Directory and what's coming new ?
Vignesh Ganesan I Microsoft MVP
 
PDF
Cisco connect winnipeg 2018 cloud and on premises collaboration security ex...
Cisco Canada
 
PPTX
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
Scott Hoag
 
PDF
Sp 29 two_factor_auth_guide
Hai Nguyen
 
PDF
Cloud and On Premises Collaboration Security Explained
Cisco Canada
 
Autodiscover flow in an exchange on premises environment non-active director...
Eyal Doron
 
Autodiscover flow in an exchange on premises environment non-active director...
Eyal Doron
 
The autodiscover algorithm for locating the source of information part 05#36
Eyal Doron
 
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?
Scott Hoag
 
Indianapolis mule soft_meetup_30_jan_2021 (1)
ikram_ahamed
 
Microsoft AZ-204 Exam Dumps
Study Material
 
SPSLisbon 2017 Office 365 Multi-factor Authentication with Microsoft Azure Ac...
Nuno Árias Silva
 
Certification authority
proser tech
 
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
Cisco Connect Halifax 2018 cloud and on premises collaboration security exp...
Cisco Canada
 
Info On All Certificates
Pedro Santos
 
Hybrid Identity Made Simple - Microsoft World Partner Conference 2016 Follow Up
Nicole Bray
 
TugaIT 2017 Office 365 Multi-factor authentication with Microsoft Azure Activ...
Nuno Árias Silva
 
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
Scott Hoag
 
Authentication With Captive Portal
Wavecrest Computing
 
What's new in Azure Active Directory and what's coming new ?
Vignesh Ganesan I Microsoft MVP
 
Cisco connect winnipeg 2018 cloud and on premises collaboration security ex...
Cisco Canada
 
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
Scott Hoag
 
Sp 29 two_factor_auth_guide
Hai Nguyen
 
Cloud and On Premises Collaboration Security Explained
Cisco Canada
 

More from Eyal Doron (20)

PPTX
How to simulate spoof e mail attack and bypass spf sender verification - 2#2
Eyal Doron
 
PDF
How does sender verification work how we identify spoof mail) spf, dkim dmar...
Eyal Doron
 
PDF
Dealing with the threat of spoof and phishing mail attacks part 6#9 | Eyal ...
Eyal Doron
 
PDF
Why our mail system is exposed to spoof and phishing mail attacks part 5#9 |...
Eyal Doron
 
PDF
What is the meaning of mail phishing attack in simple words part 4#9 | Eyal...
Eyal Doron
 
PDF
What is so special about spoof mail attack part 3#9 | Eyal Doron | o365info.com
Eyal Doron
 
PDF
What are the possible damages of phishing and spoofing mail attacks part 2#...
Eyal Doron
 
PDF
Dealing with a spoof mail attacks and phishing mail attacks a little story ...
Eyal Doron
 
PDF
Exchange In-Place eDiscovery & Hold | Introduction | 5#7
Eyal Doron
 
PDF
Mail migration to office 365 measure and estimate mail migration throughput...
Eyal Doron
 
PDF
Mail migration to office 365 factors that impact mail migration performance...
Eyal Doron
 
PDF
Mail migration to office 365 optimizing the mail migration throughput - par...
Eyal Doron
 
PDF
Mail migration to office 365 mail migration methods - part 1#4
Eyal Doron
 
PDF
Smtp relay in office 365 environment troubleshooting scenarios - part 4#4
Eyal Doron
 
PDF
Stage migration, exchange and autodiscover infrastructure part 1#2 part 35#36
Eyal Doron
 
PDF
Autodiscover flow in an exchange hybrid environment part 1#3 part 32#36
Eyal Doron
 
PDF
Autodiscover flow in an exchange on premises environment non-active director...
Eyal Doron
 
PDF
Outlook test e mail auto configuration autodiscover troubleshooting tools p...
Eyal Doron
 
PDF
Microsoft remote connectivity analyzer (exrca) autodiscover troubleshooting ...
Eyal Doron
 
PDF
Microsoft connectivity analyzer (mca) autodiscover troubleshooting tools pa...
Eyal Doron
 
How to simulate spoof e mail attack and bypass spf sender verification - 2#2
Eyal Doron
 
How does sender verification work how we identify spoof mail) spf, dkim dmar...
Eyal Doron
 
Dealing with the threat of spoof and phishing mail attacks part 6#9 | Eyal ...
Eyal Doron
 
Why our mail system is exposed to spoof and phishing mail attacks part 5#9 |...
Eyal Doron
 
What is the meaning of mail phishing attack in simple words part 4#9 | Eyal...
Eyal Doron
 
What is so special about spoof mail attack part 3#9 | Eyal Doron | o365info.com
Eyal Doron
 
What are the possible damages of phishing and spoofing mail attacks part 2#...
Eyal Doron
 
Dealing with a spoof mail attacks and phishing mail attacks a little story ...
Eyal Doron
 
Exchange In-Place eDiscovery & Hold | Introduction | 5#7
Eyal Doron
 
Mail migration to office 365 measure and estimate mail migration throughput...
Eyal Doron
 
Mail migration to office 365 factors that impact mail migration performance...
Eyal Doron
 
Mail migration to office 365 optimizing the mail migration throughput - par...
Eyal Doron
 
Mail migration to office 365 mail migration methods - part 1#4
Eyal Doron
 
Smtp relay in office 365 environment troubleshooting scenarios - part 4#4
Eyal Doron
 
Stage migration, exchange and autodiscover infrastructure part 1#2 part 35#36
Eyal Doron
 
Autodiscover flow in an exchange hybrid environment part 1#3 part 32#36
Eyal Doron
 
Autodiscover flow in an exchange on premises environment non-active director...
Eyal Doron
 
Outlook test e mail auto configuration autodiscover troubleshooting tools p...
Eyal Doron
 
Microsoft remote connectivity analyzer (exrca) autodiscover troubleshooting ...
Eyal Doron
 
Microsoft connectivity analyzer (mca) autodiscover troubleshooting tools pa...
Eyal Doron
 

Recently uploaded (20)

PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Approach and Philosophy of On baking technology
30anthuong17
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Encapsulation theory and applications.pdf
gurumoop
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Teaching material agriculture food technology
LiaRayya
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Cloud computing and distributed systems.
kkkkkhan
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 

Autodiscover flow in an office 365 environment part 3#3 part 31#36

  • 1. Page 1 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 The current article is the continuation of the previous article, in which we review the Autodiscover flow that is implemented in an Office 365 based environment, by using the Microsoft web based tool, the Microsoft Remote Connectivity Analyzer (ExRCA). Autodiscover flow in an Office 365 environment | The article series The current article is the third article in a series of three articles. The additional articles in the series are:  Autodiscover flow in an Office 365 environment | Part 1#3 | Part 29#36  Autodiscover flow in an Office 365 environment | Part 2#3 | Part 30#36
  • 2. Page 2 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 7/20: Attempting to resolve the host name autodiscover- s.outlook.com in DNS. In this step, the Autodiscover client query the DNS server for the IP address of a host named –autodiscover-s.outlook.com In case that you are wondering from where the Autodiscover client gets this hostname, the answer is- from the URL address that was sent to him in the HTTP redirection response. Step 7/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see the Autodiscover client address the DNS server looking for the IP address of the host – autodiscover-s.outlook.com The host name resolved successfully. IP addresses returned: 157.56.241.102, 157.56.245.166, 157.56.232.166, 157.56.245.70, 157.56.236.214, 157.56.236.6 Step 8/20: Testing TCP port 443 on the host autodiscover- s.outlook.com to ensure it’s listening and open.
  • 3. Page 3 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 The Autodiscover client will try to verify if the potential Autodiscover Endpoint is listing on port 443 (HTTPS). In our scenario, the HTTPS communication test succeeded, meaning that the destination host (the Autodiscover Endpoint) supports HTTPS communication. Note – 1. The fact that the “destination host” support HTTPS protocol doesn’t necessarily mean that the host is “right Exchange server” that can provide the required Autodiscover information. 2. Even in case that the “destination host” support the HTTPS protocol + the “destination host” is a valid Exchange server, it doesn’t mean that he can provide the required Autodiscover information. In our scenario, we will soon see that the “destination host” is not the “end of the journey” and he will not provide the Autodiscover client the required Autodiscover response but instead, an HTTPS redirection message. Step 8/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover client tries to verify if the host –autodiscover-s.outlook.com, can communicate using TCP port 443. Testing TCP port 443 on host autodiscover-s.outlook.com to ensure it’s listening and open: The port was opened successfully.
  • 4. Page 4 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 9/20: Attempting to obtain the SSL certificate from the remote server autodiscover-s.outlook.com on port 443 The Autodiscover “relationships” between the Autodiscover client and the Autodiscover Endpoint is built on a “trust concept”. The first phase is the step in which the Autodiscover client will need to trust the Autodiscover Endpoint and in the second phase, the Autodiscover Endpoint will need also to “trust” the Autodiscover client. The “trust” begins with the step, in which the Autodiscover Endpoint, needs to prove his identity. To be able to verify the Autodiscover Endpoint identity, the Autodiscover client will ask from the Autodiscover Endpoint to send him his public certificate. Step 9/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover client asks from the host –autodiscover-s.outlook.com to send his certificate.
  • 5. Page 5 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 The server sends his certificate and, in the result, we can see the details of the certificate: The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate. Remote Certificate Subject: CN=outlook.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US, Issuer: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US. Step 10/20: Testing the autodiscover-s.outlook.com SSL certificate to make sure it’s valid. The certificate validation test which the Autodiscover client performs includes three distinct different parts.
  • 6. Page 6 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 1. Validating the certificate name The Autodiscover client addresses the potential Autodiscover Endpoint using the host name-autodiscover-s.outlook.com To be able to know a specific host is “reliable”, Autodiscover client will check if the certificate includes the specified host name (autodiscover-s.outlook.com) or in a wildcard certificate scenario, the domain name – *.outlook.com 2. Validating the certificate trust The public certificate that the server provide was created by a CA (certificate authority). The Autodiscover client will need to also to validate the identity of the certificate authority that provides the server his certificate. 3. Verify that the certificate date is valid. The Autodiscover client will need to verify that the server certificate date is valid. Note – In case that you want to read more detailed information about the subject of Autodiscover, security mechanism and certificates, read the article: Autodiscover process and Exchange security infrastructure | Part 20#36
  • 7. Page 7 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 10/20: Analyzing the data from the ExRCA connectivity test In the Microsoft Remote Connectivity Analyzer result page, we can see information about the three different tests that the Autodiscover client performs to the public certificate that was sent by the server: 1. Validating the certificate name The Autodiscover client, verify that the server certificate includes the server FQDN or the server domain name. The certificate name was validated successfully. Hostname autodiscover-s.outlook.com was found in the Certificate Subject Alternative Name entry.
  • 8. Page 8 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 2. Validating the certificate trust  The Autodiscover client verifies the trust chain that appears in the server certificate.  The Autodiscover client successfully manages to verify the trust chain. The certificate is trusted, and all certificates are present in the chain. The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=outlook.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US. One or more certificate chains were constructed successfully. 3. Verify that the certificate date is valid. The Autodiscover client verifies that the server certificate is still valid and was not expired. In our example, the test complete successfully meaning the server certificate is valid. Testing the certificate date to confirm the certificate is valid. Date validation passed. The certificate hasn’t expired. The certificate is valid. NotBefore = 2/18/2014 11:41:01 PM, NotAfter = 2/18/2016 11:41:01 PM
  • 9. Page 9 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 11/20: Checking the IIS configuration for client certificate authentication. The “trust channel” between the Autodiscover client and the Autodiscover Endpoint, is built on the ability of each party to prove his identity. In the former section, the Autodiscover client managed to successfully verify the server’s identity. Now, we are getting to the second part, in which the Autodiscover client will need to prove his identity to the server for getting the required Autodiscover information. The Autodiscover client, verify if the destination host (the Autodiscover Endpoint) needs a client certificate. (A client certificate, is a method in which the client can prove his identity). The use of a client certificate is very rare and, most of the time, the way that the client uses for “proof his identity” is by providing a user’s credentials. Step 11/20: Analyzing the data from the ExRCA connectivity test In the Microsoft Remote Connectivity Analyzer result page, we can see that
  • 10. Page 10 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015  The Autodiscover client asks the server if a client certificate is required.  The server replies that he doesn’t need a client side certificate. Checking the IIS configuration for client certificate authentication. Client certificate authentication wasn’t detected. Accept/Require Client Certificates isn’t configured. Step 12/20: Providing user credentials to the Autodiscover Endpoint The Autodiscover proves his identity by providing a user’s credentials” (user name + password). Note – the part of “providing user credentials“, doesn’t appear in the Microsoft Remote Connectivity Analyzer result page Step 13/20: Attempting to send an Autodiscover POST request to potential Autodiscover URLs
  • 11. Page 11 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Autodiscover client “think” that the host – autodiscover-s.outlook.com is a potential Autodiscover Endpoint and for this reason, the Autodiscover client creates a request for the Autodiscover information. Note that the term that is used for describing the Autodiscover Endpoint is – “a potential Autodiscover Endpoint”. The word “potential”, tell us that the Autodiscover client is aware of the fact that the host he is addressing, could be the final node or a node that will redirect him to additional Autodiscover Endpoint. In our scenario, the “answer” that the host autodiscover-s.outlook.com provide include a redirection message that redirects the Autodiscover client to additional potential Autodiscover Endpoint named – pod51049.outlook.com Step 13/20: Analyzing the data from the ExRCA connectivity test On the ExRCA result page, we can see the following information about the process: The Autodiscover client, address the Autodiscover Endpoint and ask for the Autodiscover response. The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from the URL – https://autodiscover-
  • 12. Page 12 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 s.outlook.com/Autodiscover/Autodiscover.xml for user Bob@o365info.com The Autodiscover XML response was successfully retrieved. However, instead of getting the required Autodiscover information, the Autodiscover client gets a redirection answer to additional host: An HTTPS redirect was received in response to the Autodiscover request. The redirect URL ishttps://pod51049.outlook.com/Autodiscover/Autodiscover.xml. Step 14/20: Attempting to resolve the host name pod51049.outlook.com in DNS To be able to reach the host named – pod51049.outlook.com, the Autodiscover client will need to get information about the IP address of the specific host. Autodiscover connects a DNS server and asks for the IP address on – pod51049.outlook.com
  • 13. Page 13 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 14/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover address, the DNS server and the DNS server reply by providing a list of IP addresses (IP address that are mapped to the host name). Attempting to resolve the host name pod51049.outlook.com in DNS. The host name resolved successfully. IP addresses returned: 132.245.229.146, 132.245.226.34, 157.56.251.217, 157.56.255.60, 132.245.210.9, 132.245.212.98, 157.56.250.66, 157.56.254.178, 2a01:111:f400:803c::2 Step 15/20: Testing TCP port 443 on host pod51049.outlook.com to ensure it’s listening and open. To be able to start the Autodiscover process with the potential Autodiscover Endpoint (pod51049.outlook.com), the Autodiscover client needs to verify that the destination host can communicate using the HTTPS protocol.
  • 14. Page 14 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 15/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover client tries to verify of the destination host can communicate using HTTPS and that the test was successfully completed, meaning the destination host is listing the communication requests that are sent to port 443. Testing TCP port 443 on host pod51049.outlook.com to ensure it’s listening and open. The port was opened successfully. Step 16/20: Asking from the potential Autodiscover Endpoint to provide a public server certificate The Autodiscover client needs to be sure, that the destination host can be trusted. For this reason, the Autodiscover client asks for the destination host (pod51049.outlook.com) to prove his identity by providing a public certificate.
  • 15. Page 15 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 16/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover client asks for the host – pod51049.outlook.com to send his certificate. The server sends his certificate and, in the result, we can see the details of the certificate: The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server pod51049.outlook.com on port 443. The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate. Step 17/20: Testing the pod51049.outlook.com SSL certificate to make sure it’s valid. The certificate validation test which the Autodiscover client performs, includes three different parts.
  • 16. Page 16 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 1. Validating the certificate name The Autodiscover client addresses the potential Autodiscover Endpoint using the host name-pod51049.outlook.com To be able to know a specific host is “reliable”, Autodiscover client will check if the certificate includes the specified host name (pod51049.outlook.com) or in a wildcard certificate scenario, the domain name – *.outlook.com 2. Validating the certificate trust. The public certificate that the server provide was created by a CA (certificate authority). The Autodiscover client, will need to also to validate the identity of the certificate authority who provides the server his certificate. 3.Verify that the certificate date is valid. The Autodiscover client will need to verify that the server certificate date is valid.
  • 17. Page 17 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Note – In case that you want to read more detailed information about the subject of Autodiscover, security mechanism and certificates, read the article: Autodiscover process and Exchange security infrastructure | Part 20#36 Step 17/20: Analyzing the data from the ExRCA connectivity test In the Microsoft Remote Connectivity Analyzer result page, we can see information about the three different tests that the Autodiscover client performs to the public certificate that was sent by the server: 1. Validating the certificate name. The client verifies that the server certificate includes the server FQDN or the server domain name. The certificate name was validated successfully. Hostname pod51049.outlook.com was found in the Certificate Subject Alternative Name entry.
  • 18. Page 18 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 2. Validating the certificate trust. The client verifies the trust chain that appears in the server certificate. Certificate trust is being validated. The certificate is trusted, and all certificates are present in the chain. The Microsoft Connectivity Analyzer is attempting to build certificate chains for the certificate CN=outlook.com, OU=Exchange, O=Microsoft Corporation, L=Redmond, S=Washington, C=US. One or more certificate chains were constructed successfully. 3. Verify that the certificate date is valid. The client verifies that the server certificate is still valid and was not expired. In our example, the test complete successfully. Testing the certificate date to confirm the certificate is valid. Date validation passed. The certificate hasn’t expired. The certificate is valid. NotBefore = 7/24/2014 6:34:15 PM, NotAfter = 7/23/2016 6:34:15 PM
  • 19. Page 19 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 18/20: Checking the IIS configuration for client certificate authentication The Autodiscover client, check if the destination host (the Autodiscover Endpoint) needs a client certificate. A client certificate, is a method in which the client can prove his identity. Step 18/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see that the Autodiscover client asks the server id he needs a client certificate; the server replies that he doesn’t need a client side certificate. Checking the IIS configuration for client certificate authentication. Client certificate authentication wasn’t detected. Accept/Require Client Certificates isn’t configured.
  • 20. Page 20 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 19/20: Providing user credentials After the certificate validation, test was successfully completed and the Autodiscover client can “trust” the destination host, the Autodiscover client will also need to prove his identity. The Autodiscover client will identify himself by providing a user’s credentials” (User name + password). Note – the part of “providing user credentials “doesn’t appear in the ExRCA results. Step 20/20: Attempting to send an Autodiscover POST request to potential Autodiscover URLs. This is the “the last station” of the Autodiscover client journey.
  • 21. Page 21 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 In our specific scenario, the host pod51049.outlook.com is the Office 365 Public facing Exchange server that will provide the Autodiscover client the required Autodiscover information, the Autodiscover information that is needed for creating a new Outlook mail profile, information about the available Exchange CAS server web services and enable the mail client to access his Office 365 mailboxes.
  • 22. Page 22 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 Step 20/20: Analyzing the data from the ExRCA connectivity test In the ExRCA result page, we can see the Autodiscover steps in which the Autodiscover client reaches his final destination. The Autodiscover addresses the Potential Autodiscover Endpoint by using the URL address –https://pod51049.outlook.com/Autodiscover/Autodiscover.xml and send a “Post request” asking for the Autodiscover information. The Potential Autodiscover Endpoint (Exchange Online CAS server) accepts the request and sends Autodiscover response to his client. The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://pod51049.outlook.com/Autodiscover/Autodiscover.xml for user bob@o365info.com The Autodiscover XML response was successfully retrieved. The Autodiscover response content The Autodiscover response includes tons of information. We will not review each of the “sections” that include in the Autodiscover responds, but just as an example, we can see a couple of details that include in the Autodiscover respond file:
  • 23. Page 23 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 1. The Autodiscover Exchange provider (number 1). The exchange CAS server includes a couple of Outlook providers. The Autodiscover information includes a dedicated section for each of this provider. In our example, we took a screenshot of the part that includes the information for the EXCH provider – <Type>EXCH</Type> Note – If you need more detailed information about the Exchange Outlook providers, read the article – The content of the Autodiscover server response | Part 11#36 2. The “name” of the Exchange Online CAS server The Exchange Online infrastructure is built on the Exchange 2013 version. In the Exchange 2013 environment, the mail client doesn’t use the Exchange CAS server name but instead, the Autodiscover client gets a “session id” that serves as an “address” for the mail client. In our example, we can see the information about the “session address” that is provided to the mail client. <Server>e2437a8c-a37f-4e6a-bccd-26a71abd2543@o365info.com</Server> The Autodiscover response includes a detailed information about each of the Exchange CAS server web services that are “offered” to his clients. In the following example, we can see the information about the available services: 1. Availability services (FreeBusy time) (number 2). The URL address that the Outlook client is instructed to use is: <ASUrl>https://outlook.office365.com/EWS/Exchange.asmx</ASUrl> 2. Automatic reply (Out of office) services (number 3). The URL address that the Outlook client is instructed to use is: <OOFUrl>https://ex01.o365info.local/ews/exchange.asmx</OOFUrl> 3. Off line address book (number 4). The URL address that the Outlook client is instructed to use is:
  • 24. Page 24 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36 Written by Eyal Doron | o365info.com | Copyright © 2012-2015 <OABUrl>https://outlook.office365.com/OAB/226ce079-2845-4fac-be53- 6ccebb70c82a/</OABUrl>