The current article is the continuation of the previous article, in which we review the
Autodiscover flow that is implemented in an Office 365 based environment by
using the Microsoft web-based tool, the Microsoft Remote Connectivity Analyzer
(ExRCA).
Page 2 of 24 | Autodiscover flow in an Office 365 environment | Part 3#3 | Part 31#36
Step 7/20: Attempting to resolve the host name autodiscover-s.outlook.com in DNS.
In this step, the Autodiscover client queries the DNS server for the IP address of the
host named autodiscover-s.outlook.com.
In case you are wondering where the Autodiscover client gets this
host name from, the answer is: from the URL that was sent to it in the HTTP
redirection response.
Step 7/20: Analyzing the data from the ExRCA connectivity test
In the ExRCA result page, we can see that the Autodiscover client queries the DNS
server for the IP address of the host autodiscover-s.outlook.com.
The host name resolved successfully. IP addresses returned: 157.56.241.102,
157.56.245.166, 157.56.232.166, 157.56.245.70, 157.56.236.214, 157.56.236.6
Step 8/20: Testing TCP port 443 on the host autodiscover-s.outlook.com to ensure it's listening and open.
The Autodiscover client will try to verify whether the potential Autodiscover Endpoint is
listening on port 443 (HTTPS).
In our scenario, the HTTPS communication test succeeded, meaning that the
destination host (the Autodiscover Endpoint) supports HTTPS communication.
Note
1. The fact that the destination host supports the HTTPS protocol doesn't
necessarily mean that the host is the right Exchange server that can provide the
required Autodiscover information.
2. Even if the destination host supports the HTTPS protocol and the
destination host is a valid Exchange server, it doesn't mean that it can
provide the required Autodiscover information.
In our scenario, we will soon see that the destination host is not the end of the
journey: it will not provide the Autodiscover client with the required Autodiscover
response but, instead, an HTTPS redirection message.
Step 8/20: Analyzing the data from the ExRCA connectivity test
In the ExRCA result page, we can see that the Autodiscover client tries to verify whether
the host autodiscover-s.outlook.com can communicate using TCP port 443.
Testing TCP port 443 on host autodiscover-s.outlook.com to ensure it's listening
and open: The port was opened successfully.
Step 9/20: Analyzing the data from the ExRCA connectivity test
In the ExRCA result page, we can see that the Autodiscover client asks the host
autodiscover-s.outlook.com to send its certificate.
The server sends its certificate and, in the result, we can see the details of the
certificate:
The Microsoft Connectivity Analyzer successfully obtained the remote SSL
certificate.
Remote Certificate Subject: CN=outlook.com, OU=Microsoft Corporation,
O=Microsoft Corporation, L=Redmond, S=WA, C=US, Issuer: CN=Microsoft IT SSL
SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington,
C=US.
The certificate validation test that the Autodiscover client performs includes three
distinct parts.
Step 10/20: Analyzing the data from the ExRCA connectivity test
In the Microsoft Remote Connectivity Analyzer result page, we can see information
about the three different tests that the Autodiscover client performs on the public
certificate that was sent by the server:
1. Validating the certificate name
The Autodiscover client verifies that the server certificate includes the server FQDN
or the server domain name.
The certificate name was validated successfully.
Hostname autodiscover-s.outlook.com was found in the Certificate Subject
Alternative Name entry.
Step 11/20: Analyzing the data from the ExRCA connectivity test
In the Microsoft Remote Connectivity Analyzer result page, we can see that
Step 13/20: Analyzing the data from the ExRCA connectivity test
On the ExRCA result page, we can see the following information about the process:
The Autodiscover client addresses the Autodiscover Endpoint and asks for the
Autodiscover response.
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover
response from the URL https://autodiscover-
Step 14/20: Analyzing the data from the ExRCA connectivity test
In the ExRCA result page, we can see that the Autodiscover client addresses the DNS server
and the DNS server replies by providing a list of IP addresses (the IP addresses that are
mapped to the host name).
Attempting to resolve the host name pod51049.outlook.com in DNS. The host
name resolved successfully.
Step 15/20: Analyzing the data from the ExRCA connectivity test
In the ExRCA result page, we can see that the Autodiscover client tries to verify whether
the destination host can communicate using HTTPS and that the test was
successfully completed, meaning the destination host is listening for the communication
requests that are sent to port 443.
Testing TCP port 443 on host pod51049.outlook.com to ensure it's listening and
open. The port was opened successfully.
Step 16/20: Analyzing the data from the ExRCA connectivity test
In the ExRCA result page, we can see that the Autodiscover client asks the host
pod51049.outlook.com to send its certificate.
The server sends its certificate and, in the result, we can see the details of the
certificate:
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from
remote server pod51049.outlook.com on port 443. The Microsoft Connectivity
Analyzer successfully obtained the remote SSL certificate.
Note: If you want to read more detailed information about the subject of
Autodiscover, security mechanism and certificates, read the article: Autodiscover
process and Exchange security infrastructure | Part 20#36
Step 17/20: Analyzing the data from the ExRCA connectivity test
In the Microsoft Remote Connectivity Analyzer result page, we can see information
about the three different tests that the Autodiscover client performs on the public
certificate that was sent by the server:
1. Validating the certificate name.
The client verifies that the server certificate includes the server FQDN or the server
domain name.
The certificate name was validated successfully. Hostname pod51049.outlook.com
was found in the Certificate Subject Alternative Name entry.
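The certificate name test described in steps 10 and 17, as an added example that is not part of the original article or of ExRCA. It assumes the usual RFC 6125 matching rules (a wildcard covers exactly one left-most label); the function names and the SAN list are constructed for illustration.

```python
from typing import List, Optional


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a trailing dot is the root label.
    return name.rstrip(".").lower().split(".")


def san_entry_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against the host name the client connected to."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # The wildcard stands for exactly one label and is refused for
        # bare suffixes such as '*.com' (two fixed labels must follow it).
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards ('pod*.outlook.com') are not accepted.
    return "*" not in pattern and p == h


def validate_certificate_name(hostname: str, san_dns_names: List[str]) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None when no entry does."""
    for entry in san_dns_names:
        if san_entry_matches(entry, hostname):
            return entry
    return None


# Constructed SAN list, not the contents of the real certificate.
SAMPLE_SAN = ["outlook.com", "*.outlook.com", "*.mail.example.net", "*.com"]

if __name__ == "__main__":
    for host in ("autodiscover-s.outlook.com", "pod51049.outlook.com",
                 "a.b.outlook.com", "outlook.com.mail.example.net", "example.com"):
        print(f"{host:32} -> {validate_certificate_name(host, SAMPLE_SAN)}")
```

The name check says only that the certificate covers the host the client connected to; the other certificate tests and the content of the Autodiscover response are separate checks.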
Step 18/20: Analyzing the data from the ExRCA connectivity test
In the ExRCA result page, we can see that the Autodiscover client asks the server whether
it needs a client certificate; the server replies that it doesn't need a client-side
certificate.
Checking the IIS configuration for client certificate authentication. Client certificate
authentication wasn't detected. Accept/Require Client Certificates isn't configured.
In our specific scenario, the host pod51049.outlook.com is the Office 365 public-facing
Exchange server that will provide the Autodiscover client with the required
Autodiscover information: the information that is needed for creating
a new Outlook mail profile and information about the available Exchange CAS server
web services, which enables the mail client to access its Office 365 mailboxes.
Step 20/20: Analyzing the data from the ExRCA connectivity test
In the ExRCA result page, we can see the Autodiscover steps in which the
Autodiscover client reaches its final destination.
The Autodiscover client addresses the potential Autodiscover Endpoint by using the URL
https://pod51049.outlook.com/Autodiscover/Autodiscover.xml and sends a
POST request asking for the Autodiscover information.
The potential Autodiscover Endpoint (Exchange Online CAS server) accepts the
request and sends the Autodiscover response to its client.
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover
response from URL https://pod51049.outlook.com/Autodiscover/Autodiscover.xml
for user bob@o365info.com
The Autodiscover XML response was successfully retrieved.
The Autodiscover response content
The Autodiscover response includes a large amount of information.
We will not review each of the sections that are included in the Autodiscover response,
but just as an example, we can see a couple of details that are included in the
Autodiscover response file:
<OABUrl>https://outlook.office365.com/OAB/226ce079-2845-4fac-be536ccebb70c82a/</OABUrl>
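Because the URLs in the Autodiscover response decide where the mail client will later send requests, a response can be audited before it is used. The following is an added example, not code from the original article or from ExRCA; the sample XML is constructed, and the trusted host suffixes and function names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"o": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}
TRUSTED_SUFFIXES = ("outlook.com", "office365.com")  # assumption: hosts this tenant expects

# Constructed response; the second Protocol block is deliberately wrong.
SAMPLE_RESPONSE = """\
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account>
   <Protocol>
    <Type>EXCH</Type>
    <EwsUrl>https://outlook.office365.com/EWS/Exchange.asmx</EwsUrl>
    <OABUrl>https://outlook.office365.com/OAB/00000000-0000-0000-0000-000000000000/</OABUrl>
   </Protocol>
   <Protocol>
    <Type>EXPR</Type>
    <EwsUrl>http://outlook.office365.com/EWS/Exchange.asmx</EwsUrl>
    <OABUrl>https://outlook.com.mail.example.net/OAB/</OABUrl>
   </Protocol>
  </Account>
 </Response>
</Autodiscover>"""


def host_is_trusted(host):
    """True when host equals a trusted suffix or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def audit_autodiscover_urls(xml_text):
    """Return (protocol type, element, url, problem) for every URL that fails a check."""
    if "<!DOCTYPE" in xml_text:  # a response needs no DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in an Autodiscover response")
    findings = []
    for proto in ET.fromstring(xml_text).iterfind(".//o:Protocol", NS):
        ptype = proto.findtext("o:Type", default="?", namespaces=NS)
        for el in proto:
            tag, text = el.tag.split("}", 1)[-1], (el.text or "").strip()
            if not tag.endswith("Url") or not text:
                continue
            url = urlsplit(text)
            if url.scheme != "https":
                findings.append((ptype, tag, text, "not HTTPS"))
            elif not host_is_trusted(url.hostname):
                findings.append((ptype, tag, text, "unexpected host"))
    return findings
```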