
Autodiscover flow in Active Directory based environment | Part 15#36
http://o365info.com/autodiscover-flow-active-directory-based-environment-part-15-of-36

Reviewing the Autodiscover flow implemented by the Outlook client on the internal network, which enables the client to use the On-Premise Active Directory as its source of Autodiscover information. Eyal Doron | o365info.com

Page 1 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

Written by Eyal Doron | o365info.com | Copyright © 2012-2015

Autodiscover flow in Active Directory based environment | Part 15#36

In the following article, we look "under the hood" of the Autodiscover method that is implemented in an Active Directory-based environment. In such an environment, the process by which an Autodiscover client such as Outlook locates an available Autodiscover Endpoint is implemented by querying Active Directory as the source of information about available Autodiscover Endpoints (available Exchange servers).


The available Autodiscover methods

Generally speaking, there are two main Autodiscover methods:

1. Autodiscover in an Active Directory environment
2. Autodiscover methods in a non-Active Directory environment

When the user desktop on which the Outlook client is installed is configured as a domain member, Outlook starts the Autodiscover process by querying the local Active Directory.

If Active Directory cannot be located, the Outlook client "moves on" to the next Autodiscover method (we review this method in detail in the next article: Autodiscover flow in an Exchange on-Premises environment | non-Active Directory environment | Part 1#3 | Part 26#36).


Creating a new Outlook mail profile in a domain environment

One of the most prominent features of the Autodiscover process in an On-Premise Active Directory environment is that the process can be described as fully automated.

In a scenario in which the user desktop is configured as a domain member, the only thing required from a user who needs to create a new Outlook mail profile is to open Outlook.

After a very short time, all the required settings are automatically "delivered" to the Outlook client, and the user can access his mailbox, start reading his E-mail, and so on.


The only question is: how does this "magic" happen?

The answer is that Autodiscover was designed to simplify the process of getting the required information (configuration settings) from the "Autodiscover Endpoint", and this process is simplified even further in an On-Premise Active Directory environment.

In a non-Active Directory environment, when the user needs to create a new Outlook mail profile, the user is required to provide the following details:

1. User E-mail address
2. User credentials

In an Active Directory environment, the user doesn't need to provide any details because, in a domain environment, the process is based on the user's cached credentials.

1. Credentials (Username + Password)

In an Active Directory environment, because the user has already provided his credentials when logging in to the domain, these credentials are automatically sent to the Exchange On-Premise server. (The technical term is cached credentials or Access token.)


2. Provide the user email address

In a scenario in which the user is logged in to the organization domain, the user email address is automatically "pulled" or "extracted" from the On-Premise Active Directory user account. In other words, the user who creates the new Outlook mail profile doesn't need to provide his E-mail address.

3. Get the required configuration information from the Exchange server

The process in which Outlook gets the configuration information needed for creating the new Outlook mail profile also "happens automatically".

Outlook queries the local Active Directory and asks for a list of Exchange CAS servers. After getting the names of the existing Exchange servers, Outlook tries to connect to one Exchange server from the list.

As mentioned, the part in which the user would need to provide his E-mail address and user credentials to the Exchange server is implemented automatically.

After the Exchange server verifies the user identity and Outlook verifies the Exchange server's identity, Exchange sends the required configuration settings to the Outlook client using the Autodiscover.xml file.


On-Premise Active Directory as a source for information

One of the most noticeable advantages of Active Directory is that it serves as a "bulletin board" for its clients.

Servers that provide a specific service can register themselves in Active Directory and, by doing so, use Active Directory as a "board" for publishing that information.

Active Directory clients can address Active Directory (using an LDAP query) and ask for information about a specific service: which host provides the service, and so on.


In our scenario, the Exchange CAS server registers itself in Active Directory as an "entity" that can provide the Autodiscover service.

The On-Premise Active Directory allocates a dedicated location for this purpose (part of the On-Premise Active Directory configuration partition), using an object named SCP (Service Connection Point).

In the following diagram, we can see an example of this process.

Each time a new Exchange On-Premise server is installed, the Exchange On-Premise server accesses Active Directory and "reports about itself".


The term "Autodiscover client" usually means an Autodiscover client such as Outlook that needs to find an Autodiscover Endpoint for creating a new Outlook mail profile and for other purposes, but at the same time, the "Autodiscover client" can be "another Exchange server".

For example, consider a scenario in which an Exchange server in Active Directory Site A needs to get information that is "represented" by an Exchange CAS server in Active Directory Site B.


Physical location of the SCP (Service Connection Point)

To find the "physical path" of the SCP, we can use the Active Directory Sites and Services tool that is installed on each of the DC servers.

After enabling the "View Services Node" option from the "View" tab, we can see the physical path within the On-Premise Active Directory configuration partition.

The SCP object can be found in AD at the following path:

CN=exchangeserver,CN=Autodiscover,CN=Protocols,CN=exchangeserver,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=org name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com


Each of the Exchange CAS servers has an "Autodiscover folder", and the Autodiscover folder serves as a container for the Autodiscover Endpoint object (a specific Exchange CAS server).

To see the properties of a specific Autodiscover Endpoint (in our example, ex01), we can right-click the Exchange CAS server name and choose the Properties menu.


The property named ServiceBindingInformation holds the Autodiscover URL of the specific Exchange CAS server (described in the Phase 1 section below).

The property named Keywords contains the Active Directory site name of the specific Exchange CAS server.


Creating a new Outlook mail profile | The process behind the magic!

In the following section, we will analyze the Autodiscover process in an Active Directory environment.

Because of the Autodiscover method that is implemented in an Active Directory environment, the task of "creating a new Outlook mail profile" is a very simple task that can be performed by any user in a matter of seconds.


The real magic is that, behind the scenes, the "simple task" is "translated" into a complex and smart infrastructure that makes this process appear "simple and easy".

Task description

An organization user gets a new desktop; the user double-clicks the Outlook icon, and after a couple of seconds the Outlook profile is successfully created and the user can see his mail, send and receive mail, and so on.

In the following section, we will review the sequence of events that led to the above result.

Phase 1 – query the local Active Directory

The communication between the Autodiscover client and Active Directory is implemented using the LDAP protocol.

Step 1 – Client queries the local Active Directory


The Autodiscover client (Outlook) creates an LDAP query and addresses the local Active Directory, asking for a list of URL addresses of the existing Autodiscover Endpoints. In other words, a list of the available Exchange CAS servers.

Step 2 – Active Directory looks in the SCP objects for the value of an attribute named ServiceBindingInformation

Each Exchange CAS server SCP object in Active Directory contains its own, dedicated ServiceBindingInformation value.

The Exchange CAS server Autodiscover URL is implemented using the following format:

https://cas_server.domain/Autodiscover/Autodiscover.xml

The Exchange CAS server name is the internal Exchange server name (FQDN – Fully Qualified Domain Name).

In our example, the internal FQDN of the Exchange CAS server that was registered in the Active Directory SCP is ex01.o365info.com, and the Autodiscover URL will be:

https://ex01.o365info.com/autodiscover/autodiscover.xml

Additional information that Active Directory "returns" to the Autodiscover client is described as Keywords.

The "Keywords" contain information about the Exchange CAS server's Active Directory site name (the Active Directory site in which the Exchange CAS server resides).

When the Autodiscover client (Outlook) gets the list from Active Directory, the Autodiscover client will prefer to address the Exchange CAS server whose Active Directory site value is the same as the Active Directory site to which the Autodiscover client itself belongs.

This method, in which the Autodiscover client prefers to contact a specific Exchange CAS server over other Exchange CAS servers, is described as Site Affinity.


Phase 2 – query the local DNS server

Step 3 – The Autodiscover client needs to get the internal IP address of the Exchange CAS server. The Autodiscover client connects to the internal DNS server and, in our example, looks for the IP address of the host named ex01.o365info.local.

Step 4 – The DNS server replies (answers) to the DNS query and sends the internal IP address of the specified host name (192.168.1.10 in our example).

Phase 3 – Mutual verification process


In this phase, the client (Outlook) and the "server" (the Exchange CAS server) need to identify each other.

Step 5 – Outlook asks the Exchange CAS server to prove its identity by providing a certificate.

Step 6 – The Exchange CAS server sends its certificate to the client, and the client verifies the Exchange CAS server certificate.

Note – If you want to read more detailed information about the Autodiscover process, certificates and the secure communication link, read the article: Autodiscover process and Exchange security infrastructure | Part 20#36

Step 7 – If the Exchange certificate is "OK", the client sends its "identity" (user credentials) to the Exchange CAS server.

Step 8 – If the user credentials are correct, the process of mutual authentication and identification is completed.

Phase 4 – communicate with the Exchange CAS server using RPC or HTTP/S

Step 9 – The mail client (Outlook) asks the Autodiscover Endpoint (Exchange CAS server) for the Autodiscover information (the Autodiscover.xml file).


Step 10 – The Exchange server "generates" the configuration file based on the Outlook software version and saves it to a file named Autodiscover.xml.

Step 11 – The Outlook client gets the configuration file and creates a new Outlook mail profile that includes all the required configuration settings.

Autodiscover in the Active Directory environment | a diagram representation


In the following diagram, we can see a representation of the client's "decision-making table" that relates to the Autodiscover process.

We will not go into all the details of the diagram; instead, I will just recap and emphasize some parts of the Autodiscover process in an Active Directory environment.

Step 1 – The Autodiscover method is fully dependent on the information that is supposed to be registered in the SCP objects in Active Directory.


In other words, Active Directory is the "information source authority" that provides the Autodiscover client with information about available Autodiscover Endpoints.

Step 2 – If the Exchange organization includes more than one Exchange CAS server, the answer that the Autodiscover client gets includes a list of "optional Autodiscover Endpoints".

The Autodiscover client needs to implement some method for choosing the most "appropriate" Autodiscover Endpoint for it.

This method is described as "site affinity": the Autodiscover client will "prefer" an Autodiscover Endpoint that is located in the same Active Directory site as the client.

Note – The phrase "located in the same Active Directory site as the client" is not entirely accurate because, in some scenarios, we can "register" a specific Exchange CAS server as "belonging" to a specific Active Directory site while the Exchange CAS server is physically located in a different Active Directory site.

Step 3 and step 4.1 – When the Autodiscover client gets a list of available Autodiscover Endpoints, the client tries to communicate with the "first Autodiscover Endpoint"; if that Autodiscover Endpoint is not available, it "moves" to the next Autodiscover Endpoint in the list, and so on.
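The Phase 1 selection logic described above (SCP lookup, site affinity, and the walk through the endpoint list in steps 3 and 4.1), as an added example that is not code from the article or from Microsoft. The SCP records are constructed (only ex01.o365info.com comes from the article; EX02, EX03 and the site names HQ/Branch are invented), and it assumes the Keywords value carries the site as a "Site=<name>" string and that the LDAP search base is the Microsoft Exchange container of the configuration partition named in the article.

```python
"""Site affinity and failover over Autodiscover SCP records (added example)."""
from urllib.parse import urlsplit

# Constructed SCP records, shaped like the attributes the article names.
# Only ex01.o365info.com is taken from the article; the rest is invented.
SCP_RECORDS = [
    {"cn": "EX02",
     "serviceBindingInformation": ["https://ex02.o365info.com/autodiscover/autodiscover.xml"],
     "keywords": ["Site=Branch"]},
    {"cn": "EX01",
     "serviceBindingInformation": ["https://ex01.o365info.com/autodiscover/autodiscover.xml"],
     "keywords": ["Site=HQ"]},
    {"cn": "EX03",  # constructed: a mis-registered plain-HTTP endpoint
     "serviceBindingInformation": ["http://ex03.o365info.com/autodiscover/autodiscover.xml"],
     "keywords": ["Site=HQ"]},
]


def scp_ldap_query(domain_dn):
    """Step 1: search base and filter for the SCP objects under the configuration
    partition (the container path is the one the article shows)."""
    base = "CN=Microsoft Exchange,CN=Services,CN=Configuration," + domain_dn
    return base, "(objectClass=serviceConnectionPoint)"


def site_of(record):
    """Assumption: the AD site is published in Keywords as 'Site=<name>'."""
    for kw in record.get("keywords", []):
        if kw.startswith("Site="):
            return kw[len("Site="):]
    return None


def usable_url(url):
    """Keep only values that can carry the Phase 3 certificate check: HTTPS,
    a host name, and the Autodiscover.xml path the article describes."""
    p = urlsplit(url)
    return (p.scheme == "https" and bool(p.hostname)
            and p.path.lower().endswith("/autodiscover/autodiscover.xml"))


def order_endpoints(records, client_site):
    """Site affinity: same-site endpoints first, the others after, SCP order kept."""
    same, other = [], []
    for rec in records:
        for url in rec.get("serviceBindingInformation", []):
            if usable_url(url):
                (same if site_of(rec) == client_site else other).append(url)
    return same + other


def first_reachable(candidates, probe):
    """Steps 3 / 4.1: try endpoints in order, return the first one the probe
    accepts, or None when every endpoint in the list is unavailable."""
    for url in candidates:
        if probe(url):
            return url
    return None
```

`probe` stands in for the client's attempt to contact the endpoint; a real client would only pass an endpoint after the certificate check of Phase 3 succeeds.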


Steps 5.1, 5.2, 5.3 and step 6 are steps that need to be successfully completed before starting the phase in which the Autodiscover Endpoint provides the desired information to its Autodiscover client.


The Autodiscover client must be sure that the Autodiscover Endpoint can be trusted, and vice versa: the Autodiscover Endpoint must identify the Autodiscover client.

Step 7 – The Autodiscover Endpoint (Exchange CAS server) generates the required information (the Autodiscover response) and sends it to the Autodiscover client (Outlook).

Step 8 – This is the "happy end phase", in which the Outlook client "takes" the information and uses it to create a new Outlook mail profile.