implemented microsoft autodiscover v2 and secure autodiscover.xml
ClosedPublic

Authored by dhoffend on Feb 1 2020, 1:07 AM.
Tags
None
Referenced Files
F12287388: D931.id2218.diff
Tue, May 21, 7:58 AM
F12273417: D931.id2158.diff
Mon, May 20, 3:29 PM

Details

Summary

Added support for JSON-based Autodiscover v2, which currently only supports Protocol ActiveSync or redirects to the XML-based Autodiscover v1.

In addition, this change implements basic authentication for autodiscover.xml to support the autodiscover/authentication flow and protect user data (prevents email testing/scraping).

Diff Detail

Repository
rAC autoconf
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dhoffend created this revision.
  • autodiscover.xml now requires basic authentication

This helps the autodiscover process. With basic auth enabled on
autodiscover.xml URLs, the tested mobile clients no longer need to go
through the advanced settings page (tested on iOS).

This also protects the autodiscover service from leaking sensitive
information about existing users (showing display name) when using crafted
autodiscover requests with just a known email address and without proper
authentication.

dhoffend retitled this revision from implemented microsoft autodiscover v2 to implemented microsoft autodiscover v2 and secure autodiscover.xml. Feb 2 2020, 12:36 AM
dhoffend edited the summary of this revision. (Show Details)

Start an unauthenticated autodiscover request with a known email address

# curl -H 'Content-Type: text/xml' -X POST -d '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006">
>   <Request>
>     <EMailAddress>XXXXX@kolab.org</EMailAddress>
>     <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006a</AcceptableResponseSchema>
>   </Request>
> </Autodiscover>' https://kolabnow.com/autodiscover/autodiscover.xml

The response

<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
    <User>
      <DisplayName>Daniel Hoffend</DisplayName>
      <EMailAddress>XXXXX@kolab.org</EMailAddress>
    </User>
    <Action>
      <Settings>
        <Server>
          <Type>MobileSync</Type>
          <Url>https://apps.kolabnow.com/Microsoft-Server-ActiveSync</Url>
          <Name>https://apps.kolabnow.com/Microsoft-Server-ActiveSync</Name>
        </Server>
      </Settings>
    </Action>
  </Response>
</Autodiscover>

With an unknown email address, the DisplayName field stays empty.
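To make the two behaviours concrete, here is an added, offline model of such an endpoint in Python. It is not the autoconf project's code; the example.org hostnames, the single user record, its password, the request helper and the assumption that a real service would look accounts up in LDAP or IMAP are all constructed for the example. It shows the v2 JSON answer for Protocol=ActiveSync and Protocol=AutodiscoverV1 (the reply does not depend on whether the Email exists, so it cannot be used to test addresses), and a v1 autodiscover.xml handler that answers the unauthenticated probe above with a 401 Basic challenge instead of the DisplayName, and only answers for the account that actually authenticated.

```python
"""Offline model of an Autodiscover endpoint (added example, not the autoconf
project's code). It shows the two points of this revision:

  * v2 (JSON): answer Protocol=ActiveSync and Protocol=AutodiscoverV1, reject
    everything else, and never reveal whether the Email exists;
  * v1 (XML):  demand HTTP Basic auth before disclosing DisplayName, and only
    for the account that authenticated.

Hostnames, users, passwords and the request sample are constructed."""
import base64
import hmac
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs
from xml.sax.saxutils import escape

# Constructed directory; a real service would query LDAP/IMAP (assumption).
USERS = {"alice@example.org": {"display_name": "Alice Example", "password": "correct horse"}}
EAS_URL = "https://mail.example.org/Microsoft-Server-ActiveSync"
V1_URL = "https://mail.example.org/autodiscover/autodiscover.xml"

MS_REQ = "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006"
MS_RESP = "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006"
AD_RESP = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"


def autodiscover_v2(query_string):
    """GET /autodiscover/autodiscover.json?Email=...&Protocol=...
    Returns (status, headers, body). The reply depends only on Protocol, so an
    attacker cannot use it to test whether Email is a real account."""
    protocol = parse_qs(query_string).get("Protocol", [""])[0]
    json_hdr = {"Content-Type": "application/json"}
    if protocol.lower() == "activesync":
        return 200, json_hdr, json.dumps({"Protocol": "ActiveSync", "Url": EAS_URL})
    if protocol.lower() == "autodiscoverv1":  # client is sent to the XML v1 endpoint
        return 200, json_hdr, json.dumps({"Protocol": "AutodiscoverV1", "Url": V1_URL})
    return 400, json_hdr, json.dumps({
        "ErrorCode": "InvalidProtocol",
        "ErrorMessage": f"The given protocol value '{protocol}' is invalid. "
                        "Supported values are 'ActiveSync,AutodiscoverV1'"})


def basic_header(user, password):
    """Build an Authorization header value the way a mail client does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(headers):
    """Return the e-mail address proven by the Basic credentials, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    record = USERS.get(user.lower())
    # Always run the comparison, against a dummy for unknown users, so a timing
    # difference does not reintroduce the enumeration the auth gate removes.
    expected = record["password"] if record else "\0" * 32
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return user.lower() if ok and record else None


def autodiscover_v1(headers, body):
    """POST /autodiscover/autodiscover.xml -> (status, headers, body)."""
    user = authenticate(headers)
    if user is None:
        # The 401 challenge is also what lets a mobile client prompt for
        # credentials instead of sending the user to manual setup.
        return 401, {"WWW-Authenticate": 'Basic realm="Autodiscover"'}, ""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return 400, {}, ""
    email = (root.findtext(f"{{{MS_REQ}}}Request/{{{MS_REQ}}}EMailAddress") or "").strip().lower()
    if email != user:
        return 403, {}, ""  # a user may only discover settings for their own account
    name = USERS[email]["display_name"]
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<Autodiscover xmlns="{AD_RESP}">\n'
        f'  <Response xmlns="{MS_RESP}">\n'
        f'    <User><DisplayName>{escape(name)}</DisplayName>'
        f'<EMailAddress>{escape(email)}</EMailAddress></User>\n'
        '    <Action><Settings><Server><Type>MobileSync</Type>'
        f'<Url>{EAS_URL}</Url><Name>{EAS_URL}</Name></Server></Settings></Action>\n'
        '  </Response>\n</Autodiscover>\n')
    return 200, {"Content-Type": "text/xml"}, xml


def v1_request(email):
    """Constructed mobilesync request body, as sent by a client or the curl above."""
    return (f'<Autodiscover xmlns="{MS_REQ}"><Request><EMailAddress>{escape(email)}</EMailAddress>'
            f'<AcceptableResponseSchema>{MS_RESP}</AcceptableResponseSchema></Request></Autodiscover>')


if __name__ == "__main__":
    print(autodiscover_v2("Email=alice@example.org&Protocol=ActiveSync"))
    print(autodiscover_v1({}, v1_request("alice@example.org"))[:2])
    creds = {"Authorization": basic_header("alice@example.org", "correct horse")}
    print(autodiscover_v1(creds, v1_request("alice@example.org"))[2])
```

Run stand-alone, the script prints the v2 JSON answer, then the (401, WWW-Authenticate) pair the unauthenticated probe now gets, then the full XML with DisplayName once valid credentials are presented. Two details matter for the enumeration point: the v2 answer is identical for known and unknown addresses, and the v1 password check runs a constant-time comparison against a dummy value for unknown users, so the 401 arrives in the same time either way.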

  • autodiscover.xml now requires basic authentication
  • whitespace fix
  • tab/whitespace fix
  • reupload after pushing the wrong working copy
This revision is now accepted and ready to land. Feb 23 2020, 10:41 AM
This revision was automatically updated to reflect the committed changes.