
implemented microsoft autodiscover v2 and secure autodiscover.xml
ClosedPublic

Authored by dhoffend on Feb 1 2020, 1:07 AM.
Referenced Files
F11589300: D931.id2155.diff
Thu, Mar 28, 10:37 PM

Details

Summary

Added support for JSON-based autodiscover v2, which currently only supports Protocol ActiveSync or redirects to the XML-based autodiscover v1.

In addition, this change implements basic authentication for autodiscover.xml to support the autodiscover/authentication flow and protect users' data (prevents email testing/scraping).

Diff Detail

Repository
rAC autoconf

Event Timeline

dhoffend created this revision.
  • autodiscover.xml now requires basic authentication

This helps the autodiscover process. With basic auth enabled on
autodiscover.xml URLs, the tested mobile clients no longer need to go
through the advanced settings page (tested on iOS).

This also protects the autodiscover service from leaking sensitive
information about existing users (showing the display name) when using crafted
autodiscover requests with just a known email address and without proper
authentication.

dhoffend retitled this revision from implemented microsoft autodiscover v2 to implemented microsoft autodiscover v2 and secure autodiscover.xml.Feb 2 2020, 12:36 AM
dhoffend edited the summary of this revision. (Show Details)

Start an unauthenticated autodiscover request with a known email address

curl -H 'Content-Type: text/xml' -X POST -d '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006">
  <Request>
    <EMailAddress>XXXXX@kolab.org</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>' https://kolabnow.com/autodiscover/autodiscover.xml

The response

<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
    <User>
      <DisplayName>Daniel Hoffend</DisplayName>
      <EMailAddress>XXXXX@kolab.org</EMailAddress>
    </User>
    <Action>
      <Settings>
        <Server>
          <Type>MobileSync</Type>
          <Url>https://apps.kolabnow.com/Microsoft-Server-ActiveSync</Url>
          <Name>https://apps.kolabnow.com/Microsoft-Server-ActiveSync</Name>
        </Server>
      </Settings>
    </Action>
  </Response>
</Autodiscover>

With an unknown email address, the DisplayName field stays empty.
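The following is an added example illustrating both parts of this revision (the JSON autodiscover v2 endpoint from the summary, and the basic-auth gate on autodiscover.xml that closes the display-name disclosure shown above). It is not the autoconf project's code: the host names, the user table, the PBKDF2 password store and the request body are constructed for the example, and the v2 error payloads follow the documented `ErrorCode`/`ErrorMessage` shape with example wording. The handlers are plain functions returning `(status, headers, body)` so they can be exercised without a web server.

```python
"""Autodiscover v2 (JSON) and basic-auth-gated Autodiscover v1 (XML) handlers.

Added example; not the autoconf project's code. Hosts, users and the
password store below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production
from urllib.parse import parse_qs, urlparse
from xml.sax.saxutils import escape

# Constructed endpoints (hypothetical hosts).
ACTIVESYNC_URL = "https://apps.example.com/Microsoft-Server-ActiveSync"
AUTODISCOVER_V1_URL = "https://example.com/autodiscover/autodiscover.xml"

MS_REQ_NS = "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006"
MS_RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006"
RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"

_SALT = b"example-salt"  # constructed; use a random per-user salt for real accounts


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


# Constructed user directory: email -> (display name, password hash).
USERS = {"alice@example.com": ("Alice Example", _hash_password("correct horse"))}


def autodiscover_v2(url):
    """GET /autodiscover/autodiscover.json?Email=...&Protocol=...

    Returns only domain-level endpoint URLs, never per-user data, so it can
    stay unauthenticated. Anything but ActiveSync/AutodiscoverV1 gets a 400.
    """
    query = parse_qs(urlparse(url).query)
    protocol = query.get("Protocol", [""])[0]
    headers = {"Content-Type": "application/json"}
    if not protocol:
        body = {"ErrorCode": "MandatoryParameterMissing", "ErrorMessage": "Protocol is required"}
        return 400, headers, json.dumps(body)
    if protocol.lower() == "activesync":
        return 200, headers, json.dumps({"Protocol": "ActiveSync", "Url": ACTIVESYNC_URL})
    if protocol.lower() == "autodiscoverv1":  # redirect the client to the XML v1 endpoint
        return 200, headers, json.dumps({"Protocol": "AutodiscoverV1", "Url": AUTODISCOVER_V1_URL})
    body = {"ErrorCode": "InvalidProtocol", "ErrorMessage": f"Protocol '{protocol}' not supported"}
    return 400, headers, json.dumps(body)


def basic_auth_header(user, password):
    """Build the Authorization header a client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_basic_auth(header):
    """Return the authenticated email address, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    entry = USERS.get(user)
    candidate = _hash_password(password)  # hash unconditionally: unknown users cost the same
    if entry is not None and hmac.compare_digest(candidate, entry[1]):
        return user
    return None


def mobilesync_response(display_name, email):
    """v1 MobileSync response; escape() keeps user-controlled text from breaking the XML."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Autodiscover xmlns="{RESP_NS}"><Response xmlns="{MS_RESP_NS}">'
        f"<User><DisplayName>{escape(display_name)}</DisplayName>"
        f"<EMailAddress>{escape(email)}</EMailAddress></User>"
        f"<Action><Settings><Server><Type>MobileSync</Type><Url>{ACTIVESYNC_URL}</Url>"
        f"<Name>{ACTIVESYNC_URL}</Name></Server></Settings></Action></Response></Autodiscover>"
    )


def autodiscover_xml(headers, body):
    """POST /autodiscover/autodiscover.xml, now behind basic auth."""
    user = check_basic_auth(headers.get("Authorization"))
    if user is None:
        # Nothing about the mailbox leaves the server without credentials.
        return 401, {"WWW-Authenticate": 'Basic realm="autodiscover"'}, ""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return 400, {}, ""
    email = root.findtext(f"{{{MS_REQ_NS}}}Request/{{{MS_REQ_NS}}}EMailAddress") or ""
    # Answer only for the mailbox that authenticated; otherwise any valid
    # account could still enumerate other users' display names.
    if email.lower() != user.lower():
        return 403, {}, ""
    return 200, {"Content-Type": "text/xml"}, mobilesync_response(USERS[user][0], email)


def display_name_from_response(body):
    """Client side: pull DisplayName out of a v1 response (None if absent)."""
    return ET.fromstring(body).findtext(f".//{{{MS_RESP_NS}}}DisplayName")


# Constructed request body, same shape as the curl request above.
REQUEST_XML = (
    f'<Autodiscover xmlns="{MS_REQ_NS}"><Request>'
    "<EMailAddress>alice@example.com</EMailAddress>"
    f"<AcceptableResponseSchema>{MS_RESP_NS}a</AcceptableResponseSchema>"
    "</Request></Autodiscover>"
)

if __name__ == "__main__":
    print(autodiscover_v2("/autodiscover/autodiscover.json?Email=alice@example.com&Protocol=ActiveSync"))
    print(autodiscover_xml({}, REQUEST_XML)[0])  # 401 without credentials
    auth = {"Authorization": basic_auth_header("alice@example.com", "correct horse")}
    print(display_name_from_response(autodiscover_xml(auth, REQUEST_XML)[2]))
```

Two points beyond the revision's own change are worth keeping in mind when reviewing an implementation like this: the v2 endpoint can remain unauthenticated because it only hands out domain-wide URLs, and the v1 handler should refuse to answer for an `EMailAddress` other than the authenticated one, since basic auth alone still lets any valid account look up other users' display names.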

  • autodiscover.xml now requires basic authentication
  • whitespace fix
  • tab/whitespace fix
  • reupload after pushing the wrong working copy
This revision is now accepted and ready to land.Feb 23 2020, 10:41 AM
This revision was automatically updated to reflect the committed changes.