implemented microsoft autodiscover v2 and secure autodiscover.xml
ClosedPublic

Authored by dhoffend on Feb 1 2020, 1:07 AM.
Tags
None
Details

Summary

Added support for JSON-based autodiscover v2, which currently only supports Protocol ActiveSync or redirect to the XML-based autodiscover v1.

In addition, this change implements basic authentication for autodiscover.xml to support the autodiscover/authentication flow and protect users' data (prevents email testing/scraping).

Diff Detail

Repository
rAC autoconf
Branch
autodiscoverv2
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 27988
Build 9976: arc lint + arc unit

Event Timeline

dhoffend created this revision.
  • autodiscover.xml now requires basic authentication

This helps the autodiscover process. With basic auth enabled on
autodiscover.xml URLs, the tested mobile clients no longer need to go
through the advanced settings page (tested on iOS).

This also protects the autodiscover service from leaking sensitive
information about existing users (showing display name) when using crafted
autodiscover requests with just a known email address without proper
authentication.

dhoffend retitled this revision from implemented microsoft autodiscover v2 to implemented microsoft autodiscover v2 and secure autodiscover.xml. Feb 2 2020, 12:36 AM
dhoffend edited the summary of this revision. (Show Details)

Start an unauthenticated autodiscover request with a known email address

# curl -H 'Content-Type: text/xml' -X POST -d '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006">
>   <Request>
>     <EMailAddress>XXXXX@kolab.org</EMailAddress>
>     <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006a</AcceptableResponseSchema>
>   </Request>
> </Autodiscover>' https://kolabnow.com/autodiscover/autodiscover.xml

The response

<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
    <User>
      <DisplayName>Daniel Hoffend</DisplayName>
      <EMailAddress>XXXXX@kolab.org</EMailAddress>
    </User>
    <Action>
      <Settings>
        <Server>
          <Type>MobileSync</Type>
          <Url>https://apps.kolabnow.com/Microsoft-Server-ActiveSync</Url>
          <Name>https://apps.kolabnow.com/Microsoft-Server-ActiveSync</Name>
        </Server>
      </Settings>
    </Action>
  </Response>
</Autodiscover>

With an unknown email address, the DisplayName field stays empty.
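The two behaviours the revision describes, modelled as an added example (this is not the autoconf project's code): the autodiscover.xml endpoint answers a mobilesync request only after HTTP Basic authentication succeeds and only for the caller's own mailbox, so a crafted request with a guessed address gets a 401 challenge and no DisplayName; the autodiscover v2 JSON endpoint returns only server URLs for Protocol=ActiveSync, or redirects to the XML endpoint, and therefore carries no per-user data. The user table, the `/autodiscover/autodiscover.json/v1.0/<email>?Protocol=` path layout, the lower-casing of addresses and the error body are assumptions made for the example; the server URLs and response XML follow the sample response above.

```python
import base64
import hmac
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit
from xml.sax.saxutils import escape

# Server URLs as shown in the revision's sample response.
ACTIVESYNC_URL = "https://apps.kolabnow.com/Microsoft-Server-ActiveSync"
AUTODISCOVER_XML_URL = "https://kolabnow.com/autodiscover/autodiscover.xml"

# Constructed user directory for the example: email -> (password, display name).
USERS = {"alice@example.org": ("correct horse battery staple", "Alice Example")}

NS_REQ = "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006"
RESPONSE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
    <User><DisplayName>{display_name}</DisplayName><EMailAddress>{email}</EMailAddress></User>
    <Action><Settings><Server>
      <Type>MobileSync</Type><Url>{url}</Url><Name>{url}</Name>
    </Server></Settings></Action>
  </Response>
</Autodiscover>
"""


def basic_auth_header(user, password):
    """Build the Authorization header a client would send (used by callers and tests)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def authenticate(headers):
    """Return the authenticated email (lower-cased, an assumption) or None.

    Passwords are compared with hmac.compare_digest; an unknown user is compared
    against a dummy value so a missing account is not cheaper to probe than a
    wrong password.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    if not sep:
        return None
    user = user.lower()
    stored = USERS.get(user, ("\0" * 32, ""))[0]
    ok = hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    return user if ok and user in USERS else None


def handle_autodiscover_xml(headers, body):
    """POST /autodiscover/autodiscover.xml (v1). Returns (status, headers, body)."""
    email = authenticate(headers)
    if email is None:
        # Challenge first: no <User> data is ever produced for an unauthenticated caller.
        return 401, {"WWW-Authenticate": 'Basic realm="Autodiscover"'}, ""
    try:
        root = ET.fromstring(body)  # production code should use defusedxml here
    except ET.ParseError:
        return 400, {}, ""
    requested = (root.findtext(f"{{{NS_REQ}}}Request/{{{NS_REQ}}}EMailAddress") or "").strip().lower()
    if requested != email:
        # Valid credentials but asking about a different mailbox: refuse.
        return 403, {}, ""
    xml_body = RESPONSE_TEMPLATE.format(display_name=escape(USERS[email][1]),
                                        email=escape(email), url=ACTIVESYNC_URL)
    return 200, {"Content-Type": "text/xml; charset=utf-8"}, xml_body


def handle_autodiscover_json(request_uri):
    """GET /autodiscover/autodiscover.json/v1.0/<email>?Protocol=<name> (v2).

    The address in the path is not looked up: the reply contains server URLs only,
    which is why this endpoint can stay unauthenticated.
    """
    parts = urlsplit(request_uri)
    if not parts.path.lower().startswith("/autodiscover/autodiscover.json/v1.0/"):
        return 404, {}, ""
    protocol = parse_qs(parts.query).get("Protocol", [""])[0].lower()
    json_headers = {"Content-Type": "application/json"}
    if protocol == "activesync":
        return 200, json_headers, json.dumps({"Protocol": "ActiveSync", "Url": ACTIVESYNC_URL})
    if protocol == "autodiscoverv1":
        # Hand the client back to the XML endpoint, which authenticates.
        return 200, json_headers, json.dumps({"Protocol": "AutodiscoverV1", "Url": AUTODISCOVER_XML_URL})
    return 400, json_headers, json.dumps({"ErrorCode": "InvalidProtocol",
                                          "ErrorMessage": "Only ActiveSync and AutodiscoverV1 are supported"})


def sample_request(email):
    """The request body from the curl example above, with a chosen address."""
    return (f'<Autodiscover xmlns="{NS_REQ}"><Request><EMailAddress>{escape(email)}</EMailAddress>'
            '<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/'
            'mobilesync/responseschema/2006a</AcceptableResponseSchema></Request></Autodiscover>')
```

Calling `handle_autodiscover_xml({}, sample_request("alice@example.org"))` returns a 401 with a `WWW-Authenticate` challenge and an empty body, which is the fix for the probe shown above; the same request with `basic_auth_header("alice@example.org", "correct horse battery staple")` returns the populated XML. The 403 branch is the check a real deployment also wants: credentials for one mailbox must not be usable to read another user's display name.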

  • autodiscover.xml now requires basic authentication
  • whitespace fix
  • tab/whitespace fix
  • reupload after pushing the wrong working copy
This revision is now accepted and ready to land. Feb 23 2020, 10:41 AM
This revision was automatically updated to reflect the committed changes.