Documente Academic
Documente Profesional
Documente Cultură
The article is all about the subject of the security mechanism that is implemented
as part of the Autodiscover process.
In the current article, we relate to the middle part in the diagram that deals with
the task of Getting the Autodiscover information \ data .
The Autodiscover process was built for providing the client an efficient and secure
way for getting the required information from a server (Exchange or Autodiscover
Endpoint).
The meaning of a secure way, is translated into three major mandatory
requirements:
1. The ability to prove identity
Each of the involved parties in the Autodiscover session, meaning the client and the
server, need to identify himself and to proof his identity.
The client and the server must implement a model of mutual trust in which the
client can know that the server is a reliable source of information and the server
can know that the client is authorized to get a specific information.
Note along the current article we will mention the term public certificate.
Technically speaking the server certificate doesnt have to be considered as public
certificate what was created by a public CA (certificate authority).
In a public environment, the mandatory need is for a public certificate. Because
Exchange infrastructure provides services to an external client that reside on the
public network, we can see that the Exchange server must use a public certificate.
The server side (Exchange server) public certificate is used for two purposes:
1. The server ability to provide proof of identity to the Autodiscover client
The Exchange client (Autodiscover client) doesnt relay to know if the Exchange
server that he is trying to communicate is Is really who he says he is.
The server public certificate enables the Exchange server (the Autodiscover
Endpoint) to prove his identity to the Autodiscover client.
2. Wild-card certificate
The next example is the Office 365 Wildcard certificate.
In the following screenshot, we can see an interesting phenomenon all the huge
Office 365 and Exchange Online infrastructure, is represented by a very simple and
thin certificate.
Office 365 uses a Wildcard certificate that includes the domain names:
*.office365.com and, *.outlook.com
All of the Office 365 and Exchange Online server who belong to one of these
domains can use this certificate.
We can relate to the wild-card certificate as a logical umbrella for all the hosts
whom they FQDN name includes one of this domain name.
The certificate CA
In the following screenshot, we can see an example of a public certificate that was
created by a public CA GoDaddy
Many times, there is an additional CA that enroll other CA as an authority who can
enroll other servers.
In the world of security, the client must be sure behind any doubt that the
certificate that the server provide is a legitimate and can be trusted.
For this reason, after the server sends to the client his certificate, the client need to
pull Outlook from the certificate the Certificate trust chain.
The next step will be verifying any of the CA that appear in the Certificate trust
chain.
Q1: How can the client (the Autodiscover client) trust the certificate that is provided
by the server (the Autodiscover Endpoint)?
A1: The certificate that is provided by the server is stamped by a public CA.
Q2: Why should the client trust this CA?
A2: The basic assumption is that the client desktop includes a certificate store that
includes a list of approved public CA that the client can trust.
The answer is quite simple: every windows based OS includes by default a
database named: certificate store.
The certificate store includes the certificate if these public companies such as
GoDaddy, GTE Cyber Trust, DigiCert and more.
In the following screenshot, we can see an example to the inside of the windows
OS certificate store and the CA certificates.
The term certificate trusts chain describe a hierarchy of trust between entities.
To make simpler, many times the CA that authorized a specific server by providing
him a public certificate is a child or subordinate of additional CA that authorized
him.
When a client gets a public server certificate, besides of validating the details of the
specific server who provide the certificate, the client must verify all the hierarchy of
trust, meaning all of the CA that was involved throughout the process.
The information about the Certificate trust chain must appear as part of the
certificate.
Real life example: lets take for an example, the public certificate that I have.
Under the Certificate path tab, we can see a clear picture of the hierarchy.
The certificate was provided for a host named o365info.com by a CA (Certificate
authority) of GoDaddy.
In the following diagram, we can see a description of the Certificate trust chain
process.
Step 1+ 2 : the client accesses a server and asks him to provide his certificate.
When the client gets the server certificate, he verifies that the server name appears
in the certificate and if the name appears correctly the client move to the next step.
Written by Eyal Doron | o365info.com | Copyright 2012-2015
Now, the client will try to communicate the CA server (Go Daddy Secure
Certification Authority in our scenario) and ask from him to provide his public
certificate.
In case that the CA provide his public certificate, the client will check if this is the
end of the hierarchy.
In case that the answer is: Yes, the client moves to the next step.
Step 3: the client accesses his local certificate store, and looks for the CA certificate
(the last CA in the hierarchy).
In case that the CA certificate appears in the client certificate store and in case that
the certificate is valid, this is a sign for the client that he can relay trust the server
that he wants to communicate with.
Digital signature
Q3: How can the client be sure that the certificate is Legitimate and not fake?
A3: The public certificate includes a digital signature. The client know how to
implement a procedure in which he can verify if the certificate that the server
provides is the original certificate that he got from the CA.
A user named Bob, which has the E-mail address Bob@o365pilot.com wants to
create a new Outlook mail profile.
The Autodiscover process that is initialized by the Outlook client, will try to look for
a host named o365pilot.com and if he finds one, try to create an HTTPS session
and ask for the Autodiscover required information.
Scenario 1: no public website that is mapped to the domain name.
In our scenario, the company didnt publish or map the domain name to a public
web site.
Note there could be a different scenario in which the company has a website, and,
in addition, the root domain name was mapped in the DNS to the public IP of the
web address, but the website doesnt support HTTPS.
When the Autodiscover client starts the process, he will contact a DNS server
looking for information about the public IP of o365pilot.com
Because, in our scenario, there is no such information, the Autodiscover client
understand that he should start using the second method of Autodiscover
hostname using the naming convention autodiscover.o365pilot.com
In case that the Exchange server was configured correctly, the Autodiscover client
will find the IP address of the host, check if the host (Exchange server) support
HTTPS asks for the server certificate and so on.
Under the Certificate Path tab, we can see that there is no certificate chain
meaning we cannot find the element (the public CA) that provide this certificate.
(IP addresses returned: 85.250.113.157 and Testing TCP port 443 on host
o365pilot.com to ensure its listening and open).
The Autodiscover client asks for the server certificate, and the certificate was
Successfully sent to the Autodiscover client (number 3):
The Microsoft Connectivity Analyzer successfully obtained the remote SSL
certificate.
The certificate validation phase starts.
The first test that the Autodiscover clients perform is the validating that the
Autodiscover Endpoint name appears in the certificate (number 4).
In the ExRCA results, we can see that the server names (o365pilot.com) appear
correctlyValidating the certificate name. The certificate name was validated successfully.
Hostname o365pilot.com was found in the Certificate Subject Common name.
The next validation test that performed by the Autodiscover client is the Certificate
trust (number of 5).
In the test results, we can see that this test did not complete successfully
(number 5) because the server certificate was not created or provided by a trusted
CA:
Certificate trust is being validated. Certificate trust validation failed.
For this reason, the validity check will fail (and not continue) even before the
Autodiscover client will try to check\test the certificate trust path.
In the following screenshot, we can see that the first part of the Autodiscover
processes complete successfully (number 1 + 2).
The Autodiscover client manage to get the IP address of the Autodiscover Endpoint
(o365pilot.com) and, manage to verify that the Autodiscover Endpoint can
communicate using the HTTPS protocol.
The Autodiscover client asks for the server certificate and the certificate was
successfully sent to the Autodiscover client (number 3).