SFB online Client Sign in and Authentication Deep Dive ;Part 2

Posted on by No Comments ↓

This post has been republished via RSS; it originally appeared at: Skype for Business Blog articles.

First published on TECHNET on Apr 09, 2018
Scenario: Pure Online (O365) environment, SFB user is homed Online, NO ADFS, MA (Modern Auth) is Enabled in O365

NOTE:

I have tried my best to ensure the information below is accurate. Some of the terms I use to describe things like Modern Auth provider, O365 AD, Org ID etc. may not be standard terminology, I use them solely to make the understanding simpler. My intention here is to explain what happens in the background when a SFB client signs in so that it helps engineers and customers troubleshooting issues related to Sign in and Authentication.



How Does it Work?

Below is a High level explanation on how the SFB online Client Sign in process works

SIP URI of the user - e1@mshaikh.onmicrosoftcom

  1. SFB client Queries DNS for Lyncdiscover.domain.com. This should point to Webdir.online.lync.com

  2. SFB Client then sends a unauthenticated GET request to Lyncdiscover.domain.com

  3. The Client is then redirected to Autodiscover ( https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=mshaikh.onmicrosoft.com )

  4. SFB Client then sends a Request to Autodiscover to discover its pool for sign in.

  5. The Client is then challenged and is provided the URL for Webticket service ( https://webdir2a.online.lync.com/WebTicket/WebTicketService.svc ) where it can request a Webticket

  6. The Client then sends a POST request to Webticket Service

  7. Webticket Service Redirects the Client to Modern Auth Provider (login.windows.net)

  8. Now in order to authenticate the client reaches out to Login.windows.net and requests a Token, The intention here is to Get a Token from login.windows.net, From this point onwards we will see that login.windows.net will redirect the client to login.microsoftonline.com. We will see several exchanges happening between client, login.microsoftonline.com and Login.windows.net

  9. The Client may receive a Password prompt and once the correct password is provided a token will be issued by Login.windows.net

  10. The Client then submits this token to Webticket Service

  11. Webticket service now will grant a Webticket to the Client

  12. The client then submits this webticket to Autodiscover

  13. In Response Autodiscover will provide the Pool names (sipfed2a.online.lync.com" port="443) where the client can send Register to Sign in

  14. The SFB client now sends a SIP register to the Online Edge pool (sipfed2a.online.lync.com" port="443)

  15. It is then challenged for authentication again, here the ONLY supported method of authentication is TLS-DSK, The client is provided a Cert provisioning URL ( https://webdir2a.online.lync.com:443/CertProv/CertProvisioningService.svc ) in the 401 unauthenticated response

  16. The SFB client then sends a request to Certprov

  17. Here again the Client is challenged for authentication and is redirected to webticket service to get Webticket

  18. The Client had already Obtained a webticket in step 11 above

  19. The client will submit the same webticket obtained in step 11 to the Cert provisioning service

  20. The Client then receives a certificate

  21. The SFB client can now send a Register again and use the certificate it downloaded for authentication




Below is a graphical representation of the SFB online Client Sign in process



clip_image001[4]



Detailed Explanation of SFB online Client Sign in process with LOG Snippets:

SIP URI of the user - e1@mshaikh.onmicrosoftcom

When a SFB client wants to Sign in, It needs to know where it can send its request to be able to Sign in. Whenever a user enters his SIP URI to sign in the SFB client forms an autodiscover URL using the domain name that it extracts from the users SIP URI to start the discovery process and then it sends an Unauthenticated Get request to the URL, lyncdiscover.domain.com. The response code for this request will be '200 ok' and in the response we should receive the external webservices URL for autodiscover.

You can see the request and Response below

clip_image002[4]

The SFB Client learns that it needs to Contact https://webdir2a.online.lync.com/

It then tries to Do a TCP handshake with webdir2a.online.lync.com

You can see that in a Network trace, refer Screen shot below

clip_image003[4]

Once the Initial TCP handshake is Complete, The Client will perform a TLS Handshake,

You can see that in a Network trace, refer Screen shot below

clip_image004[4]

The client then sends a request to the Autodiscover URL for its own domain (in my case @mshaikh.onmicrosoft.com) and in Response it receives the Autodiscover URL's specific to the users Tenant. You can see the request and Response below

clip_image005[4]

The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL.

In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService.

You can see the request and Response below

clip_image006[4]

The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service. Now since Modern Authentication is enabled on the Tenant, in order to grant the webticket the client will first need to get a Token from the Modern Auth provider so the client is redirected to the Modern Auth provider URL - <af:OAuth af:authorizationUri="https://login.windows.net/common/oauth2/authorize" xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" />

clip_image007[4]

The Client then sends a request to the MA/Oauth URL to request a Token, The intention here is to Get a Token from login.windows.net

From this point onwards we will see that login.windows.net will redirect the client to - login.microsoftonline.com.

Below is the Request that client sends to the MA/OAUTH URL and in response it is redirected to AD - login.microsoftonline.com

clip_image008[4]

We have to remember that "The intention here is to Get a Token from login.windows.net" we will see several exchanges happening between client to login.microsoftonline.com. Below are screen shots showing these exchanges.

clip_image009[4]

Eventually the client will receive a Cookie from login.microsoftonline.com which is shown below

clip_image010[4]

The client then submits this cookie to login.windows.net which is the MA provider and Then, the Modern Auth provider will issue the MA token.

below is the message showing this

clip_image011[4]

At this Point the client has received the below token from the Modern Auth provider login.windows.net/common/oauth2/token

clip_image012[4]

Now the client will submit this token to the webticket URL, and the Webticket service will issue the webticket, Shown below

clip_image013[3]

The client will then submit this webticket to Autodiscover and in return it will receive the POOL names where it has to send the Register to Sign in.

clip_image014[3]

Once the Client receives the pool names it will then Send a SIP REGISTER message to the SFB pool in order to sign in. . You can see that in the Client UCCAPI log file. This is shown in the snippet below

clip_image015[3]

In response the Client will now receive a 401 Unauthorized message again and the server will again ask the client to authenticate itself. Here the ONLY method of authentication that is available is TLS-DSK (Cert based authentication)

The SFB online server will provide the Client a Cert provisioning URL in the 401 you can see that in the snippet below

clip_image016[3]

This means that the Client now needs to present a Certificate that can then be used to authenticate the client. Since this is the first time the client is signing in it will NOT have the certificate installed. This certificate is ideally downloaded after the client signs in for the first time and is valid for about 8 hours.

Since the client does not have a valid certificate it now has to Re-Authenticate to the Cert provisioning service.

The Process for this will again be the same, the client has to first get a Web ticket, to get a web ticket it needs to get a Token from O365 AD, but we know that the client has already done these steps earlier. SO it already has a Web Ticket from the Web services URL. The Client needs to submit this same web ticket that it had obtained now to the Cert provisioning Service and once it submits the web ticket it will serve as a proof of authentication.

The Client learns about this by first sending a Mex request to the Cert provisioning URL. You can see that in the Trace below

clip_image017[3]

The Client then submits the Web Ticket that it had received to the Cert provisioning URL it received above, after this it receives a 200 OK and sign in is now complete

clip_image018[3]



Sign in is NOW Complete

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.