Oct 08

Mobile Discovery and Authentication Communication Flow

There isn't a lot of detailed documentation about what happens with Lync/Skype for Business mobility during the autodiscover phase. This article will detail how the mobile client eventually gets connected to the correct pool, especially if you have Directors or multiple pools in your environment.

I won't dig into the autodiscover process from the DNS standpoint. Several other articles have been written about that:

  1. Jeff Schertz 1
  2. Jeff Schertz 2
  3. Rune Dyrhaug Stoknes

In a nutshell, the Lync Mobile client obtains the UCWA (mobility) URL as follows:

1. The Lync 2013 Mobile client sends an HTTP GET request to obtain the UCWA URLs.
2. The client receives a 401 Unauthorized response.
3. The client authenticates again with a Web Ticket.
4. The client receives a response with the UCWA URL.

In the example below, the mobile client is out on the Internet somewhere. The user testuser@flinchbot.com is trying to log in via the mobile client. The testuser@flinchbot.com account is homed on the Lync pool in Europe.

After performing the DNS lookup, the mobile client is given a URL to a Director Pool in the United States. The Director Pool belongs to a Lync Pool in the US. Therefore, the next step is for the Director to forward the request to the US pool to help find the user's home pool. (If you don't have a Director, this step would be skipped and you would connect directly to the Front End pool in the US.) The US Front End pool determines that the user is homed on a pool in Europe. The client gets redirected to that pool. After an authentication cycle, the client is given the direct public URL to log in to the mobility service on the pool in Europe.

Remember that the first step is Autodiscover. This must happen before you actually connect to the Mobility service. This is why the process gets repeated on the Europe Pool. You need to "autodiscover" the URL for the Mobility service in Europe. The below diagram shows how autodiscover and the mobility service work together.

[Diagram: autodiscover and mobility]

Below is a Visio diagram showing the detailed negotiation that happens. The diagram is broken into three sections to help show which server the mobile client is communicating with in each step.

Further down are log files from a capture of this activity showing the specific details returned during each step of the process.

[Visio diagram: mobility1]

1. The client constructs the discover URL and sends an HTTP GET request

INFO APPLICATION CUcwaAutoDiscoveryService.cpp/1905:Successfully started the GetUserUrlOperation request for https://lyncdiscover.flinchbot.com/?sipuri=sip:testuser@flinchbot.com

2. The client receives URLs in response to the HTTP GET

INFO TRANSPORT TransportUtilityFunctions.cpp/1116:<ReceivedResponse>
GET https://lyncdiscover.flinchbot.com/?sipuri=sip:testuser@flinchbot.com
Request Id: 0515498C
HttpHeader:Cache-Control no-cache
HttpHeader:Content-Length 1137
HttpHeader:Content-Type application/vnd.microsoft.rtc.autodiscover+xml; v=1
HttpHeader:Date Tue, 18 Aug 2015 20:07:30 GMT
HttpHeader:Expires -1
HttpHeader:Pragma no-cache
HttpHeader:Server Microsoft-IIS/8.0
HttpHeader:StatusCode 200
HttpHeader:X-AspNet-Version 4.0.30319
HttpHeader:X-Content-Type-Options nosniff
HttpHeader:X-MS-Server-Fqdn Lync1.us.flinchbot.com
HttpHeader:X-Powered-By ASP.NET
<?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="External"><Root><Link token="Domain" href="https://webext.us.flinchbot.com/Autodiscover/AutodiscoverService.svc/root/domain?originalDomain=flinchbot.com" /><Link token="User" href="https://webext.us.flinchbot.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=flinchbot.com" /><Link token="Self" href="https://webext.us.flinchbot.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=flinchbot.com" /><Link token="OAuth" href="https://webext.us.flinchbot.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=flinchbot.com" /><Link token="External/XFrame" href="https://webext.us.flinchbot.com/Autodiscover/XFrame/XFrame.html" /><Link token="Internal/XFrame" href="https://dirpoolweb.us.flinchbot.com/Autodiscover/XFrame/XFrame.html" /><Link token="XFrame" href="https://dirpoolwebext.us.flinchbot.com/Autodiscover/XFrame/XFrame.html" /></Root></AutodiscoverResponse>
</ReceivedResponse>

3. The client uses that response to make a request to the discovered external web URL to retrieve the home pool information. 

INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp/224:UcwaAutoDiscoveryGetUserUrlOperation completed with url = https://lyncdiscover.flinchbot.com/?sipuri=sip:testuser@flinchbot.com, userUrl = https://webext.us.flinchbot.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=flinchbot.com, status = S0-0-0)

4. The client receives a 401 Unauthorized response with Web Ticket Service location in the header

INFO TRANSPORT TransportUtilityFunctions.cpp/1116:<ReceivedResponse>
GET https://webext.us.flinchbot.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=flinchbot.com
Request Id: 0507771C
HttpHeader:Cache-Control no-cache
HttpHeader:Content-Length 1293
HttpHeader:Content-Type text/html
HttpHeader:Date Tue, 18 Aug 2015 20:07:30 GMT
HttpHeader:Server Microsoft-IIS/8.0
HttpHeader:StatusCode 401
HttpHeader:Strict-Transport-Security max-age=31536000; includeSubDomains
HttpHeader:X-Content-Type-Options nosniff
HttpHeader:X-MS-Server-Fqdn Lync1.us.flinchbot.com
HttpHeader:X-MS-WebTicketSupported cwt,saml
HttpHeader:X-MS-WebTicketURL https://dirpoolwebext.us.flinchbot.com/WebTicket/WebTicketService.svc
HttpHeader:X-Powered-By ASP.NET
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">

 

5. The client submits a request to the Web Ticket Service to retrieve the metadata exchange document (MEX). The client submits a Request Security Token to Web Ticket Service and supplies credentials.

INFO TRANSPORT CMetaDataManager.cpp/488:Sending Mex request for endpoint (https://dirpoolwebext.us.flinchbot.com/WebTicket/WebTicketService.svc) w/ sign-in name (testuser@flinchbot.com)
INFO TRANSPORT CMetaDataRequest.cpp/90:MEX response received.
2015-08-18 16:07:18.071 Lync[4844:1844] INFO TRANSPORT CWebTicketSession.cpp/564:Received webticket resposne with status S0-0-0)
2015-08-18 16:07:18.076 Lync[4844:1844] INFO TRANSPORT CWebTicketSession.cpp/668:New web ticket obtained

6. The client makes a request again to https://dirpoolwebext.us.flinchbot.com/Autodiscover/AutodiscoverService.svc/root/user to retrieve specific user home pool information and provides the web ticket.

INFO TRANSPORT CBindingTransformationFactory.cpp/259:Using endpoint address https://dirpoolwebext.us.flinchbot.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=flinchbot.com as the server address
INFO TRANSPORT TransportUtilityFunctions.cpp/735:<SentRequest> GET https://dirpoolwebext.us.flinchbot.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=flinchbot.com Request Id: 0515498C HttpHeader:Accept application/vnd.microsoft.rtc.autodiscover+xml;v=1 HttpHeader:X-MS-WebTicket XXXXXXX </SentRequest>

7. The client gets the home pool information  

INFO APPLICATION CUcwaAppSession.cpp/1235:Updating URLs. For Ucwa: discoveredFqdn=https://webext.eu.flinchbot.com, applicationsRelativeUrl=/ucwa/v1/applications, configuredInternal=, configuredExternal=, loc=1, auto-discovery=1   

8. Client sends a request to the discovered home pool to get the UCWA URLs  

INFO TRANSPORT TransportUtilityFunctions.cpp/735:<SentRequest> GET https://webext.eu.flinchbot.com/ucwa/v1/applications Request Id: 05143B44 HttpHeader:Accept   </SentRequest>

9 and 10. The client repeats authentication steps against their home server.

11. Lync Autodiscover responds with the internal and external Lync services URLs for the user's home pool.

INFO TRANSPORT TransportUtilityFunctions.cpp/1116:<ReceivedResponse>
GET https://dirpoolwebext.us.flinchbot.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=flinchbot.com
Request Id: 0515498C
HttpHeader:Cache-Control no-cache
HttpHeader:Content-Length 2286
HttpHeader:Content-Type application/vnd.microsoft.rtc.autodiscover+xml; v=1
HttpHeader:Date Tue, 18 Aug 2015 20:07:31 GMT
HttpHeader:Expires -1
HttpHeader:Pragma no-cache
HttpHeader:Server Microsoft-IIS/8.0
HttpHeader:StatusCode 200
HttpHeader:Strict-Transport-Security max-age=31536000; includeSubDomains
HttpHeader:Via 1.1 Lync1.us.flinchbot.com RtcExt
HttpHeader:X-AspNet-Version 4.0.30319
HttpHeader:X-Content-Type-Options nosniff
HttpHeader:X-MS-Server-Fqdn LyncServ1.eu.flinchbot.com
HttpHeader:X-Powered-By ASP.NET

<?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="External"><User><SipServerInternalAccess fqdn="pool.eu.flinchbot.com" port="5061" /><SipClientInternalAccess fqdn="pool.ee.flinchbot.com" port="5061" /><SipServerExternalAccess fqdn="sip1.flinchbot.com" port="5061" /><SipClientExternalAccess fqdn="sip1.flinchbot.com" port="443" /><Link token="Internal/Autodiscover" href="https://poolweb.eu.flinchbot.com/Autodiscover/AutodiscoverService.svc/root" /><Link token="Internal/AuthBroker" href="https://poolweb.eu.flinchbot.com/Reach/sip.svc" /><Link token="Internal/WebScheduler" href="https://poolweb.eu.flinchbot.com/Scheduler" /><Link token="Internal/CertProvisioning" href="https://poolweb.eu.flinchbot.com/CertProv/CertProvisioningService.svc" /><Link token="External/Autodiscover" href="https://poolwebext.eu.flinchbot.com/Autodiscover/AutodiscoverService.svc/root" /><Link token="External/AuthBroker" href="https://poolwebext.eu.flinchbot.com/Reach/sip.svc" /><Link token="External/WebScheduler" href="https://poolwebext.eu.flinchbot.com/Scheduler" /><Link token="External/CertProvisioning" href="https://poolwebext.eu.flinchbot.com/CertProv/CertProvisioningService.svc" /><Link token="Internal/Mcx" href="https://poolwebext.eu.flinchbot.com/Mcx/McxService.svc" /><Link token="External/Mcx" href="https://poolwebext.eu.flinchbot.com/Mcx/McxService.svc" /><Link token="Ucwa" href="https://poolwebext.eu.flinchbot.com/ucwa/v1/applications" /><Link token="Internal/Ucwa" href="https://poolweb.eu.flinchbot.com/ucwa/v1/applications" /><Link token="External/Ucwa" href="https://poolwebext.eu.flinchbot.com/ucwa/v1/applications" /><Link token="External/XFrame" href="https://poolwebext.eu.flinchbot.com/Autodiscover/XFrame/XFrame.html" /><Link token="Internal/XFrame" href="https://poolweb.eu.flinchbot.com/Autodiscover/XFrame/XFrame.html" /><Link token="XFrame" 
href="https://poolwebext.eu.flinchbot.com/Autodiscover/XFrame/XFrame.html" /><Link token="Self" href="https://poolwebext.eu.flinchbot.com/Autodiscover/AutodiscoverService.svc/root/user" /></User></AutodiscoverResponse>
</ReceivedResponse>
INFO APPLICATION CUcwaAppSession.cpp/1235:Updating URLs. For Ucwa: discoveredFqdn=https://poolwebext.eu.flinchbot.com, applicationsRelativeUrl=/ucwa/v1/applications, configuredInternal=, configuredExternal=, loc=1, auto-discovery=1
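
The discovery chain above hands the client three URLs that then receive credentials or a web ticket: the User link from step 2, the X-MS-WebTicketURL header from step 4, and the External/Ucwa link from step 11. The following Python is an added example, not code from the original post or from the Lync client; it parses trimmed, constructed copies of those responses and checks each URL against an assumed policy (HTTPS only, host equal to or under the user's SIP domain). The function names and the policy are assumptions for illustration; deployments whose web services live in another domain would need their own allowlist.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples: trimmed copies of the responses logged in steps 2, 4 and 11.
ROOT_XML = (
    '<AutodiscoverResponse AccessLocation="External"><Root>'
    '<Link token="User" href="https://webext.us.flinchbot.com/Autodiscover/'
    'AutodiscoverService.svc/root/user?originalDomain=flinchbot.com" />'
    '</Root></AutodiscoverResponse>')
HEADERS_401 = (
    "HttpHeader:StatusCode 401\n"
    "HttpHeader:X-MS-WebTicketSupported cwt,saml\n"
    "HttpHeader:X-MS-WebTicketURL https://dirpoolwebext.us.flinchbot.com/"
    "WebTicket/WebTicketService.svc\n")
USER_XML = (
    '<AutodiscoverResponse AccessLocation="External"><User>'
    '<Link token="External/Ucwa" href="https://poolwebext.eu.flinchbot.com/'
    'ucwa/v1/applications" /></User></AutodiscoverResponse>')

def links(xml_text):
    """Map each <Link token=...> of an AutodiscoverResponse to its href."""
    return {l.get("token"): l.get("href") for l in ET.fromstring(xml_text).iter("Link")}

def headers(log_text):
    """Parse 'HttpHeader:Name value' lines as the client log writes them."""
    out = {}
    for line in log_text.splitlines():
        if line.startswith("HttpHeader:"):
            name, _, value = line[len("HttpHeader:"):].partition(" ")
            out[name] = value.strip()
    return out

def trusted(url, sip_domain):
    """Assumed policy: https only, host equal to or under the SIP domain."""
    parts = urlsplit(url or "")
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host == sip_domain or host.endswith("." + sip_domain))

def credential_hops(root_xml, headers_401, user_xml, sip_domain):
    """List (hop, url, trusted) for each URL that receives credentials or a ticket."""
    hops = [("user-url", links(root_xml).get("User")),
            ("webticket-url", headers(headers_401).get("X-MS-WebTicketURL")),
            ("ucwa-url", links(user_xml).get("External/Ucwa"))]
    return [(name, url, trusted(url, sip_domain)) for name, url in hops]

if __name__ == "__main__":
    for hop in credential_hops(ROOT_XML, HEADERS_401, USER_XML, "flinchbot.com"):
        print(hop)
```

A hop reported as untrusted (missing header, plain HTTP, or a host outside the SIP domain) is the point at which a capture like the one above deserves a closer look before credentials are submitted.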
