Skip to content

Autodiscover flow in Active Directory based environment | Part 15#36

In the following article, we look “under the hood” of the Autodiscover method that implemented in Active Directory-based environment.
In the Active Directory-based environment, the process in which the Autodiscover client such as Outlook locates available Autodiscover Endpoint performed by addressing the Active Directory as a source of information for available Autodiscover Endpoints (available Exchange servers).

The available Autodiscover methods

Generally speaking, there are two main Autodiscover methods:

  1. Autodiscover in Active Directory environment
  2. Autodiscover methods in a non-Active Directory environment

In case that the user desktop in which the Outlook client is installed configured as a domain member, Outlook will allow start with the Autodiscover process by addressing in the query the local Active Directory.

In case that there is no option to locate the Active Directory, Outlook client will “move on” to the next Autodiscover method (in the next article – Autodiscover flow in an Exchange on-Premises environment | non-Active Directory environment| Part 1#3 | Part 26#36 , we will review in details this method).

Autodiscover process in On-Premise Active Directory environment

Creating a New Outlook mail profile in a domain environment

One of the most prominent features of the Autodiscover process in the On-Premise Active Directory environment is that we can describe this process as fully automated.

In a scenario in which the user desktop configured as a domain member, the only requirement from the user who needs to create a new Outlook mail profile is – just to open Outlook.

After a very short time, all the required settings will be automatically “delivered” to the Outlook client, and the user can access his mailbox and start reading his E-mail and so on.

The only question is – how does this “magic” happen?

The answer is that the Autodiscover was designed to simplify the process of getting the required information (configuration settings) from the “Autodiscover Endpoint” and this process is getting more simplified in an On-Premise Active Directory environment.

In a non-Active Directory environment, when the user needs to create a new Outlook mail profile, the user is required to provide the following details.

  1. User E-mail address
  2. User credentials

In Active Directory environment, the user doesn’t need to provide any details because, in a domain environment, the process is based on the user cache credentials.

  1. Credentials (Username + Password)In an Active Directory environment, because the user has already provided his credentials when he login to the domain, these credentials are automatically sent to the Exchange On-Premise server. (The technical term is cache credentials or Access token)
  2. Provide the user email address
    In a scenario in which the user is the log into the organization domain, the user email address is automatically “pulled” or “extract” from the On-Premise Active Directory user account. In other words: the user who creates the new Outlook mail profile doesn’t need to provide his E-mail address.
  3. Get the required configuration information from the Exchange server
    The process in which Outlook gets the configuration information that needed for creating the new Outlook mail profile is also “happened automatically”.

Outlook query the local Active Directory and ask a list of Exchange CAS server\s.
After getting the name\s of existing Exchange server\s, Outlook will try to connect one Exchange server from the list.

As mentioned the part in which the user will need to provide his E-mail and user credential of the Exchange server implemented automatically.

After the Exchange server to verify the user identity and the Outlook verify the Exchange server’s identity, Exchange sends the Outlook client the required configuration setting using the Autodiscover.xml file.

Configure a new Outlook mail profile in On-Premise Active Directory environment

On-Premise Active Directory as a source for information

One of the most noticeable advantages of the Active Directory is that the Active Directory serves as a “bulletin board” for her client.

Servers who provide a particular service, can register themselves in the Active Directory and by doing so, use the Active Directory as a “board” for the information.

Active Directory clients can address the Active Directory (using LDAP query) and ask for information about a particular service, who is the host who provides the service, etc.

On-Premise Active Directory as a Bulletin board

In our scenario, the Exchange CAS server registers himself in the Active Directory as “entity” that can provide Autodiscover service.

The On-Premise Active Directory allocates a dedicated location (part of the On-Premise Active Directory system partition) for this purpose, by using a folder named- SCP (Service Connection Point).

In the following diagram, we can see an example of this process.
Each time that a new Exchange On-Premise installed, the Exchange On-Premise accesses the Active Directory and, “report about himself.”

Exchange CAS servers register them self automatically at the SCP of the Active Directory

The term – “Autodiscover client”, can be translated to an Autodiscover client such as Outlook that needs to find Autodiscover Endpoint for creating a new Outlook mail profile and for other purposes, but at the same time, the “Autodiscover client” can be “other Exchange server.”

For example, a scenario in which Exchange server from Active Directory Site A, need to get information that is “represented” by an Exchange CAS server in Active Directory Site B.

The Active Directory as a Central market

Physical location of the SCP (Service Connection Point)

To be able to find the “physical path” of the SCP, we can use the Site and Service tools that installed on each of the DC servers.

After you have enabled the “View Services Node” option from the “View” tab, we can see the physical path of the On-Premise Active Directory configuration partition.

The SCP object can be found in AD at the following path:
CN=exchangeserver,CN=Autodiscover,CN=Protocols,CN=exchangeserver,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=org name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com

Active Directory SCP – The properties od Autodiscover Endpoint-02

Each of the Exchange CAS servers has the “Autodiscover folder” and the Autodiscover folder serves as a container for the Autodiscover Endpoint object (a particular Exchange CAS server).

To be able to see the property of a specific Autodiscover Endpoint (in our example ex01), we can right click on the Exchange CAS server name and choose the menu properties.

Active Directory SCP – The properties od Autodiscover Endpoint-02

The property named – ServiceBindingInformation

servicebindinginformation-03

The property named –Keywords, contain the Active Directory site name of a specific Exchange CAS server.

KEYWORD-04

Creating a new Outlook mail profile | The process behind the magic!

In the following section, we will analyze the process of Autodiscover in an Active Directory environment.

Because of the Autodiscover method that implemented in an Active Directory environment, the task of – “creating a new Outlook mail profile” is a very simple task that can be deployed by any user in a matter of seconds.

The real magic is that behind the scenes, the “simple task” is “translated” too sophisticated and smart infrastructure that helps to make this process to appear as “simple and easy”.

Task description

An organization user, get a new desktop, the user double-click on the Outlook icon and after a couple of seconds, Outlook profile was successfully completed, and the user can see his mail, send and receive mail and so on.

In the following section, we will review what was the sequence of events, which led to the above result

Phase 1 – query the local Active Directory

The communication between the Autodiscover client and the Active Directory implemented by using the LDAP protocol.

Step 1 – Client query the local Active Directory

The Autodiscover client (Outlook) creates an LDAP query and addresses the local Active Directory, asking for a list of URL address of existing Autodiscover Endpoint.
In other words – list of available Exchange CAS server\s

Step 2 – Active Directory look at the SCP partition, looking for a value of an attribute named – ServiceBindingInformation

The Active Directory SCP contains a different or a dedicated ServiceBindingInformation

The Exchange CAS server Autodiscover URL, is implemented by using the following format:
https://cas_server.domain/Autodiscover/Autodiscover.xml

The Exchange CAS server name is the internal Exchange server name (FQDN -Fully Qualified Domain Name)

In our example, the internal FQDN of the Exchange CAS server who was registered at the Active Directory SCP is – ex01.0365info.com and the Autodiscover URL will be:
https://ex01.0365info.com/autodiscover/autodiscover.xml

Additional information that the Active Directory “returns” to the Autodiscover client described as – Keywords

The “Keywords” contain information about the Exchange CAS server Active Directory site name.
(The Active Directory site name in which the Exchange CAS server resides).

When the Autodiscover client (Outlook) gets the list from the Active Directory, the Autodiscover client will prefer to address the Exchange CAS server, which has the same Active Directory site value, as the Active Directory site to which the Autodiscover client belongs also.

This method in which the Autodiscover client prefers to contact a particular Exchange CAS server over other Exchange CAS servers described as – Site Affinity

Autodiscover process in Active Directory environment - Phase 1 of 5 - LDAP Query

Phase 2 – query the local DNS server

Step 3 – The Autodiscover client will need to get the internal IP address of the Exchange CAS server. The Autodiscover client connects the internal DNS server. In our example, look for the IP address of the host named – ex01.o365info.lcoal

Step 4 – The DNS server reply (answer) to the DNS query and send the internal IP address of the specified hostname (192.168.1.10 in our example).

Autodiscover process in Active Directory environment - Phase 2 of 5 - DNS Query getting

Phase 3 – Mutual verification process

In this phase, the client (Outlook) and the “server” (the Exchange CAS server) will need to identify each other.

Step 5 – Outlook asks for the Exchange CAS server to prove his identity by providing a certificate.

Step 6 – The Exchange CAS server, send his certificate to the client and the client verifies the Exchange CAS server certificate.

Note – If you want to read more detailed information about the Autodiscover process, certificate and secure communication link, read the article – Autodiscover process and Exchange security infrastructure | Part 20#36

Step 7 – In case that the Exchange certificate is “OK”, the client sends his “identity” (user credentials) to the Exchange CAS server.

Step 8 – In case that the user credentials are correct, the process of mutual authentication and identification is completed.

Autodiscover process in Active Directory environment - Phase 3 of 5 - Mutual authentication and identification process

Phase 4 – communicate the Exchange CAS server using RPC or HTTP/S

Step 9 – the mail client (Outlook) asks from the Autodiscover Endpoint (Exchange CAS server) for the Autodiscover information (the Autodiscover.xml file)

Step 10 – The Exchange server “generate” the configuration file based on the Outlook version software and save it to a file named – Autodiscover.xml

Autodiscover process in Active Directory environment - Phase 4 of 5 - Requesting autodiscover.xml file

Step 11 – Outlook client gets the configuration file and create a new Outlook mail profile that includes all the required configuration settings.

Autodiscover process in Active Directory environment - Phase 5 of 5 - Creating the new Outlook mail profile

Autodiscover in the Active Directory environment a diagram representation

In the following diagram, we can see a representation of the “decision-making table” of the client that relates to the Autodiscover process.

We will not go into all the details in the diagram, but instead, I will just recap and emphasize some part of the Autodiscover process in an Active Directory environment.

Autodiscover client decision workflow - On-Premises Active directory environment - Part 1 of 2

Step 1 – the Autodiscover method is entirely dependent on the information that supposed to registered in the SCP partition in the Active Directory.

In other words, the Active Directory is the “information source authority” for providing the Autodiscover client information about available Autodiscover Endpoints.

Step 2 – in case that the Exchange organization includes more than one Exchange CAS server, the answer that will the Autodiscover client gets to include a list of “optional Autodiscover Endpoints”.

The Autodiscover client will need to implement some method for choosing the most “appropriate” Autodiscover Endpoint for him.

This approach described as “site affinity”. The Autodiscover client will “prefer” Autodiscover Endpoint that located in the same Active Directory as he.

Note: The term “located at the same Active Directory site as he” is not accurate because, in some scenarios, we can “register” a specific Exchange CAS server as an Exchange server the “belong” to a particular Active Directory while the Exchange CAS server physical location is at the Active Directory site.

Step 3 and Step 4.1 – in case that the Autodiscover client gets a list of available Autodiscover Endpoint, the client will try to communicate the “first Autodiscover Endpoint” and if the Autodiscover Endpoint is not an available, “move” to the next Autodiscover Endpoint in the list and so on.

Autodiscover client decision workflow - On-Premises Active directory environment - Part 2 of 2

Step 5.1, 5.2, 5.3 and step 6, are steps that need to successfully complete before starting the phase in which the Autodiscover Endpoint provides the desired information to his Autodiscover client.

The Autodiscover Endpoint must be sure that the Autodiscover Endpoint can be trusted, and vice versa – the Autodiscover Endpoint must identify the Autodiscover client.

Step 7 – the Autodiscover Endpoint (Exchange CAS server) generates the required information (Autodiscover response) and sends it to the Autodiscover client (Outlook).

Step 8 – this is the “happy end phase” in which, the Outlook client “take” the information and use it for creating a new Outlook mail profile.

o365info Team

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *