Page 1 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

Autodiscover flow in Active Directory based environment | Part 15#36

In the following article, we look under the hood of the Autodiscover method that
is implemented in Active Directory-based environment. In the Active Directorybased environment, the process in which the Autodiscover client such as Outlook
locates available Autodiscover Endpoint, is implemented by addressing the Active
Directory as a source of information for available Autodiscover Endpoints (available
Exchange servers).

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 2 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

The available Autodiscover methods

Generally speaking, there are two main Autodiscover methods:
1. Autodiscover in Active Directory environment
2. Autodiscover methods in a non-Active Directory environment
In case that the user desktop in which the Outlook client is installed configured as a
domain member, Outlook will allow start with the Autodiscover process by
addressing in the query the local Active Directory.
In case that there is no option to locate the Active Directory, Outlook client will
move on to the next Autodiscover method (in the next article Autodiscover flow
in an Exchange on-Premises environment | non-Active Directory environment| Part
1#3 | Part 26#36 , we will review in details this method).

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 3 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

Creating a New Outlook mail profile in a domain environment

One of the most prominent features of the Autodiscover process in the On-Premise
Active Directory environment is, that we can describe this process as fully
automated.
In a scenario in which the user desktop configured as a domain member, the only
requirement from the user who needs to create a new Outlook mail profile is just
to open Outlook.
After a very short time, all the required settings will be automatically delivered to
the Outlook client and the user can access his mailbox and start reading his E-mail
and so on.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 4 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

The only question is how does this magic happened?

The answer is that the Autodiscover was designed to simplify the process of getting
the required information (configuration settings) from the Autodiscover Endpoint
and this process is getting more simplified in an On-Premise Active Directory
environment.
In a non-Active Directory environment, when the user needs to create a new
Outlook mail profile, the user is required to provide the following details.
1. User E-mail address
2. User credentials
In Active Directory environment, the user doesnt need to provide any details
because, in a domain environment, the process is based on the user cache
credentials.
1. Credentials (Username + Password)In an Active Directory environment,
because the user has already provided his credentials when he login to
the domain, these credentials are automatically sent to the Exchange OnPremise server. (The technical term is cache credentials or Access token)

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 5 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

2. Provide the user email address

In a scenario in which the user is the log into the organization domain, the
user email address is automatically pulled or extract from the OnPremise Active Directory user account. In other words: the user who
creates the new Outlook mail profile doesnt need to provide his E-mail
address.
3. Get the required configuration information from the Exchange server
The process in which Outlook gets the configuration information that are
needed for creating the new Outlook mail profile is also happened
automatically.
Outlook query the local Active Directory and ask a list of Exchange CAS server\s.
After getting the name\s of existing Exchange server\s, Outlook will try to connect
one Exchange server from the list.
As mentioned the part in which the user will need to provide his E-mail and user
credential of the Exchange server is implemented automatically.
After the Exchange server to verify the user identity and the Outlook verifies the
Exchange servers identity, Exchange sends to the Outlook client the required
configuration setting using the Autodiscover.xml file.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 6 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

On-Premise Active Directory as a source for

information
One of the most noticeable advantages of the Active Directory is that the Active
Directory serves as a bulletin board for her client.
Servers who provide a specific service, can register themselves in the Active
Directory and by doing so, use the Active Directory as a board for the information.
Active Directory clients can address the Active Directory (using LDAP query) and ask
for information about a specific service, who is the host who provides the service,
etc.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 7 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

In our scenario, the Exchange CAS server registers himself in the Active Directory as
entity that can provide Autodiscover service.
The On-Premise Active Directory allocates a dedicated location (part of the OnPremise Active Directory system partition) for this purpose, by using a folder
named- SCP (Service Connection Point).
In the following diagram, we can see an example of this process.
Each time that a new Exchange On-Premise is installed, the Exchange On-Premise
accesses the Active Directory and, report about himself

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 8 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

The term Autodiscover client, can be translated to an Autodiscover client such as

Outlook that needs to find Autodiscover Endpoint for creating a new Outlook mail
profile and for other purposes, but at the same time, the Autodiscover client can
be other Exchange server.
For example, a scenario in which Exchange server from Active Directory Site A need
to get information that is represented by an Exchange CAS server in Active
Directory Site B.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 9 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

Physical location of the SCP (Service Connection Point)

To be able to find the physical path of the SCP, we can use the Site and Service
tools that installed on each of the DC servers.
After you have enabled the View Services Node option from the View tab, we can
see the physical path of the On-Premise Active Directory configuration partition.
The SCP object can be found in AD at the following path:
CN=exchangeserver,CN=Autodiscover,CN=Protocols,CN=exchangeserver,CN=Servers,CN=
Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=org
name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 10 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

Each of the Exchange CAS servers has the Autodiscover folder and the
Autodiscover folder serves as a container for the Autodiscover Endpoint object (a
specific Exchange CAS server).
To be able to see the property of a specific Autodiscover Endpoint (in our example
ex01), we can right click on the Exchange CAS server name and choose the
menu properties.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 11 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

The property named ServiceBindingInformation

The property named Keywords, contain the Active Directory site name of a specific
Exchange CAS server.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 12 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

Creating a new Outlook mail profile | The process

behind the magic!
In the following section, we will analyze the process of Autodiscover in an Active
Directory environment.
Because of the Autodiscover method that is implemented in an Active Directory
environment, the task of creating a new Outlook mail profile is a very simple
task that can be implemented by any user in a matter of seconds.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 13 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

The real magic is that behind the scenes, the simple task is translated too
complex and smart infrastructure that helps to make this process to appear as
simple and easy.

Task description
An organization user, get a new desktop, the user double-click on the Outlook icon
and after a couple of seconds, Outlook profile was successfully completed and the
user can see his mail, send and receive mail and so on.
In the following section, we will review what was the sequence of events, which led
to the above result
Phase 1 query the local Active Directory
The communication between the Autodiscover client and the Active Directory is
implemented by using the LDAP protocol.
Step 1 Client query the local Active Directory

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 14 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

The Autodiscover client (Outlook) creates an LDAP query and addresses the local
Active Directory, asking for a list of URL address of existing Autodiscover Endpoint.
In other words list of available Exchange CAS server\s
Step 2 Active Directory look at the SCP partition, looking for a value of an attribute
named ServiceBindingInformation
The Active Directory SCP contains a different or a
dedicated ServiceBindingInformation
The Exchange CAS server Autodiscover URL, is implemented by using the following
format:
https://cas_server.domain/Autodiscover/Autodiscover.xml
The Exchange CAS server name, is the internal Exchange server name (FQDN -Fully
Qualified Domain Name)
In our example, the internal FQDN of the Exchange CAS server who was registered
at the Active Directory SCP is ex01.0365info.com and the Autodiscover URL will be:
https://ex01.0365info.com/autodiscover/autodiscover.xml
Additional information that the Active Directory returns to the Autodiscover client
described as Keywords
The Keywords contain information about the Exchange CAS server Active
Directory site name.
(The Active Directory site name in which the Exchange CAS server resides).
When the Autodiscover client (Outlook) gets the list from the Active Directory, the
Autodiscover client will prefer to address the Exchange CAS server, that has the
same Active Directory site value, as the Active Directory site to which the
Autodiscover client belongs also.
This method in which the Autodiscover client prefers to contact a specific Exchange
CAS server over other Exchange CAS servers described as Site Affinity

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 15 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

Phase 2 query the local DNS server

Step 3 The Autodiscover client will need to get the internal IP address of the
Exchange CAS server. The Autodiscover client connects the internal DNS server. In
our example, look for the IP address of the host named ex01.o365info.lcoal
Step 4 The DNS server reply (answer) to the DNS query and send the internal IP
address of the specified host name (192.168.1.10 in our example).

Phase 3 Mutual verification process

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 16 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

In this phase, the client (Outlook) and the server (the Exchange CAS server) will
need to identify each other.
Step 5 Outlook asks for the Exchange CAS server to prove his identity by
providing a certificate.
Step 6 The Exchange CAS server, send his certificate to the client and the client
verifies the Exchange CAS server certificate.
Note If you want to read more detailed information about the Autodiscover
process, certificate and secure communication link, read the article Autodiscover
process and Exchange security infrastructure | Part 20#36
Step 7 In case that the Exchange certificate is OK, the client sends his identity
(user credentials) to the Exchange CAS server.
Step 8 In case that the user credentials are correct, the process of mutual
authentication and identification is completed.

Phase 4 communicate the Exchange CAS server using RPC or HTTP/S

Step 9 the mail client (Outlook) asks from the Autodiscover Endpoint (Exchange
CAS server) for the Autodiscover information (the Autodiscover.xml file)

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 17 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

Step 10 The Exchange server generate the configuration file based on the
Outlook version software and save it to a file named Autodiscover.xml

Step 11 Outlook client gets the configuration file and create a new Outlook mail
profile that includes all the required configuration settings.

Autodiscover in the Active Directory environment a

diagram representation
Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 18 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

In the following diagram, we can see a representation of the decision-making

table of the client that relates to the Autodiscover process.
We will not go into all the details in the diagram, but instead, I will just recap and
emphasize some part of the Autodiscover process in an Active Directory
environment.

Step 1 the Autodiscover method is fully dependent on the information that

supposed to be registered in the SCP partition in the Active Directory.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 19 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

In other words, the Active Directory is the information source authority for
providing the Autodiscover client information about available Autodiscover
Endpoints.
Step 2 in case that the Exchange organization includes more than one Exchange
CAS server, the answer that will the Autodiscover client gets to include a list of
optional Autodiscover Endpoints.
The Autodiscover client will need to implement some method for choosing the
most appropriate Autodiscover Endpoint for him.
This method described as site affinity. The Autodiscover client will prefer
Autodiscover Endpoint that is located in the same Active Directory as he.
Note the term located at the same Active Directory site as he is not accurate
because, in some scenarios, we can register a specific Exchange CAS server as an
Exchange server the belong to a specific Active Directory while the Exchange CAS
server physical location is at the Active Directory site.
Step 3 and step 4.1 in case that the Autodiscover client gets a list of available
Autodiscover Endpoint, the client will try to communicate the first Autodiscover
Endpoint and if the Autodiscover Endpoint is not an available, move to the next
Autodiscover Endpoint in the list and so on.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 20 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

Step 5.1, 5.2, 5.3 and step 6, are steps that need to be successfully completed
before starting the phase in which the Autodiscover Endpoint provides the desired
information to his Autodiscover client.

Written by Eyal Doron | o365info.com | Copyright 2012-2015

Page 21 of 21 | Autodiscover flow in Active Directory based environment | Part 15#36

The Autodiscover Endpoint, must be sure that the Autodiscover Endpoint can be
trusted and vice versa the Autodiscover Endpoint must identify the Autodiscover
client.
Step 7 the Autodiscover Endpoint (Exchange CAS server) generates the required
information (Autodiscover response) and sends it to the Autodiscover client
(Outlook).
Step 8 this is the happy end phase in which, the Outlook client take the
information and use it for creating a new Outlook mail profile.

Written by Eyal Doron | o365info.com | Copyright 2012-2015