1.5 Prerequisites/Preconditions

This protocol facilitates the issuance of X.509 v3 certificates (2). A server implementation of the protocol requires the functionality of a certification authority (CA), capable of interpreting requests in PKCS#10, as described in [RFC2986], and generating the appropriate certificate (2).

Protocol clients are required to be able to understand PKCS#7 format, as described in [RFC2315] and [RFC5652], and X.509 v3 certificate (2) format, as described in [RFC5280], which are used by the server to send the certificate chain and the certificate (2).

A protocol client needs to retrieve the Web Ticket Service URL before using this protocol. The two ways for the client to do so are shown in the figures in section 1.3.1.1. If the client retrieves it from a Web service, the URL ought to be read from the metadata document of a participating Web service, from the wsp:Policy/sp:IssuedToken/sp:Issuer/wsa10:Address element associated with the service's binding that accepts a Web ticket, as described in [WSSP1.2-2012] and [WS-MetaDataExchange]. If the client retrieves it from a non-Web service, the Web application is required to return it in a 401 response in an HTTP header extension named X-MS-WebTicketURL, as described in [MS-OCDISCWS].

To use the Authentication Broker Service, a protocol client needs to retrieve the Internal/External AuthBroker Service URL, which is included as part of the User type in the response of the Lync Autodiscover Web Service [MS-OCDISCWS]. A sample response follows.

<AutodiscoverResponse AccessLocation="Internal" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <User>
    <Link token="Internal/Autodiscover" href="https://pool1.contoso.com/Autodiscover/AutodiscoverService.svc/root"/>
    <Link token="Internal/AuthBroker" href="https://pool1.contoso.com/Reach/sip.svc"/>
    <Link token="Internal/Ucwa" href="https://pool1.contoso.com/Ucwa/discovery"/>
    <Link token="External/Autodiscover" href="https://pool1external.contoso.com/Autodiscover/AutodiscoverService.svc/root"/>
    <Link token="External/AuthBroker" href="https://pool1external.contoso.com/Reach/sip.svc"/>
    <Link token="External/Ucwa" href="https://pool1external.contoso.com/Ucwa/discovery"/>
    <Link token="Internal/Mcx" href="https://pool1.contoso.com/Mcx/McxService.svc"/>
    <Link token="External/Mcx" href="https://pool1external.contoso.com/Mcx/McxService.svc"/>
  </User>
</AutodiscoverResponse>
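
An added example, not part of the specification: one way a client could extract the AuthBroker Service URL from the Autodiscover response above and check it before sending credentials to it. The function name, the `allowed_suffix` policy parameter and the https-only rule are assumptions of this example; the embedded XML is a constructed, trimmed copy of the sample response.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the Autodiscover response above.
SAMPLE = """<AutodiscoverResponse AccessLocation="Internal">
  <User>
    <Link token="Internal/AuthBroker" href="https://pool1.contoso.com/Reach/sip.svc"/>
    <Link token="External/AuthBroker" href="https://pool1external.contoso.com/Reach/sip.svc"/>
    <Link token="Internal/Ucwa" href="https://pool1.contoso.com/Ucwa/discovery"/>
  </User>
</AutodiscoverResponse>"""


def _local(tag):
    """Strip an XML namespace, if any, so matching works on local names."""
    return tag.rsplit("}", 1)[-1]


def auth_broker_url(xml_text, allowed_suffix, location=None):
    """Return the AuthBroker href for location ("Internal" or "External").

    With location=None the response's AccessLocation attribute decides.
    allowed_suffix is a hypothetical client-side policy (not from the
    specification): the DNS suffix the discovered host must fall under.
    Raises ValueError when the link is missing, duplicated, not https,
    carries userinfo, or points outside allowed_suffix.
    """
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "AutodiscoverResponse":
        raise ValueError("not an AutodiscoverResponse")
    location = location or root.get("AccessLocation")
    if location not in ("Internal", "External"):
        raise ValueError("unknown access location")
    wanted = location + "/AuthBroker"
    hrefs = [link.get("href")
             for user in root if _local(user.tag) == "User"
             for link in user
             if _local(link.tag) == "Link" and link.get("token") == wanted]
    if len(hrefs) != 1 or not hrefs[0]:
        raise ValueError("expected exactly one %s link" % wanted)
    parts = urlsplit(hrefs[0])
    if parts.scheme != "https" or parts.username or parts.password:
        raise ValueError("AuthBroker URL must be https without userinfo")
    host = (parts.hostname or "").lower()
    suffix = allowed_suffix.lower().lstrip(".")
    # Compare on a label boundary so "contoso.com.example.net" is rejected.
    if host != suffix and not host.endswith("." + suffix):
        raise ValueError("AuthBroker host outside " + suffix)
    return hrefs[0]
```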