Wednesday, August 10, 2005

OMA 2003 Logon Process

Here is a very good explanation of the Outlook Mobile Access logon process provided by Tim Hackbart at You Had Me At EHLO...

This post will go into the steps that happen during the OMA 2003 logon process. As I work in Support Services, I get to explain this a lot so I wanted to share it. The general flow goes like this:

User Information in our example:

Domain Account: Contoso\Administrator

Exchange Alias: Administrator

Proxy Address: SMTP:administrator@contoso.com

Step 1.

- The user browses to:

     http://fe.contoso.com/OMA

and provides valid domain credentials, in our case “contoso\administrator”.

NOTE: It is recommended that you Require SSL on the OMA virtual directory.

Step 2.

IIS then authenticates and authorizes the user with a Domain Controller. For more information on IIS Authentication and Authorization, go to www.iiswebcastseries.com

Step 3.

- The OMA ASP.NET framework then uses the SID that IIS got to find the user and determine the NetBIOS name of the back-end server for that user:

<Entering FindUserViaCreds>

<m_ExchangeServer=='BE'>

Next, OMA verifies that OMA is enabled globally and for that specific user:

<AdminWirelessEnable='0'>

Then OMA determines which SMTP domain we are servicing:

<Default domain from metabase = 'contoso.com'>

OMA then checks to see if there is an Alternate Exchange Virtual Directory set. If none is set, we default to “Exchange”:

<Returning alternate Exchange virtual directory value: ''>

OMA will then find the user's alias from the user's ProxyAddresses entry that matches the SMTP domain it is serving:

<proxy='SMTP:Administrator@contoso.com'>

Then comes the most crucial step: OMA builds the HTTP URL that it will use to access the user's mailbox on their back-end server. OMA uses the data it has collected to build the URL in the following manner:

http://ExchangeServer/ExchangeVirtualDirectory/Alias

In our case:

<m_baseFolder.URL='http://BE/Exchange/Administrator/'>

This exact HTTP URL is then sent to the user's back-end server.

Step 4.

OMA sends the URL it built to the BE server, in our case http://BE/Exchange/Administrator/

Step 5.

The URL sent by OMA, “http://BE/Exchange/Administrator/”, is then picked up by Davex.dll as an EXPLICIT OWA request. See KB812220 for more info.

NOTES:

OMA will FAIL if SSL is REQUIRED on the Exchange virtual directories it tries to access, with or without FBA enabled.

OMA will work with Forms Based Authentication as OMA does NOT need Integrated Authentication/Kerberos.

If the Exchange virtual directory is set to require SSL, then you must create an alternate Exchange virtual directory for OMA to use and NOT require SSL on that virtual directory. See KB817379 for more on that!
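To make the Step 3 URL construction and the SSL caveat in the NOTES concrete, here is a small model of the logic as an added example. It is not code from the original post, nor from Exchange or OMA itself; every class, field and function name (OmaConfig, MailboxUser, select_alias, build_backend_url, ssl_config_problems, vdirs_requiring_ssl) is an assumption made for this illustration, and the sample user data is constructed to mirror the post's example.

```python
# Added example (not from the original post or from Exchange): a model of how
# OMA 2003 assembles the back-end mailbox URL from the data collected in
# Step 3, plus a check for the SSL misconfiguration described in the NOTES.
# All class, field and function names are constructed for this illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence


@dataclass
class OmaConfig:
    """Global OMA-relevant settings (constructed names, not Exchange's own)."""
    oma_enabled_globally: bool
    default_smtp_domain: str                           # "Default domain from metabase"
    alternate_exchange_vdir: str = ""                  # '' => fall back to "Exchange"
    vdirs_requiring_ssl: FrozenSet[str] = frozenset()  # vdirs with IIS "Require SSL" on


@dataclass
class MailboxUser:
    """The per-user attributes OMA looks up after IIS has authenticated the SID."""
    proxy_addresses: Sequence[str]   # e.g. "SMTP:Administrator@contoso.com"
    backend_server: str              # NetBIOS name of the mailbox server, e.g. "BE"
    oma_enabled: bool = True         # per-user OMA enablement


def select_alias(proxy_addresses: Sequence[str], smtp_domain: str) -> Optional[str]:
    """Return the local part of the user's SMTP proxy address in smtp_domain.

    A primary address (uppercase 'SMTP:' prefix) wins over a secondary one
    (lowercase 'smtp:'); X400 and other non-SMTP proxies are ignored.
    """
    primary = secondary = None
    for proxy in proxy_addresses:
        prefix, sep, address = proxy.partition(":")
        if not sep or prefix.lower() != "smtp" or "@" not in address:
            continue
        local, _, domain = address.rpartition("@")
        if domain.lower() != smtp_domain.lower():
            continue
        if prefix == "SMTP" and primary is None:
            primary = local
        elif prefix != "SMTP" and secondary is None:
            secondary = local
    return primary if primary is not None else secondary


def exchange_vdir(cfg: OmaConfig) -> str:
    """Alternate Exchange virtual directory if one is set, otherwise 'Exchange'."""
    return cfg.alternate_exchange_vdir or "Exchange"


def build_backend_url(cfg: OmaConfig, user: MailboxUser) -> str:
    """http://<BackEndServer>/<ExchangeVirtualDirectory>/<Alias>/ as in Step 3."""
    if not cfg.oma_enabled_globally:
        raise PermissionError("OMA is disabled globally")
    if not user.oma_enabled:
        raise PermissionError("OMA is disabled for this user")
    alias = select_alias(user.proxy_addresses, cfg.default_smtp_domain)
    if alias is None:
        raise LookupError(f"no SMTP proxy address in domain {cfg.default_smtp_domain}")
    # OMA talks plain HTTP to the back end; the URL it builds never uses https://.
    return f"http://{user.backend_server}/{exchange_vdir(cfg)}/{alias}/"


def ssl_config_problems(cfg: OmaConfig) -> List[str]:
    """Flag the condition the NOTES call out: the virtual directory OMA will
    actually use has Require SSL turned on, so its plain-HTTP request fails."""
    problems = []
    vdir = exchange_vdir(cfg)
    if vdir in cfg.vdirs_requiring_ssl:
        if cfg.alternate_exchange_vdir:
            problems.append(f"alternate vdir '{vdir}' requires SSL; OMA will fail")
        else:
            problems.append("'Exchange' vdir requires SSL and no alternate vdir is set; "
                            "create one without Require SSL (see KB817379)")
    return problems


if __name__ == "__main__":
    # Constructed data mirroring the post's example user.
    cfg = OmaConfig(oma_enabled_globally=True, default_smtp_domain="contoso.com")
    admin = MailboxUser(
        proxy_addresses=["X400:c=US;a= ;p=Contoso;o=Exchange;s=Administrator;",
                         "smtp:admin@contoso.com",
                         "SMTP:Administrator@contoso.com"],
        backend_server="BE",
    )
    print(build_backend_url(cfg, admin))   # http://BE/Exchange/Administrator/
    broken = OmaConfig(True, "contoso.com", vdirs_requiring_ssl=frozenset({"Exchange"}))
    print(ssl_config_problems(broken))
```

The check in ssl_config_problems is the one worth running before a deployment: it is only the directory OMA ends up using (the alternate one if configured, otherwise "Exchange") that must not require SSL, which is why the NOTES say to create an alternate directory rather than to relax SSL on the default one.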
