[MS-OXCSTOR] 2.2.1.1.1 - RopLogon input buffer question

  • Question

  • I recently got a bug report from a customer using our man-in-the-middle Exchange RPC monitoring product.

    The issue turned out to be that I save the ESSDN from the RopLogon request, and when processing subsequent RPC requests use that essdn in an LDAP search like "ldapExchangeDN=<essdn>" to find the mailbox owner account.  This search fails for the customer in question because the ESSDN passed in the RopLogon request is actually the X500 emailAddresses AD attribute value for the account, and NOT the legacyExchangeDN attribute. They have different CNs for the X500 email address and the legacyExchangeDN, which exposed the problem.

    MS-OXCSTOR currently says (or at least implies) that this is the legacyExchangeDN by using the phrase "... using the legacy distinguished name (DN) attribute that is obtained by using the Autodiscover Publishing and Lookup Protocol".  I'm not familiar with that protocol and its explanation of legacyDN seems similarly ambiguous to me, but the Outlook client in this case was definitely not passing the AD legacyExchangeDN value.

    Some further explanation of acceptable ESSDN format would be helpful in the RopLogon spec. What I need to know at this time is, does RopLogon allow ONLY an AD X500 email address, or does it allow EITHER the X500 address or the legacyExchangeDN?

    Thanks,

    John Lowery

    Tuesday, February 14, 2012 7:08 PM

Answers

  • Hi John,

    Thank you for bringing this to our attention. In MS-OXCROPS 2.2.3.1.1 RopLogon ROP Request Buffer (v20120122) there is a reference to MS-OXCSTOR where Essdn is discussed further, but it still may not be adequate. The behavior that you observed is documented in MS-OXLDAP 2.2.3.2 Exchange Distinguished Name, and 2.2.3.4 Proxy Addresses.
    I filed a request with the documentation team to add references to the documents.
     
    Thanks, Vilmos

    Friday, March 2, 2012 8:18 PM

All replies

  • John,

    Thank you for your question regarding MS-OXCSTOR RopLogon. One of our engineers will follow up with you soon.

    Thanks,

    Edgar

    Tuesday, February 14, 2012 7:56 PM
  • Thank you for the reply.

    One correction, the ESSDN in the RopLogon request was the X500 value of the AD multi-valued "proxyAddresses" attribute. The "EmailAddresses" name is how the powershell "Get-Mailbox <user-id> | fl" command shows it.

    Further investigation here indicates that IF an X500 value is present in the proxyAddresses attribute of the mailbox owner account, then Outlook uses it in the RopLogon request. If not, the legacyExchangeDN attribute value is used.

    Thanks again,

    John Lowery

    Tuesday, February 14, 2012 10:04 PM
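The lookup the thread describes, written out as an added example (this is not code from the thread, from Microsoft's documentation, or from any Exchange component). It resolves the mailbox owner for an ESSDN that may be either the account's legacyExchangeDN or the value of an X500: proxy address, as John's posts describe, and it escapes the ESSDN before building the LDAP filter, because that value arrives from the client's RopLogon request and should not be pasted into a filter verbatim. The directory entries are constructed, the in-memory matcher stands in for the LDAP search the filter would be sent to, and case-insensitive matching is an assumption about AD's string matching rules, not something the thread states.

```python
# Added example (not from the thread, nor Microsoft's or Exchange's code):
# resolving the mailbox owner from the ESSDN carried in a RopLogon request.
# The directory entries below are constructed, and the in-memory match
# stands in for the LDAP search the filter would be sent to.
from typing import Optional

X500_PREFIX = "x500:"


def escape_ldap_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    The ESSDN comes straight from the client's RopLogon request, so it is
    attacker-controlled input: interpolating it unescaped (as in
    "legacyExchangeDN=<essdn>") lets a crafted ESSDN rewrite the filter.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()":
            escaped.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            escaped.append("\\00")
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_owner_filter(essdn: str) -> str:
    """Filter matching either attribute the thread says Outlook may send:
    the legacyExchangeDN, or an X500: value of proxyAddresses."""
    v = escape_ldap_filter_value(essdn)
    return f"(|(legacyExchangeDN={v})(proxyAddresses=X500:{v}))"


# Constructed sample entries. 'alice' has an X500 proxy address whose CN
# differs from her legacyExchangeDN, the case that exposed the bug.
DIRECTORY = [
    {
        "sAMAccountName": "alice",
        "legacyExchangeDN": "/o=Contoso/ou=Exchange Administrative Group"
        " (FYDIBOHF23SPDLT)/cn=Recipients/cn=alice",
        "proxyAddresses": [
            "SMTP:alice@contoso.com",
            "X500:/o=OldOrg/ou=First Administrative Group"
            "/cn=Recipients/cn=alice.migrated",
        ],
    },
    {
        "sAMAccountName": "bob",
        "legacyExchangeDN": "/o=Contoso/ou=Exchange Administrative Group"
        " (FYDIBOHF23SPDLT)/cn=Recipients/cn=bob",
        "proxyAddresses": ["SMTP:bob@contoso.com"],
    },
]


def client_essdn(entry: dict) -> str:
    """Selection rule observed in the thread: Outlook sends the X500 proxy
    address when the account has one, otherwise the legacyExchangeDN."""
    for addr in entry.get("proxyAddresses", []):
        if addr[:5].casefold() == X500_PREFIX:
            return addr[5:]
    return entry["legacyExchangeDN"]


def lookup_by_legacy_dn_only(essdn: str, directory=DIRECTORY) -> Optional[str]:
    """The original, failing search: legacyExchangeDN alone."""
    for entry in directory:
        if entry["legacyExchangeDN"].casefold() == essdn.casefold():
            return entry["sAMAccountName"]
    return None


def find_mailbox_owner(essdn: str, directory=DIRECTORY) -> Optional[str]:
    """In-memory equivalent of searching with build_owner_filter().
    Matching is case-insensitive, which is assumed here for AD's matching
    rules on these attributes (not something the thread states)."""
    needle = essdn.casefold()
    for entry in directory:
        if entry["legacyExchangeDN"].casefold() == needle:
            return entry["sAMAccountName"]
        for addr in entry.get("proxyAddresses", []):
            if addr[:5].casefold() == X500_PREFIX and addr[5:].casefold() == needle:
                return entry["sAMAccountName"]
    return None


if __name__ == "__main__":
    for entry in DIRECTORY:
        essdn = client_essdn(entry)
        print(build_owner_filter(essdn))
        print("legacyExchangeDN only:", lookup_by_legacy_dn_only(essdn),
              "| either attribute:", find_mailbox_owner(essdn))
```

Running it shows the failure mode from the first post: for the account with an X500 proxy address, the legacyExchangeDN-only search returns nothing, while the filter that also matches `proxyAddresses=X500:<essdn>` finds the owner. The escaping step is the part worth keeping even if the attribute problem never bites you; the ESSDN is untrusted input and `(`, `)`, `*` and `\` inside it would otherwise change the filter's meaning.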
  • Hi John Lowery,

    I am the engineer who will be working with you on this issue. I am currently researching the problem and will provide you with an update soon.

    Regards,
    Vilmos Foltenyi - MSFT

    Wednesday, February 15, 2012 5:43 PM
  • Hi, Vilmos

    I was able to verify using a debugger in the lab that, when they're different, replacing the legacyExchangeDN value with the X500 proxyAddresses value for the ESSDN in a RopLogon request is accepted by Exchange Server.

    Thanks,

    John

    Thursday, February 16, 2012 2:24 PM
  • Hi, Vilmos

    I haven't seen any recent activity on this, but have resolved our problem as described in my last reply.

    May I make a suggestion? A note in the MS-OXCSTOR and possibly MS-OXCRPC Product Behavior Appendices that describes how the Exchange RopLogon implementations process the ESSDN parameter (legacyExchangeDN, proxyAddresses values with X500 prefixes, etc.) would have been useful to me and might be useful to others.

    Thanks,

    John

    Wednesday, February 29, 2012 5:25 PM