
I have a Skype for Business account called art@shockw4ves.onmicrosoft.com and I'm trying to get authorization.

  1. My first request is to the lyncdiscover service
GET https://lyncdiscover.shockw4ves.onmicrosoft.com/

Answer:

{
  "_links": {
    "self": {
      "href": "https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=shockw4ves.onmicrosoft.com"
    },
    "user": {
      "href": "https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=shockw4ves.onmicrosoft.com"
    },
    "xframe": {
      "href": "https://webdir1e.online.lync.com/Autodiscover/XFrame/XFrame.html"
    }
  }
}
  2. Then I take the user link and do the next request
GET https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=shockw4ves.onmicrosoft.com

Answer: 401 Unauthorized

Cache-Control → no-cache
Content-Length → 1293
Content-Type → text/html
Date → Wed, 30 Sep 2015 11:16:37 GMT
WWW-Authenticate → 
    Bearer trusted_issuers="00000001-0000-0000-c000-000000000000@*", 
    client_id="00000004-0000-0ff1-ce00-000000000000", 
    authorization_uri="https://login.windows.net/common/oauth2/authorize", 
    MsRtcOAuth 
    href="https://webdir1e.online.lync.com/WebTicket/oauthtoken",
    grant_type="urn:microsoft.rtc:passive,urn:microsoft.rtc:anonmeeting"
X-Content-Type-Options → nosniff
X-MS-Correlation-Id → 2147499790
X-MS-Server-Fqdn → AMS1E01EDG08.infra.lync.com
client-request-id → ea4f5098-732f-4feb-ae34-cf6ff7fc1a73
  3. This response contains my credential data. I take the authorization URI and do my next request
POST https://login.windows.net/common/oauth2/authorize

body of x-www-form-urlencoded:

grant_type=password
username=art@shockw4ves.onmicrosoft.com
password=xxxxxxxxxx
client_id=00000004-0000-0ff1-ce00-000000000000

Answer:

<html>
    <head>
        <title>Continue</title>
    </head>
    <body>
        <form method="POST" name="hiddenform" action="https://login.microsoftonline.com/common/oauth2/authorize">
            <input type="hidden" name="grant_type" value="password" />
            <input type="hidden" name="username" value="art@shockw4ves.onmicrosoft.com" />
            <input type="hidden" name="password" value="xxxxxxxxx" />
            <input type="hidden" name="client_id" value="00000004-0000-0ff1-ce00-000000000000" />
            <noscript>
                <p>Script is disabled. Click Submit to continue</p>
                <input type="submit" value="Submit" />
            </noscript>
        </form>
        <script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>
    </body>
</html>
  4. I copy this HTML form and run it in a browser. It redirects to https://login.microsoftonline.com/common/oauth2/authorize and opens a page with the error text:
Sign In
Sorry, but we’re having trouble signing you in.
We received a bad request.

Additional technical information:
Correlation ID: 0669eee8-0dc5-4aa1-a94d-41e5bbc2f25d
Timestamp: 2015-09-30 14:06:30Z
AADSTS50011: No reply address is registered for the application.

What am I doing wrong? I also tested with:

grant_type=password 
grant_type="urn:microsoft.rtc:passive,urn:microsoft.rtc:anonmeeting"  
grant_type="urn:microsoft.rtc:windows,urn:microsoft.rtc:anonmeeting,password"

What does the error "No reply address is registered for the application" mean?

BastianW
artem testerov

1 Answer


There are a few problems. The second step's 401 response contains a WWW-Authenticate header with grant_type="urn:microsoft.rtc:passive,urn:microsoft.rtc:anonmeeting" which means authentication is only allowed via passive or anonmeeting. In step 3 the request is trying to use an unsupported grant type, password.

The account in question looks/feels like it is associated with Office365/Lync Online which means there isn't any current support for UCWA. Even if this was supported you would need to be looking at how to authenticate using passive authentication, Authentication in UCWA, which is not well documented right now.

ShelbyZ
  • Great, thank you Shelby for the answer! Ok, I'll try to do this through passive authentication. Do I need to configure Azure settings for this? – artem testerov Oct 01 '15 at 18:11
  • I receive error `The user is not signed in with WS Federation Passive credentials.`. What credentials other than grant_type, username, password? – artem testerov Oct 01 '15 at 18:17
  • What about servers other than https://webdir1e.online.lync.com? For example https://webdir.nnylync.info/ in this post http://blogs.technet.com/b/poptart/archive/2015/02/09/ucwa-signin-fails-while-seeing-http-options-request.aspx – artem testerov Oct 01 '15 at 18:30
  • You would need to create an application entry in Azure AD associated with https://login.windows.net/common/oauth2/authorize and have the redirect URI pointed at the local web application. That web application should pull out the data and make another passive authentication request to the original step. Most likely it will be a cookie or token that gets added. – ShelbyZ Oct 01 '15 at 18:34
  • So I created a new application with a new client_id and can get an answer with response_type set to `code` or `token` (Bearer). But if I use a passive request, what credentials are set in the request? Certificates, like a SAML token in XML files? – artem testerov Oct 01 '15 at 22:24
  • I haven't had much luck with testing as I don't have the environment, but you might try adding an authorization header to the passive auth request. I may have to look and see if there is any reasonable information out there on the next step. – ShelbyZ Oct 02 '15 at 02:23
  • After logging in to ADFS I have the cookies `RPSAuth` and `RPSSecAuth` on the domain `lync.com`. But I still do not have a token. What to do next? – artem testerov Oct 04 '15 at 19:53
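The answer's point is that the 401 from step 2 already tells the client which grant types the MsRtcOAuth challenge accepts, and `password` is not one of them. The following is an added example, not code from the question, the answer, or any Microsoft client: it parses the multi-scheme WWW-Authenticate header quoted in the question (joined onto one line, exactly as the server sent it) into its Bearer and MsRtcOAuth challenges, then checks a proposed grant type against the advertised list before any credential is sent. The regex-based parser and the helper names (`parse_www_authenticate`, `grant_types`, `grant_supported`) are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# The WWW-Authenticate value from the question's 401 response, joined onto
# one line (HTTP treats it as a single header value).
SAMPLE_CHALLENGE = (
    'Bearer trusted_issuers="00000001-0000-0000-c000-000000000000@*", '
    'client_id="00000004-0000-0ff1-ce00-000000000000", '
    'authorization_uri="https://login.windows.net/common/oauth2/authorize", '
    'MsRtcOAuth href="https://webdir1e.online.lync.com/WebTicket/oauthtoken", '
    'grant_type="urn:microsoft.rtc:passive,urn:microsoft.rtc:anonmeeting"'
)


@dataclass
class Challenge:
    """One authentication scheme from the header plus its auth-params."""
    scheme: str
    params: Dict[str, str] = field(default_factory=dict)


# Two alternatives: an auth-param (name=value, value quoted or a bare token),
# or a bare token on its own, which starts a new challenge (the scheme name).
_ITEM = re.compile(
    r'([A-Za-z0-9_.\-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)'  # name=value
    r'|([A-Za-z][A-Za-z0-9_.\-]*)'                           # scheme token
)


def parse_www_authenticate(value: str) -> List[Challenge]:
    """Split a WWW-Authenticate value into its challenges (RFC 7235 style)."""
    challenges: List[Challenge] = []
    for m in _ITEM.finditer(value):
        name, raw, scheme = m.groups()
        if scheme is not None:
            challenges.append(Challenge(scheme))
            continue
        if not challenges:
            raise ValueError("auth-param before any scheme: %s" % name)
        if raw.startswith('"'):
            # Strip the quotes and undo quoted-pair escaping.
            raw = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        challenges[-1].params[name.lower()] = raw
    return challenges


def grant_types(challenges: List[Challenge], scheme: str = "MsRtcOAuth") -> List[str]:
    """Return the comma-separated grant_type list advertised by one scheme."""
    for c in challenges:
        if c.scheme.lower() == scheme.lower():
            gt = c.params.get("grant_type", "")
            return [g.strip() for g in gt.split(",") if g.strip()]
    return []


def grant_supported(challenges: List[Challenge], grant: str,
                    scheme: str = "MsRtcOAuth") -> bool:
    """True only if the server explicitly listed this grant type."""
    return grant in grant_types(challenges, scheme)


if __name__ == "__main__":
    parsed = parse_www_authenticate(SAMPLE_CHALLENGE)
    for c in parsed:
        print(c.scheme, c.params)
    for g in ("password", "urn:microsoft.rtc:passive"):
        print(g, "->", "allowed" if grant_supported(parsed, g) else "NOT advertised")
```

Running it shows `password -> NOT advertised` and `urn:microsoft.rtc:passive -> allowed`, which is the mismatch the answer describes. A client that gates on `grant_supported` before building the token request avoids the situation in step 3, where a username and password were posted to an authorization endpoint that was never going to accept that grant.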