

3.13.5.2.2 Response to [MS-OFBA] Requests

Once a request to a web application has been identified as unauthenticated, the proxy MUST initiate pre-authentication. To do this, the proxy MUST first determine whether the request comes from a Microsoft Office application that relies on the Office Forms Based Authentication (OFBA) Protocol [MS-OFBA], because such clients expect a different challenge than browsers and other HTTP clients.

To identify requests from Microsoft Office clients to application services relying on the OFBA protocol, the proxy MUST check whether the request is an HTTP OPTIONS request whose User-Agent header or X-Forms_Based_Auth_Accepted header carries one of the following values (either header alone is sufficient):

Header                        Value
------                        -----
User-Agent                    Any of the following:
                                "Microsoft Data Access Internet Publishing Provider"
                                "Microsoft-WebDAV-MiniRedir"
                                "non-browser"
                                "MSOffice ##", where ## is an integer number
                                "MSOffice XXXX ##", where XXXX is one of "Word", "Excel", "PowerPoint" or "OneNote" and ## is an integer number
                                "Mozilla/4.0 (compatible; MS FrontPage)"
                                "Microsoft Office Protocol Discovery"
X-Forms_Based_Auth_Accepted   "t"

If the request is from a Microsoft Office client relying on the OFBA protocol, the proxy MUST return an HTTP 403 status code to the client with the following headers:

Header                          Value
------                          -----
X-Forms_Based_Auth_Required     URL for the sign-in request, carrying the following query parameters:

                                  Parameter   Value
                                  ---------   -----
                                  version     Version of the protocol. It MUST be "1.0".
                                  action      Action on the authentication request. It MUST be "signin".
                                  realm       Identifier for the Proxy Relying Party Trust. It MUST be [Client State].ProxyRelyingPartyTrustIdentifier (section 3.1.1.2).
                                  apprealm    objectIdentifier of the application being accessed (section 2.2.2.6).
                                  returnurl   URL of the incoming request.

X-Forms_Based_Auth_Return_Url   URL of the incoming request.

For requests from non-Microsoft-Office clients accessing services that implement the OFBA protocol [MS-OFBA] and rely on AD FS for authentication, the proxy MUST return an HTTP 401 (Unauthorized) status code with the following header:

Header             Value
------             -----
WWW-Authenticate   "Bearer authorization_uri=https://" + [Client State].Configuration.ServiceConfiguration.ServiceHostName + ":" + [Client State].Configuration.ServiceConfiguration.HttpsPort + "/adfs/oauth2/authorize"
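The following is an added example of the decision logic this section describes, written for this page; it is not code from the specification or from any AD FS implementation. The header names, the recognised User-Agent values, the 403/401 split and the query-parameter names are taken from the text above. The sign-in endpoint path (/adfs/ls/), the [Client State] values used in the sample, the case-insensitive substring matching of User-Agent, and the placeholder host names and application identifier are assumptions.

```python
"""Pre-authentication response selection for [MS-OFBA] requests at the proxy.

Added example, not part of the specification or of any AD FS implementation.
Header names, the recognised User-Agent values, the 403/401 split and the
query-parameter names come from the section above; the sign-in endpoint path
(/adfs/ls/), the client-state values used below and the case-insensitive
substring matching of User-Agent are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

# User-Agent values from the table. "##" is an integer, so those two rows are
# expressed as regular expressions; the remaining rows are literal strings.
_OFBA_USER_AGENTS: List[re.Pattern] = [
    re.compile(re.escape(s), re.IGNORECASE) for s in (
        "Microsoft Data Access Internet Publishing Provider",
        "Microsoft-WebDAV-MiniRedir",
        "non-browser",
        "Mozilla/4.0 (compatible; MS FrontPage)",
        "Microsoft Office Protocol Discovery",
    )
] + [
    re.compile(r"MSOffice \d+", re.IGNORECASE),
    re.compile(r"MSOffice (?:Word|Excel|PowerPoint|OneNote) \d+", re.IGNORECASE),
]


@dataclass(frozen=True)
class ClientState:
    """Subset of [Client State] referenced by this section (sample values are assumptions)."""
    proxy_relying_party_trust_identifier: str  # [Client State].ProxyRelyingPartyTrustIdentifier
    service_host_name: str                     # ...Configuration.ServiceConfiguration.ServiceHostName
    https_port: int                            # ...Configuration.ServiceConfiguration.HttpsPort


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_ofba_request(method: str, headers: Dict[str, str]) -> bool:
    """True if the request is an HTTP OPTIONS from an Office client relying on OFBA.

    Either header alone is sufficient. X-Forms_Based_Auth_Accepted must be exactly "t";
    User-Agent is matched as a case-insensitive substring (assumption: the section lists
    values but does not say whether the comparison is exact or partial).
    """
    if method.upper() != "OPTIONS":
        return False
    if (_header(headers, "X-Forms_Based_Auth_Accepted") or "").strip() == "t":
        return True
    user_agent = _header(headers, "User-Agent") or ""
    return any(pattern.search(user_agent) for pattern in _OFBA_USER_AGENTS)


def ofba_signin_url(state: ClientState, app_object_identifier: str, request_url: str) -> str:
    """Build the X-Forms_Based_Auth_Required value with the five mandated parameters.

    The /adfs/ls/ path is an assumption; the section does not state the base URL.
    """
    params = [
        ("version", "1.0"),                                     # MUST be "1.0"
        ("action", "signin"),                                   # MUST be "signin"
        ("realm", state.proxy_relying_party_trust_identifier),  # Proxy Relying Party Trust identifier
        ("apprealm", app_object_identifier),                    # objectIdentifier of the application
        ("returnurl", request_url),                             # URL of the incoming request
    ]
    base = f"https://{state.service_host_name}:{state.https_port}/adfs/ls/"
    return base + "?" + urlencode(params)


def preauth_response(method: str, headers: Dict[str, str], request_url: str,
                     app_object_identifier: str, state: ClientState) -> Tuple[int, Dict[str, str]]:
    """Return (status code, response headers) the proxy sends for an unauthenticated request."""
    if is_ofba_request(method, headers):
        return 403, {
            "X-Forms_Based_Auth_Required": ofba_signin_url(state, app_object_identifier, request_url),
            "X-Forms_Based_Auth_Return_Url": request_url,
        }
    authorize = f"https://{state.service_host_name}:{state.https_port}/adfs/oauth2/authorize"
    return 401, {"WWW-Authenticate": f"Bearer authorization_uri={authorize}"}


if __name__ == "__main__":
    # Constructed sample inputs; host names and the application identifier are placeholders.
    state = ClientState("urn:AppProxy:com", "sts.contoso.com", 443)
    app_id = "7d1f0c2a-0000-0000-0000-000000000001"
    url = "https://app.contoso.com/Shared%20Documents/plan.docx"
    for method, hdrs in [
        ("OPTIONS", {"User-Agent": "MSOffice 16"}),
        ("OPTIONS", {"User-Agent": "curl/8.0", "X-FORMS_BASED_AUTH_ACCEPTED": "t"}),
        ("GET", {"User-Agent": "Mozilla/5.0"}),
    ]:
        status, resp = preauth_response(method, hdrs, url, app_id, state)
        print(method, hdrs, "->", status, resp)
```

Two details worth checking in a real proxy: the request must be an OPTIONS request for the OFBA branch to apply, so a GET carrying an Office User-Agent falls through to the 401 branch exactly as the text reads; and the incoming request URL appears twice (as the returnurl query parameter, where it must be percent-encoded, and verbatim in X-Forms_Based_Auth_Return_Url), so the two values should be derived from the same source.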