Once a request to a web application has been identified as unauthenticated, the proxy MUST initiate pre-authentication. To do this the proxy MUST identify whether the request is from a Microsoft Office application that relies on the Office Forms Based Authentication (OFBA) Protocol [MS-OFBA].
To identify requests from Microsoft Office clients to application services relying on the OFBA protocol, the proxy MUST check whether the request is an HTTP OPTIONS request with a particular value in the User-Agent HTTP header or in the X-Forms_Based_Auth_Accepted HTTP header (a match on either header is sufficient):

Header | Value |
---|---|
User-Agent | Any of the following: "Microsoft Data Access Internet Publishing Provider"; "Microsoft-WebDAV-MiniRedir"; "non-browser"; "MSOffice ##" where ## is an integer number; "MSOffice XXXX ##" where XXXX is a value of "Word", "Excel", "PowerPoint" and "OneNote" and ## is an integer number; "Mozilla/4.0 (compatible; MS FrontPage)"; "Microsoft Office Protocol Discovery" |
X-Forms_Based_Auth_Accepted | Any of the following: "t" |

If the request is from a Microsoft Office client relying on the OFBA protocol, the server MUST return an HTTP error code of 403 to the client with the following headers:

Header | Value |
---|---|
X-Forms_Based_Auth_Required | URL for the sign-in request: |
X-Forms_Based_Auth_Return_Url | URL of incoming request. |

For requests from non-Microsoft-Office clients accessing services that implement the OFBA protocol [MS-OFBA] that rely on AD FS for authentication, the proxy MUST return an HTTP error code of 401 Unauthorized with the following header.

Header | Value |
---|---|
WWW-Authenticate | "Bearer authorization_uri=https://" + [Client State].Configuration.ServiceConfiguration.ServiceHostName + ":" + [Client State].Configuration.ServiceConfiguration.HttpsPort + "/adfs/oauth2/authorize" |
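
The decision described above, as an added example (not code from the specification or from any Microsoft implementation): classify an unauthenticated request and build the 403 or 401 challenge. The function names are hypothetical, and the code assumes that the OPTIONS method is required for both header checks, that User-Agent values are matched as substrings, that the target service implements OFBA, and that the sign-in URL (not spelled out on this page) is passed in by the caller.

```python
import re

# Literal User-Agent values from the table above.
# Assumption: matched as substrings, because real agents append version text.
_UA_LITERALS = (
    "Microsoft Data Access Internet Publishing Provider",
    "Microsoft-WebDAV-MiniRedir",
    "non-browser",
    "Mozilla/4.0 (compatible; MS FrontPage)",
    "Microsoft Office Protocol Discovery",
)
# "MSOffice ##" and "MSOffice XXXX ##", XXXX in Word/Excel/PowerPoint/OneNote.
_UA_MSOFFICE = re.compile(r"MSOffice (?:(?:Word|Excel|PowerPoint|OneNote) )?\d+")


def is_ofba_client(method, headers):
    """True when the request matches the Office/OFBA client rule."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    # Assumption: OPTIONS is required for both header checks.
    if method != "OPTIONS":
        return False
    ua = h.get("user-agent", "")
    if any(lit in ua for lit in _UA_LITERALS) or _UA_MSOFFICE.search(ua):
        return True
    return h.get("x-forms_based_auth_accepted", "").strip() == "t"


def preauth_challenge(method, url, headers, sign_in_url, service_host, https_port):
    """Return (status, response_headers) for an unauthenticated request.

    Both headers inspected here are client-supplied: the result only selects
    which challenge is sent and never grants access by itself.
    """
    if is_ofba_client(method, headers):
        return 403, {
            "X-Forms_Based_Auth_Required": sign_in_url,  # supplied by caller
            "X-Forms_Based_Auth_Return_Url": url,        # URL of incoming request
        }
    authorize = "https://%s:%s/adfs/oauth2/authorize" % (service_host, https_port)
    return 401, {"WWW-Authenticate": "Bearer authorization_uri=" + authorize}
```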