authenticating to an endpoint and policy discovery service

Here we see Lync working the infrastructure to learn how to talk to its server endpoints, given a name in the identity namespace.


Above, we see in the sessions the process of failing to find one or other discovery endpoint, and then failing to respond to the challenge (of each found endpoint). Eventually, at 1, an encrypted token is sent to the webticket STS built into the tenant’s Lync pod. I’m not sure what is in that blob, though it seems likely that its source is the sign-in assistant’s token cache. At two, we see the webticket issued in exchange for the “bearer” assertion sent in its encrypted data wrapper. The response is a SAML assertion for a sip: name-form URI, issued.

At three, when now attempting once again to authenticate to a discovery endpoint, we see the ticket used in a non-SOAP service – presented in a header. At 4 we see that what is sent in the header is essentially what the STS minted, at 2.

I can feel from various vibes I’m getting close to areas that are sensitive, between Microsoft and NSA. I’m getting a fearful response – folks being afeared to respond on simple technical topics that is, lest the hammer come down on them. The first stage of tyranny is shown up when those who previously thought of themselves as saving freedom (by willingly joining the secret elite) now feel afeared for their own freedom (as they think they go about continuing to save the freedom of others).

Anyways, we see the SIP voice-services centric id process continuing, to get a cert provisioned. Let’s look carefully:


We see a call to a cert provisioning service, invoking a get and publish cert action, noting the entity AND THE DEVICE. Within is an RST, note, whose own token is a PKCS message. The result, shown top left, is an embedded RSR – another PKCS message. (We can guess these are PKCS#10 and PKCS#7.) Let’s check by decoding the ASN.1 blobs. The request is clearly ASN.1, and as declared the response is an X.509 ASN.1 stream:


Clearly it’s a short-lived cert – 12h. Is it used in the setup of the tunnel over which the RTP packets – bearing the codec-ed voice samples – are sent?

Is this the process the Russians have admitted having “special service” access to?
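
The decoding step described above, as an added example that is not from the original post: a minimal DER walker that tells a PKCS#10 request from an X.509 certificate or a PKCS#7 wrapper by its outer shape, and reads the certificate's validity window. The function names, the skeleton blobs and the 2013 timestamps are constructed for illustration; only the 12h lifetime comes from the capture discussed here.

```python
from datetime import datetime

PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def classify(der):
    """Classify a blob by its outer ASN.1 shape; signatures are not checked."""
    tag, body, _ = tlv(der)
    top = children(body) if tag == 0x30 else []
    if top and top[0][0] == 0x06:  # ContentInfo begins with a contentType OID
        return "pkcs7" if top[0][1] == PKCS7_SIGNED_DATA else "unknown"
    inner = children(top[0][1]) if top and top[0][0] == 0x30 else []
    if inner and inner[0][0] == 0xA0:  # [0] version: v2/v3 tbsCertificate
        return "x509"
    if inner and inner[0][0] == 0x02 and inner[-1][0] == 0xA0:  # version ... [0] attributes
        return "pkcs10"
    return "unknown"  # includes v1 certificates, which this sketch does not handle

def validity_hours(cert_der):
    """Hours between notBefore and notAfter of a v3 certificate."""
    tbs = children(children(tlv(cert_der)[1])[0][1])
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}  # UTCTime, GeneralizedTime
    t = [datetime.strptime(v.decode("ascii"), fmt[k]) for k, v in children(tbs[4][1])]
    return (t[1] - t[0]).total_seconds() / 3600

# Constructed skeletons (empty names, keys and signatures), short-form lengths only.
def enc(tag, *parts):
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
E = enc(0x30)  # empty SEQUENCE placeholder
SAMPLE_CERT = enc(0x30, enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), E, E,
    enc(0x30, enc(0x17, b"130801060000Z"), enc(0x17, b"130801180000Z")), E, E), E, enc(0x03, b"\x00"))
SAMPLE_CSR = enc(0x30, enc(0x30, enc(0x02, b"\x00"), E, E, enc(0xA0)), E, enc(0x03, b"\x00"))
```

Blobs lifted from a captured message would need base64-decoding to DER bytes before being passed to `classify` or `validity_hours`.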


About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.