
I'm trying to use MS-OFBA to authenticate Word and Excel documents before editing them on a web server (.Net-Core) that they're hosted on. However, after authenticating with MS-OFBA and receiving the authentication cookie Word doesn't send the cookie in subsequent OPTIONS requests (it does send it in some other requests so I can tell that it has received the cookie). As such, the web server has no way of telling whether word is authenticated or not and it gets stuck in a loop of asking word for credentials.

The MS-OCPROTO specification says this is expected behavior in one section (2.1.2.1.2.2) and then contradicts itself and says OPTIONS requests do send cookies in another (3.1). Given that I'm not receiving cookies I assume that section 2.1.2.1.2.2 is the correct section. If that's the case then how is it ever possible to authenticate Word using MS-OFBA (which is specifically made for authenticating Office)?

Has anyone ever used MS-OFBA to authenticate Word before and if so how did you detect if Word was authenticated when it doesn't send cookies on OPTIONS requests? Is there a way of using MS-OFBA so that Word sends authentication outside cookies?

I'm super stuck on this so I'd be incredibly grateful for any help or pointers in the right direction.

rorywsmith

2 Answers


I can confirm that once authenticated with MS-OFBA, all of the WebDAV related requests coming from Microsoft Office clients include authentication cookies.

Make sure you are following the MS-OFBA protocol to the letter, including the expected HTTP response codes.

https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-ofba/c2c4baef-c611-4e7b-9a4c-d009e678e3d2

According to this document, all requests after this response should have the cookie - note that the response code must be 302 and the redirect location must match X-FORMS_BASED_AUTH_RETURN_URL exactly.

 S: HTTP/1.1 302 Object Moved
 Location: https://www.contoso.com/OnSuccess.aspx
 Set-Cookie: Authentication=<server-determined hash of the user’s identity>
Jan Martin

Comment: Sorry for the late reply but thanks for the response. I can't remember where exactly I'd messed up but essentially I wasn't exactly following MS-OFBA as you said – rorywsmith Apr 14 '21 at 02:47

OPTIONS requests should be processed without authentication; possibly this is the reason why cookies are not attached. Please see the explanation about OPTIONS here: OPTIONS request authentication

IT Hit WebDAV Server Engine supports adding MS-OFBA to .NET Core projects with both 'Individual User Accounts' and 'Work or School Accounts' options since v11+. Please see how to add MS-OFBA here: https://www.webdavsystem.com/server/documentation/choosing_authentication/azure-ad-auth/

IT Hit WebDAV
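The handshake both answers describe, as an added example that is not code from the question, from either answer, or from the IT Hit product: a request dispatcher that (1) answers an unauthenticated Office client with the 403 + X-FORMS_BASED_AUTH_* challenge, (2) on a successful login POST returns a 302 whose Location is exactly X-FORMS_BASED_AUTH_RETURN_URL and sets the cookie, and (3) accepts later WebDAV requests only when that cookie carries a valid HMAC. The `anonymous_options` switch reflects the second answer's point that OPTIONS can be served without credentials while PROPFIND/GET stay gated. The URLs, cookie name, credential store and `handle()` signature are all assumptions made for the demo; the HMAC-signed cookie is one reasonable way to produce the "server-determined hash of the user's identity" the spec leaves to the implementer. This is Python rather than the asker's .NET Core so it runs stand-alone.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl

# Hypothetical server configuration (assumption, not from the original post).
LOGIN_URL = "https://www.contoso.com/ofba/login"
RETURN_URL = "https://www.contoso.com/ofba/success"
COOKIE_NAME = "Authentication"
SERVER_KEY = secrets.token_bytes(32)          # per-process HMAC key; rotate in real deployments
USERS = {"alice": "correct horse battery staple"}  # constructed demo credential store
DAV_HEADERS = {"DAV": "1,2", "Allow": "OPTIONS, GET, HEAD, PROPFIND, PUT, LOCK, UNLOCK"}


def _sign(user: str) -> str:
    """Cookie value = user:HMAC-SHA256(key, user); the MAC is what makes the cookie tamper-evident."""
    mac = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_cookie(value: str):
    """Return the user name if the cookie is intact, else None. Constant-time MAC compare."""
    user, _, mac = value.partition(":")
    if not user or not mac:
        return None
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def ofba_challenge():
    """403 plus the MS-OFBA headers; Office reads these and opens its login dialog at LOGIN_URL."""
    return 403, {
        "X-FORMS_BASED_AUTH_REQUIRED": LOGIN_URL,
        "X-FORMS_BASED_AUTH_RETURN_URL": RETURN_URL,
        "X-FORMS_BASED_AUTH_DIALOG_SIZE": "800x600",
    }, b""


def handle(method, path, headers, body=b"", anonymous_options=False):
    """Dispatch one request. `headers` is a dict with lowercase keys. Returns (status, headers, body)."""
    # 1. The login form inside Office's dialog posts credentials here.
    if method == "POST" and path == "/ofba/login":
        fields = dict(parse_qsl(body.decode()))
        user = fields.get("user", "")
        if USERS.get(user) is not None and hmac.compare_digest(USERS[user], fields.get("password", "")):
            # 302 with Location == RETURN_URL exactly: that navigation is what Office watches for,
            # and the cookies set on this response are the ones it replays on later requests.
            return 302, {
                "Location": RETURN_URL,
                "Set-Cookie": f"{COOKIE_NAME}={_sign(user)}; Path=/; Secure; HttpOnly",
            }, b""
        return 401, {}, b"bad credentials"

    # 2. Everything else is WebDAV traffic: establish identity from the cookie first.
    cookies = SimpleCookie(headers.get("cookie", ""))
    user = verify_cookie(cookies[COOKIE_NAME].value) if COOKIE_NAME in cookies else None

    if user is None:
        if method == "OPTIONS" and anonymous_options:
            return 200, dict(DAV_HEADERS), b""          # capability probe allowed anonymously
        if headers.get("x-forms_based_auth_accepted", "").lower() == "t":
            return ofba_challenge()                      # client advertised MS-OFBA support
        return 401, {"WWW-Authenticate": 'Basic realm="dav"'}, b""  # non-Office client (assumed fallback)

    return 200, {**DAV_HEADERS, "X-Authenticated-User": user}, b""


def demo():
    """Walk the exchange in the order Office performs it; returns the status codes observed."""
    office = {"user-agent": "Microsoft Office Word", "x-forms_based_auth_accepted": "t"}
    # Office probes the document; no cookie yet, so it gets the MS-OFBA challenge.
    s1, _, _ = handle("OPTIONS", "/docs/report.docx", office)
    # User signs in inside the dialog; server redirects to RETURN_URL and sets the cookie.
    s2, h2, _ = handle("POST", "/ofba/login", {}, b"user=alice&password=correct+horse+battery+staple")
    cookie_pair = h2["Set-Cookie"].split(";", 1)[0]      # "Authentication=alice:<hmac>"
    # Office retries with the cookie; the MAC verifies and the request is served.
    s3, _, _ = handle("OPTIONS", "/docs/report.docx", {**office, "cookie": cookie_pair})
    # A forged cookie with the right shape but wrong MAC must be challenged again, not trusted.
    forged = f"{COOKIE_NAME}=alice:" + "0" * 64
    s4, _, _ = handle("PROPFIND", "/docs/report.docx", {**office, "cookie": forged})
    return s1, s2, s3, s4


if __name__ == "__main__":
    print(demo())  # (403, 302, 200, 403)
```

The loop the asker hit is what happens when step (2) deviates: if the login response is not a 302, or its Location differs from the advertised return URL even slightly, Office never treats the dialog as finished and never attaches the cookie, so every subsequent request falls back into the 403 branch.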