3.11.5 Message Processing Events and Sequencing Rules
The client SHOULD listen for HTTP requests based on the server characteristics in [Client State].Configuration.
For each object CurrentEndpointConfiguration in [Client State].Configuration.EndpointConfiguration, the client SHOULD do the following:
Listen for HTTP requests whose URLs conform to the following rules:
HostName of the URL is one of the following:
[Client State].Configuration.ServiceConfiguration.ServiceHostName
[Client State].Configuration.ServiceConfiguration.ServiceHostNameForUserTlsAuth
"EnterpriseRegistration.<PossibleUpnSuffix>" where <PossibleUpnSuffix> is any value in [Client State].Configuration.ServiceConfiguration.DiscoveredUpnSuffixes or [Client State].Configuration.ServiceConfiguration.CustomUpnSuffixes.
If CurrentEndpointConfiguration.PortType is 0 ("HttpPort"), the port component of the URL is [ServiceConfiguration.HttpPort].
If CurrentEndpointConfiguration.PortType is 1 ("HttpsPort"), the port component of the URL is [ServiceConfiguration.HttpsPort].
If CurrentEndpointConfiguration.PortType is 2 ("HttpsPortForUserTlsAuth"), the port component of the URL is [ServiceConfiguration.HttpsPortForUserTlsAuth].
The Path component of the URL is a subpath of [CurrentEndpointConfiguration.Path]; that is, it is equal to that path or extends it at a path-segment boundary.
If CurrentEndpointConfiguration.ClientCertificateQueryMode is 1 ("QueryAndAccept") and the request does not carry a public key authentication header or user agent indicator ([MS-PKAP] section 3.1.5.1.1), then the client SHOULD attempt to retrieve an end-user X.509 certificate [RFC4158] using TLS client authentication [RFC2246]. If it obtains a certificate, the client MUST follow the processing in section 3.11.5.1.
If CurrentEndpointConfiguration.ClientCertificateQueryMode is 2 ("QueryAndRequire"), then the client SHOULD attempt to retrieve an end-user X.509 certificate [RFC4158] using TLS client authentication [RFC2246]. If it obtains a certificate, the client MUST follow the processing in section 3.11.5.1.
If CurrentEndpointConfiguration.SupportsNtlm is true, the client SHOULD ensure that SPNEGO-based authentication requests [RFC4559] with the "Negotiate" auth-scheme are converted to NTLM.
If the configuration field IgnoreTokenBinding is not set to True (section 2.2.2.4), the configuration field UpdatedFarmBehaviorLevel is greater than or equal to AD_FS_BEHAVIOR_LEVEL_4 ([MS-OAPX] section 3.2.1.1), and the end-user request contains token binding information in the form of the Sec-Token-Binding header defined in [IETFDRAFT-TOKBIND-H] section 2, the client SHOULD construct a signed header using the structure defined in section 2.2.1.6, which is a serialized JWT. The client then performs the following steps:
Token binding information on the request is parsed into the provided_token_binding and referred_token_binding structures, as defined in [IETFDRAFT-TOKBIND-H] section 2 and [IETFDRAFT-TOKBINDPROT] section 3.1.
The provided_token_binding information is included as a claim in the JWT, with claim name "Sec-Provided-Token-Binding-ID".
The referred_token_binding information is included as a claim in the JWT, with claim name "Sec-Referred-Token-Binding-ID".
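The token binding steps above, as an added example that is not part of [MS-ADFSPIP] or of any Microsoft implementation. It decodes a Sec-Token-Binding value into its provided_token_binding and referred_token_binding entries using the TokenBindingMessage wire format from [IETFDRAFT-TOKBINDPROT] section 3 (TLS-style length-prefixed vectors: a 1-byte type, a TokenBindingID of key_parameters, uint16 key_length and the public key, a signature of at least 64 bytes, and extensions), then carries the two TokenBindingIDs as the claims named above in a signed JWT. The JWT algorithm (HS256), the proxy signing key, and the base64url encoding of the claim values are assumptions, since section 2.2.1.6 is not reproduced on this page; the sample header, its keys and its all-zero signatures are constructed, and the signatures over the TLS exported keying material are not verified here.

```python
# Added example (not from [MS-ADFSPIP] or any Microsoft implementation).
# Parses a Sec-Token-Binding header into its provided/referred entries and
# carries the two TokenBindingIDs as claims in an HMAC-signed JWT.
import base64
import hashlib
import hmac
import json

PROVIDED, REFERRED = 0, 1                         # TokenBindingType
RSA2048_PKCS15, RSA2048_PSS, ECDSAP256 = 0, 1, 2  # TokenBindingKeyParameters

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _vec(data: bytes, length_bytes: int) -> bytes:
    """TLS-style opaque vector: big-endian length prefix followed by the bytes."""
    return len(data).to_bytes(length_bytes, "big") + data

def encode_token_binding(tb_type: int, key_params: int, public_key: bytes,
                         signature: bytes, extensions: bytes = b"") -> bytes:
    """TokenBinding = type(1) | TokenBindingID | signature<64..2^16-1> | extensions<0..2^16-1>,
    where TokenBindingID = key_parameters(1) | key_length(2) | TokenBindingPublicKey."""
    if len(signature) < 64:
        raise ValueError("signature must be at least 64 bytes")
    return bytes([tb_type, key_params]) + _vec(public_key, 2) + _vec(signature, 2) + _vec(extensions, 2)

def encode_sec_token_binding(*bindings: bytes) -> str:
    """Sec-Token-Binding value: base64url without padding of a TokenBindingMessage."""
    return b64url(_vec(b"".join(bindings), 2))

def parse_sec_token_binding(header_value: str) -> dict:
    """Return {'provided': TokenBindingID bytes, 'referred': bytes or None}.
    Every length is bounds-checked, so a truncated or padded header raises
    ValueError instead of being read past its end or silently accepted."""
    raw = b64url_decode(header_value)
    if len(raw) < 2 or int.from_bytes(raw[:2], "big") != len(raw) - 2:
        raise ValueError("TokenBindingMessage length does not match header")
    if len(raw) - 2 < 132:
        raise ValueError("tokenbindings vector shorter than its 132-byte minimum")
    pos, ids = 2, {"provided": None, "referred": None}

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(raw):
            raise ValueError("truncated TokenBinding")
        pos += n
        return raw[pos - n:pos]

    while pos < len(raw):
        tb_type, key_params = take(1)[0], take(1)[0]
        key_len = int.from_bytes(take(2), "big")
        key = take(key_len)
        sig_len = int.from_bytes(take(2), "big")
        if sig_len < 64:
            raise ValueError("signature shorter than 64 bytes")
        take(sig_len)                          # signature over the TLS EKM: not verified here
        take(int.from_bytes(take(2), "big"))   # extensions, ignored
        tbid = bytes([key_params]) + key_len.to_bytes(2, "big") + key
        slot = {PROVIDED: "provided", REFERRED: "referred"}.get(tb_type)
        if slot is None or ids[slot] is not None:
            raise ValueError("unknown or duplicate TokenBindingType %d" % tb_type)
        ids[slot] = tbid
    if ids["provided"] is None:
        raise ValueError("no provided_token_binding present")
    return ids

def is_valid_sec_token_binding(header_value: str) -> bool:
    try:
        parse_sec_token_binding(header_value)
        return True
    except ValueError:
        return False

def token_binding_jwt(header_value: str, signing_key: bytes) -> str:
    """Serialized JWT with the two claims named in the text. HS256 and the
    base64url claim encoding are assumptions; section 2.2.1.6 defines the real
    header structure and the proxy's signing key."""
    ids = parse_sec_token_binding(header_value)
    claims = {"Sec-Provided-Token-Binding-ID": b64url(ids["provided"])}
    if ids["referred"] is not None:
        claims["Sec-Referred-Token-Binding-ID"] = b64url(ids["referred"])
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(claims)
    sig = hmac.new(signing_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token_binding_jwt(token: str, signing_key: bytes) -> dict:
    """What the receiving side does before trusting the claims."""
    head, body, sig = token.split(".")
    expected = hmac.new(signing_key, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("JWT signature mismatch")
    return json.loads(b64url_decode(body))

# Constructed sample header: two ecdsap256 bindings with placeholder points and
# all-zero signatures (real values come from the client's TLS layer).
_POINT_A = _vec(b"\x04" + bytes(range(1, 65)), 1)       # TB_ECPoint: point<1..2^8-1>
_POINT_B = _vec(b"\x04" + bytes(range(65, 129)), 1)
SAMPLE_HEADER = encode_sec_token_binding(
    encode_token_binding(PROVIDED, ECDSAP256, _POINT_A, bytes(64)),
    encode_token_binding(REFERRED, ECDSAP256, _POINT_B, bytes(64)))
```

The parser rejects a message whose declared length disagrees with the header, a signature field shorter than the 64-byte minimum, a duplicate or unknown TokenBindingType, and a message with no provided_token_binding; each of those would otherwise let a malformed header reach the claim construction. Whether the proxy must also verify the token binding signatures before forwarding them is governed by section 2.2.1.6 and the server side, not by this example.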
If no certificate was obtained in step 2 (the QueryAndAccept query above), or if a certificate was obtained in step 2 or step 3 but the section 3.11.5.1 validation fails while CurrentEndpointConfiguration.CertificateValidation is 2 ("IssuedByDrs"), then the client SHOULD replay the request to the service host as follows:
The request SHOULD be made to the following URL:
If CurrentEndpointConfiguration.ServicePortType is 0, then form the URL as "http://[ServiceConfiguration.ServiceHostName]:[ServiceConfiguration.HttpPort]/[CurrentEndpointConfiguration.ServicePath]".
If CurrentEndpointConfiguration.ServicePortType is 1, then form the URL as "https://[ServiceConfiguration.ServiceHostName]:[ServiceConfiguration.HttpsPort]/[CurrentEndpointConfiguration.ServicePath]".
If CurrentEndpointConfiguration.ServicePortType is 2, then form the URL as "https://[ServiceConfiguration.ServiceHostName]:[ServiceConfiguration.HttpsPortForUserTlsAuth]/[CurrentEndpointConfiguration.ServicePath]".
The client SHOULD add the headers in section 2.2.1 to the request.
If no certificate was obtained in step 3 (the QueryAndRequire query above), then the client SHOULD<12> perform the following steps:
The client constructs a request as in section 3.10.5.1 with [Serialized Request with Certificate] set to the following values:
[Serialized Request with Certificate].ErrorType MUST be set to 1 ("Certificate").
[Serialized Request with Certificate].ErrorCode MUST be set to 1168.
The client then performs the common processing defined in section 3.11.5.2.
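The per-endpoint procedure above, as an added example that is not part of [MS-ADFSPIP] or of Microsoft's Web Application Proxy: the three listen-URL rules (host, port by PortType, subpath of Path), the two ClientCertificateQueryMode queries, the replay URL built from ServiceHostName, ServicePortType and ServicePath, and the ErrorType 1 / ErrorCode 1168 request for the QueryAndRequire case. Field names are those used in the text. The hostnames, paths and ports are constructed; the result of the TLS client-authentication query and the verdict of the section 3.11.5.1 validation are supplied as inputs, because that validation is defined elsewhere; and carrying the request's remaining subpath and query string over to the replay URL, as well as default ports of 80 and 443 when the URL omits a port, are assumptions of this example.

```python
# Added example (not from [MS-ADFSPIP] or Microsoft's Web Application Proxy):
# a model of the per-endpoint rules above. Field names follow the text; all
# hostnames, paths and ports below are constructed.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

HTTP_PORT, HTTPS_PORT, HTTPS_PORT_FOR_USER_TLS_AUTH = 0, 1, 2   # PortType / ServicePortType
QUERY_AND_ACCEPT, QUERY_AND_REQUIRE = 1, 2                       # ClientCertificateQueryMode
ISSUED_BY_DRS = 2                                                # CertificateValidation
ERROR_TYPE_CERTIFICATE, ERROR_CODE_NO_CERTIFICATE = 1, 1168      # section 3.10.5.1 values

@dataclass
class ServiceConfiguration:
    ServiceHostName: str
    ServiceHostNameForUserTlsAuth: str
    HttpPort: int = 80
    HttpsPort: int = 443
    HttpsPortForUserTlsAuth: int = 49443
    DiscoveredUpnSuffixes: list = field(default_factory=list)
    CustomUpnSuffixes: list = field(default_factory=list)

@dataclass
class EndpointConfiguration:
    Path: str
    PortType: int
    ServicePath: str
    ServicePortType: int
    ClientCertificateQueryMode: int = 0   # 0 (assumed): neither query mode
    CertificateValidation: int = 0

@dataclass
class Request:
    url: str
    has_pkap_indicator: bool = False      # [MS-PKAP] header or user-agent indicator present
    client_cert: Optional[bytes] = None   # what the TLS client-auth query yields (input here)
    passes_3_11_5_1: bool = False         # verdict of the section 3.11.5.1 checks (input here)

def allowed_hostnames(svc: ServiceConfiguration) -> set:
    names = [svc.ServiceHostName, svc.ServiceHostNameForUserTlsAuth]
    names += ["EnterpriseRegistration." + s for s in svc.DiscoveredUpnSuffixes + svc.CustomUpnSuffixes]
    return {n.lower() for n in names}     # DNS names compare case-insensitively

def port_for(svc: ServiceConfiguration, port_type: int) -> int:
    return {HTTP_PORT: svc.HttpPort, HTTPS_PORT: svc.HttpsPort,
            HTTPS_PORT_FOR_USER_TLS_AUTH: svc.HttpsPortForUserTlsAuth}[port_type]

def subpath_remainder(base: str, path: str) -> Optional[str]:
    """Segment-wise subpath test: the part of path below base ('' if equal) or
    None. startswith() would let /adfs/lsx match base /adfs/ls; dot segments are
    rejected so /adfs/ls/../x cannot escape the endpoint. Percent-decoding before
    this check is left to the caller (assumption)."""
    base_segs = [s.lower() for s in base.split("/") if s]
    path_segs = [s for s in path.split("/") if s]
    if any(s in (".", "..") for s in path_segs):
        return None
    if [s.lower() for s in path_segs[:len(base_segs)]] != base_segs:
        return None
    rest = path_segs[len(base_segs):]
    return "/" + "/".join(rest) if rest else ""

def matches_listen_url(svc, ep, url: str) -> Optional[str]:
    """Apply the host, port and path rules; returns the remainder below ep.Path
    when the URL is one this endpoint listens for, else None."""
    u = urlsplit(url)
    scheme = "http" if ep.PortType == HTTP_PORT else "https"
    if u.scheme.lower() != scheme or (u.hostname or "") not in allowed_hostnames(svc):
        return None                        # urlsplit() already lowercases hostname
    port = u.port if u.port is not None else (80 if scheme == "http" else 443)
    if port != port_for(svc, ep.PortType):
        return None
    return subpath_remainder(ep.Path, u.path)

def replay_url(svc, ep, remainder: str, query: str = "") -> str:
    """Replay target from the text: service host, ServicePortType, ServicePath.
    Appending the remaining subpath and query is an assumption."""
    scheme, port = {HTTP_PORT: ("http", svc.HttpPort), HTTPS_PORT: ("https", svc.HttpsPort),
                    HTTPS_PORT_FOR_USER_TLS_AUTH: ("https", svc.HttpsPortForUserTlsAuth)}[ep.ServicePortType]
    url = f"{scheme}://{svc.ServiceHostName}:{port}/{ep.ServicePath.strip('/')}{remainder}"
    return url + ("?" + query if query else "")

def process(svc, ep, req: Request):
    """('ignore', None): not our URL; ('certificate', cert): continue in 3.11.5.1;
    ('replay', url): replay rule; ('error', payload): the 1168 error request."""
    remainder = matches_listen_url(svc, ep, req.url)
    if remainder is None:
        return "ignore", None
    cert = None
    if ep.ClientCertificateQueryMode == QUERY_AND_ACCEPT and not req.has_pkap_indicator:
        cert = req.client_cert                           # step 2
    elif ep.ClientCertificateQueryMode == QUERY_AND_REQUIRE:
        cert = req.client_cert                           # step 3
    query = urlsplit(req.url).query
    if cert is not None:
        if ep.CertificateValidation == ISSUED_BY_DRS and not req.passes_3_11_5_1:
            return "replay", replay_url(svc, ep, remainder, query)
        return "certificate", cert
    if ep.ClientCertificateQueryMode == QUERY_AND_REQUIRE:
        return "error", {"ErrorType": ERROR_TYPE_CERTIFICATE, "ErrorCode": ERROR_CODE_NO_CERTIFICATE}
    return "replay", replay_url(svc, ep, remainder, query)

# Constructed configuration: one QueryAndAccept endpoint, one QueryAndRequire endpoint.
SVC = ServiceConfiguration("sts.contoso.com", "certauth.sts.contoso.com",
                           DiscoveredUpnSuffixes=["contoso.com"])
LS_ENDPOINT = EndpointConfiguration("/adfs/ls", HTTPS_PORT, "/adfs/ls", HTTPS_PORT,
                                    QUERY_AND_ACCEPT, ISSUED_BY_DRS)
USERCERT_ENDPOINT = EndpointConfiguration("/adfs/usercert", HTTPS_PORT_FOR_USER_TLS_AUTH,
                                          "/adfs/usercert", HTTPS_PORT_FOR_USER_TLS_AUTH,
                                          QUERY_AND_REQUIRE)
```

The headers from section 2.2.1 that the replayed request must carry are not listed on this page and are therefore not modelled; the replay target is always ServiceHostName, even for ServicePortType 2, exactly as the URL forms above state. The subpath check compares whole path segments rather than string prefixes, which is the difference between an endpoint for /adfs/ls and one that would also accept /adfs/lsx.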