3.1 IDiscoveryService Server Details

This section describes the first and second phases in MDE2 device enrollment: resolving the Discovery Service (DS) and discovering the ES. The following diagram highlights these two phases.

Figure 8: MDE2 device enrollment: resolving the DS and discovering the ES

The IDiscoveryService in MDE2 hosts an endpoint to receive messages from the enrollment client. When a Discover request message (section 3.1.4.1.1.1) is received from the client, the server processes the request and returns a DiscoverResponse message (section 3.1.4.1.1.2) to the client. The response identifies the endpoints to be used by the client to obtain the security tokens and enroll via the ES. After the response message is sent to the client, the server returns to the waiting state.

The following diagram shows the role of the server in resolving the Discovery Service (DS) for the enrollment client.

Figure 9: Role of server in resolving the DS

As a prerequisite for enabling the enrollment client to discover the Discovery Service (DS), the administrator MUST configure DNS such that the name "EnterpriseEnrollment.[User's Domain]" resolves to the DS. The enrollment client extracts the domain suffix from the email address of the enrolling user and prepends "EnterpriseEnrollment." to it to construct the DS host name. For example, if the email address for the user is "user1@contoso.com", the enrollment client extracts the domain suffix "contoso.com" and prepends "EnterpriseEnrollment." to construct the DS address "EnterpriseEnrollment.contoso.com".

In the example, the full URL sent by the client to the DS is "https://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc".

The path portion of the URL "/EnrollmentServer/Discovery.svc" is always constant.

The enrollment client validates the Secure Sockets Layer (SSL) certificate protecting the DS endpoint, along with any intermediate certificates in its chain, which must be signed by a trusted CA.
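As an added example that is not part of the specification, the following Python derives the DS host and URL from an enrolling user's email address as described above, rejecting malformed input, and checks a server certificate's DNS subjectAltName entries against the derived host. The SAN lists are constructed samples, and the wildcard-matching rule is an assumption taken from RFC 6125 rather than from this document.

```python
"""Derive the MDE2 Discovery Service (DS) endpoint from an enrolling user's
email address (section 3.1) and match a server certificate's DNS
subjectAltName entries against that host.

Hypothetical helper code, not part of the MS-MDE2 specification."""
import re

DS_HOST_PREFIX = "EnterpriseEnrollment."
DS_PATH = "/EnrollmentServer/Discovery.svc"  # constant path per the spec
# One DNS label: 1-63 chars of [A-Za-z0-9-], no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def ds_host(email: str) -> str:
    """Return EnterpriseEnrollment.<domain suffix of email>, normalised to
    lowercase punycode.  Malformed input is rejected rather than being
    passed to DNS, so a crafted address cannot redirect discovery."""
    if email.count("@") != 1:
        raise ValueError("email must contain exactly one '@'")
    domain = email.split("@", 1)[1].strip().rstrip(".").lower()
    try:
        domain = domain.encode("idna").decode("ascii")  # IDN -> xn-- form
    except UnicodeError as exc:
        raise ValueError(f"invalid domain suffix: {domain!r}") from exc
    if not all(_LABEL.match(label) for label in domain.split(".")):
        raise ValueError(f"invalid domain suffix: {domain!r}")
    return DS_HOST_PREFIX + domain

def discovery_url(email: str) -> str:
    """Full Discover request URL, e.g. for user1@contoso.com:
    https://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc"""
    return f"https://{ds_host(email)}{DS_PATH}"

def san_matches_host(san_dns_names: list[str], host: str) -> bool:
    """Check whether any DNS SAN covers the DS host (RFC 6125 style, an
    assumption here): case-insensitive exact match, or a single leftmost
    '*' label that still leaves at least two fixed labels (no '*.com')."""
    want = host.lower().rstrip(".").split(".")
    for name in san_dns_names:
        got = name.lower().rstrip(".").split(".")
        if len(got) != len(want):
            continue
        if got == want:
            return True
        if got[0] == "*" and len(got) >= 3 and got[1:] == want[1:]:
            return True
    return False
```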