
This is to understand how the Web Agent connects to the Policy Server.

 

The following test environment was set up.

 

SMPS1

hostname: smps1.shared.lab

Version: R12.6 SP2

 

SMPS2

hostname: smps2.shared.lab

Version: R12.6 SP2

 

WA1

Web Server: IIS

Version: R12.52SP1CR6

SmHost.conf: policyserver=smps2.shared.lab

HCO: hco.smps1 (Only has smps1.shared.lab)

 

Use Case: Normal Web Server startup

Wireshark was run on the WA1 machine.

Start IIS and open a browser to access wa1.shared.lab.

Once the IIS page has fully loaded, stop the Wireshark capture.

 

 

I will explain the Agent connectivity in 3 parts.

 

Part1: Bootstrap

This is where the Web Agent reads SmHost.conf, up to the point where it downloads the HCO.

 

Part2: HCO

This is where the Web Agent contacts the Policy Servers listed in the HCO and downloads the ACO.

 

 

 

 

When you look at the packet trace, it has lots of entries that are not relevant.

Also, the time column is not meaningful as displayed (at least for this use case).

The IP addresses would also be easier to work with if they were displayed as hostnames, so it is much easier to focus on the traffic of interest.

 

You can press CTRL+ALT+1 to change the time display format.

Or, you can go to "View", "Time Display Format" and "Date and Time of Day".

You can see the time column now displays the actual date and time.

 

Now moving on to the IP addresses.

Under "View", "Name Resolution", you can see that "Resolve Physical Address" is selected by default.

Unselect "Resolve Physical Address" and select "Resolve Network Address" only.

 

 

Now you can see the IP addresses are mostly switched to hostnames.

If you are not getting the same result, check your DNS entries and ensure that reverse DNS is set up correctly and that these machines have their entries.

 

 

 

Now, back in the packet trace, we need to filter the entries down to the ones we want to see.

The following filter helps.

ip.src_host == "wa1.shared.lab" && (ip.dst_host == "smps1.shared.lab" || ip.dst_host == "smps2.shared.lab")

You can use this filter only when the IP addresses are resolved to FQHNs.

!!! You must ensure you enter the correct hostname in the filter, as they may at times appear in upper case or lower case.

Note the parentheses: in Wireshark display filters "&&" binds more tightly than "||", so without them the filter would also show packets from any source to smps2.shared.lab.

This will filter the communication where the client (source) hostname is "wa1.shared.lab" and the server (destination) hostname is either "smps1.shared.lab" or "smps2.shared.lab".

 

You can see here that wa1.shared.lab opens its port 50134 and connects to smps2.shared.lab:44443.

WA1 only knows about smps2.shared.lab from the SmHost.conf file.

 

So, when the Web Server initializes, it loads its registered modules, and the Web Agent is one of them.

The WebAgent module will look for the WebAgent.conf file.

In the case of IIS, its location is in the registry (w3wp.exe is doing all of this).

In the case of other web servers like Apache, it appears in the web server config file.

For example, in the case of Apache, the httpd.conf file would have the following entry.

Once the WebAgent.conf file is read, it provides the location of the SmHost.conf file and the Agent Config Object name.

 

 

The Web Agent loads the SmHost.conf file to find out which Policy Server to contact.

From it, the Web Agent identifies the Policy Server to connect to in order to download the Host Config Object.

In this case, it contacts "SMPS2.SHARED.LAB" on port 44443.

It submits the Trusted Host Name "trust_wa1" together with the Shared Secret so the Policy Server can identify this Web Agent as trusted.

The Web Agent then requests the Host Config Object named "hco.smps1".

Once this HCO is downloaded, the Web Agent terminates the connection.

!!! You will observe the Web Agent promptly resetting the connection for the bootstrap only.

 

Let's look at the packet trace.

From the filtered list, right click on the first entry where wa1 is contacting smps2.

Then select "Follow" and "TCP Stream".

You can close the popup window.

One thing you can see there in clear text is the Trusted Host Name "trust_wa1", which was found in the SmHost.conf file.

You can see the filter has changed to "tcp.stream eq 11".

The first 3 entries are the TCP handshake.

WA1 opened its TCP port 50134 and established a connection to SMPS2 at port 44443.

You can then see that WA1 is sending the Trusted Host Name to SMPS2.

You will observe this each time the Web Agent creates a new connection to the Policy Server.

We won't be able to decode what is being sent and received, but this is where WA1 is fetching the HCO "hco.smps1".

 

 

This is the end of the Bootstrap stage.

==================================================

 

Now, go back to the original filter we used.

ip.src_host == "wa1.shared.lab" && (ip.dst_host == "smps1.shared.lab" || ip.dst_host == "smps2.shared.lab")

You would notice from the above that, once WA1 has reset the connection from its TCP port 50134 to SMPS2 at 44443, the Web Agent then contacts SMPS1.SHARED.LAB.

 

You would also notice that it opens 2 TCP connections.

This is based on the MinSocketsPerPort setting in the HCO, which is set to 2.

This governs the initial connections to the policy servers registered in the HCO.

Subsequently, whenever the Web Agent needs additional connections to the Policy Server, it creates the number of connections defined by NewSocketStep.

The Web Agent can keep adding connections up to MaxSocketsPerPort.

HCO Sockets Parameters
[1972/2856][Tue Apr 18 2017 23:23:35] hostname='trust_wa1'.
[1972/2856][Tue Apr 18 2017 23:23:35] maxsocketsperport='20'.
[1972/2856][Tue Apr 18 2017 23:23:35] minsocketsperport='2'.
[1972/2856][Tue Apr 18 2017 23:23:35] newsocketstep='2'.
[1972/2856][Tue Apr 18 2017 23:23:35] requesttimeout='60'.
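As an added illustration (not the Web Agent's own code), here is a small Python model of these three HCO parameters: it parses trace lines in the format quoted above and works out how the per-Policy-Server socket count grows from MinSocketsPerPort by NewSocketStep up to MaxSocketsPerPort. The growth schedule and the sanity checks are my reading of the description above, not documented agent behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Web Agent trace format quoted above
# ("[pid/tid][timestamp] key='value'."); the values mirror the page's HCO.
HCO_TRACE = """\
[1972/2856][Tue Apr 18 2017 23:23:35] hostname='trust_wa1'.
[1972/2856][Tue Apr 18 2017 23:23:35] maxsocketsperport='20'.
[1972/2856][Tue Apr 18 2017 23:23:35] minsocketsperport='2'.
[1972/2856][Tue Apr 18 2017 23:23:35] newsocketstep='2'.
[1972/2856][Tue Apr 18 2017 23:23:35] requesttimeout='60'.
"""

TRACE_LINE = re.compile(r"^\[(\d+)/(\d+)\]\[([^\]]+)\]\s+(\w+)='([^']*)'\.$")


def parse_hco_trace(text):
    """Return {key: value} for every key='value'. line; other lines are ignored."""
    params = {}
    for line in text.splitlines():
        m = TRACE_LINE.match(line.strip())
        if m:
            params[m.group(4).lower()] = m.group(5)
    return params


@dataclass(frozen=True)
class SocketPolicy:
    min_sockets: int   # MinSocketsPerPort: opened up front to each HCO-listed Policy Server
    step: int          # NewSocketStep: how many more sockets are opened per growth step
    max_sockets: int   # MaxSocketsPerPort: hard ceiling per Policy Server

    @classmethod
    def from_trace(cls, params):
        return cls(
            min_sockets=int(params["minsocketsperport"]),
            step=int(params["newsocketstep"]),
            max_sockets=int(params["maxsocketsperport"]),
        )


def validate(policy):
    """Sanity checks inferred from the page's description of the parameters (an assumption)."""
    problems = []
    if policy.min_sockets < 1:
        problems.append("MinSocketsPerPort must be at least 1 or no connection is ever opened")
    if policy.min_sockets > policy.max_sockets:
        problems.append("MinSocketsPerPort exceeds MaxSocketsPerPort")
    if policy.step < 1 and policy.min_sockets < policy.max_sockets:
        problems.append("NewSocketStep is not positive, so the pool can never grow past MinSocketsPerPort")
    return problems


def growth_schedule(policy):
    """Socket count per Policy Server after the initial open and after each growth step.

    The first entry is what the packet trace shows at startup (2 connections here);
    later entries are the sizes reached as the agent adds NewSocketStep sockets at a
    time, never exceeding MaxSocketsPerPort.
    """
    sizes = [min(policy.min_sockets, policy.max_sockets)]
    if policy.step < 1:
        return sizes  # a non-positive step would loop forever; the pool stays at its minimum
    while sizes[-1] < policy.max_sockets:
        sizes.append(min(sizes[-1] + policy.step, policy.max_sockets))
    return sizes


if __name__ == "__main__":
    params = parse_hco_trace(HCO_TRACE)
    policy = SocketPolicy.from_trace(params)
    print("trusted host:", params["hostname"])
    print("problems:", validate(policy) or "none")
    print("pool growth:", growth_schedule(policy))
```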

 

As these are new connections, they also follow the normal procedure of reading SmHost.conf and sending the Trusted Host Name and Shared Secret.

These 2 connections will be used to send the normal HTTP requests the Web Agent has intercepted for processing.

This is the end of the 2nd stage, where the Web Agent contacts the HCO-listed Policy Server to establish connections; it is also where it downloads the ACO.

 

========================================================

 

But this is not the end.

You will see from Wireshark that the Bootstrap connection and HCO connection above repeat one more time.

This is because the first round (Bootstrap and HCO connection) was performed by the w3wp.exe process.

The second round (Bootstrap and HCO connection) is then performed again when LLAWP.exe gets spawned by the w3wp.exe process.

The LLAWP.exe process goes through the exact same steps mentioned above.

 

I am attaching the sample3.zip file, which contains all the relevant data demonstrating the Agent to Policy Server connection.

There is also another tool that makes it very clear who (w3wp.exe or LLAWP.exe) is connecting to the Policy Server.

It is Process Monitor. If your Web Agent is on Windows, I would highly recommend this tool.

It is a very powerful tool for debugging what a process does.

As there will be too much data, my advice is to enable only "Network Activity".

Unselect "Registry Activity", "File System Activity" and "Process and Thread Activity".

Then add the following filters.

 

Then let's look at the same sequence in the Process Monitor log.

Step1: w3wp.exe connects to smps2.shared.lab:44443 using TCP port 49268 and disconnects.

You can tell that this comes from reading SmHost.conf.

Step2: w3wp.exe connects to smps1.shared.lab:44443 by creating 2 connections, ports 49269 and 49270.

You can tell this is after reading the HCO.

You would also notice there is no "TCP Disconnect" for these connections.

And if you look closely, after establishing the 2 connections, w3wp.exe uses the first connection (port 49269) to receive (TCP Receive) something a few times. This is because it is downloading the ACO.

Then the same thing happens again, but this time it is the LLAWP.exe process.

Step3: LLAWP.exe connects to smps2.shared.lab:44443 using TCP port 49271 and disconnects.

Step4: LLAWP.exe connects to smps1.shared.lab:44443 by creating 2 connections, port 49269 and 49270.

And again it is using the first port, 49272, to download the ACO.

At this point, LLAWP would have started logging to WA.log.
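To make the four steps above checkable rather than eyeballed, here is an added Python example (not a Process Monitor feature or vendor code) that classifies connection events into the bootstrap, HCO pool and ACO-download roles described above. The events are constructed in the shape of a Process Monitor "Network Activity" view; the local port numbers are made up for the sample.

```python
from collections import OrderedDict

# Constructed events: (process, operation, local port, remote endpoint).
# Hosts follow the page's lab; the port numbers are invented for this example.
EVENTS = [
    ("w3wp.exe",  "TCP Connect",    49268, "smps2.shared.lab:44443"),
    ("w3wp.exe",  "TCP Send",       49268, "smps2.shared.lab:44443"),
    ("w3wp.exe",  "TCP Receive",    49268, "smps2.shared.lab:44443"),
    ("w3wp.exe",  "TCP Disconnect", 49268, "smps2.shared.lab:44443"),
    ("w3wp.exe",  "TCP Connect",    49269, "smps1.shared.lab:44443"),
    ("w3wp.exe",  "TCP Connect",    49270, "smps1.shared.lab:44443"),
    ("w3wp.exe",  "TCP Receive",    49269, "smps1.shared.lab:44443"),
    ("w3wp.exe",  "TCP Receive",    49269, "smps1.shared.lab:44443"),
    ("LLAWP.exe", "TCP Connect",    49271, "smps2.shared.lab:44443"),
    ("LLAWP.exe", "TCP Disconnect", 49271, "smps2.shared.lab:44443"),
    ("LLAWP.exe", "TCP Connect",    49272, "smps1.shared.lab:44443"),
    ("LLAWP.exe", "TCP Connect",    49273, "smps1.shared.lab:44443"),
    ("LLAWP.exe", "TCP Receive",    49272, "smps1.shared.lab:44443"),
]


def group_connections(events):
    """Collapse events into one record per (process, local port), in first-seen order."""
    conns = OrderedDict()
    for proc, op, lport, remote in events:
        rec = conns.setdefault((proc, lport), {"remote": remote, "ops": []})
        rec["ops"].append(op)
    return conns


def classify_agent_connections(events, bootstrap_server, hco_servers, ps_port=44443):
    """Label each agent connection the way the Process Monitor walkthrough above does.

    bootstrap:  to the SmHost.conf server, torn down right after the HCO download
    pool:       to an HCO-listed server and kept open (the MinSocketsPerPort connections)
    aco:        the first pool connection that receives data, i.e. the ACO download
    unexpected: anything else, e.g. a bootstrap connection that never disconnected
    """
    summary = {}
    for (proc, lport), rec in group_connections(events).items():
        s = summary.setdefault(proc, {"bootstrap": [], "pool": [], "aco": None, "unexpected": []})
        host, _, port = rec["remote"].rpartition(":")
        closed = "TCP Disconnect" in rec["ops"]
        if port != str(ps_port):
            s["unexpected"].append(lport)
        elif host == bootstrap_server and closed:
            s["bootstrap"].append(lport)
        elif host in hco_servers and not closed:
            s["pool"].append(lport)
            if s["aco"] is None and "TCP Receive" in rec["ops"]:
                s["aco"] = lport
        else:
            s["unexpected"].append(lport)
    return summary


if __name__ == "__main__":
    for proc, roles in classify_agent_connections(EVENTS, "smps2.shared.lab", {"smps1.shared.lab"}).items():
        print(proc, roles)
```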

 

=====================================================

 

Then, which process (High Level Agent or Low Level Agent) contacts the Policy Server to send the IsProtected/IsAuthenticated/IsAuthorized calls?

It is the HLA (High Level Agent, w3wp.exe).

To prove this, I have disabled the Agent Cache so every refresh of the browser sends IsProtected calls to the Policy Server.

You can see numerous conversations between the w3wp.exe process and smps1.shared.lab:44443.

And you will find LLAWP.exe occasionally using its HCO connection to contact the Policy Server as well.

That is for management calls.

You will find that LLAWP.exe contacts the HCO-listed Policy Server every 30 seconds.

 

This is a simplified use case for demonstration purposes.

If you capture the same packet trace on a Linux machine running the Apache Web Agent, you would find all the child httpd processes contacting the Policy Server. But it would still be the same as what is described here for the w3wp.exe process.

And you would also find 1 LLAWP process establishing its own connections, going through the same procedure.

Hope this answers many questions you might have had relating to this topic.

 

The following article, written by Yu Nishzaki, covers the same topic.

The sequence of communication between WebAgent and Policy Server.

Next, I will share what happens when there are failovers and a cluster is used.

SungHoon_Kim

DUMPIO module on Apache

Posted by SungHoon_Kim Employee Apr 3, 2017

There are situations where you need to get the HTTP traffic in clear text.

Decrypting HTTPS traffic from Wireshark is not as convenient as it was in the SSLv3 era.

And at times, Fiddler just does not pick up the transaction.

What do you do?

If you are using IIS, you can enable Failed Request Tracing (yeah, I know, not the most convenient way when you have flooding requests).

If you are using Apache, you can make use of the dumpio module.

If you are using CA Access Gateway, this method still applies, as the dumpio module is bundled out of the box.

 

Locate the httpd.conf file and add the following entries.

At the LoadModule section:

LoadModule dumpio_module modules/mod_dumpio.so

 

At the LogLevel section:

LogLevel error dumpio:trace7

Let's say your existing LogLevel was "error".

You just need to add a space followed by "dumpio:trace7".

This enables the "trace7" log level only for the "dumpio" module.

Other modules will still log only at the "error" log level.

 

After the LogLevel:

DumpIOInput On

DumpIOOutput On

 

Once you have added this to your httpd.conf file, you must restart your Apache web server.

 

You will find log entries like the sample below, tagged "dumpio:trace7".

Apache error_log

[Thu Mar 23 18:19:32.657465 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(135): [client 101.164.90.60:50863] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(58): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): 31 bytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): POST /kimlabs365/mex HTTP/1.0\r\n

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(135): [client 101.164.90.60:50863] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(58): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): 24 bytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): Connection: Keep-Alive\r\n

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(135): [client 101.164.90.60:50863] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(58): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): 36 bytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Type: application/soap+xml\r\n

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(135): [client 101.164.90.60:50863] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(58): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): 13 bytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): Accept: */*\r\n

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(135): [client 101.164.90.60:50863] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(58): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): 281 bytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; WOW64; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; MSOIDCRL 7.250.4556.0; App lync.exe, 15.0.4903.0, {0000003F-002B-0000-6CDD-FA6C4E000000})\r\n

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(135): [client 101.164.90.60:50863] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(58): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): 21 bytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Length: 445\r\n

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(135): [client 101.164.90.60:50863] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(58): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): 23 bytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): Host: www.kimlabs.net\r\n

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(135): [client 101.164.90.60:50863] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(58): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): 2 bytes

[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): \r\n

 

You will find all Request and Response header information in your apache error_log file.
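Since dumpio writes each header on its own trace line, and also captures credentials (the Authorization and Cookie headers that appear in the O365 logs later on this page), here is an added Python helper, not part of mod_dumpio, that reassembles a request from the trace7 lines and masks credential-bearing headers before the log is shared. The sample lines are constructed after the entries above; the Negotiate token is a placeholder.

```python
import re

# Constructed sample modeled on the mod_dumpio trace7 entries above (not a real capture).
# Raw string, so the "\r\n" that mod_dumpio logs stays as four literal characters.
SAMPLE_LOG = r"""
[Thu Mar 23 18:19:32.657465 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(135): [client 101.164.90.60:50863] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(58): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): 31 bytes
[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): POST /kimlabs365/mex HTTP/1.0\r\n
[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): Host: www.kimlabs.net\r\n
[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Type: application/soap+xml\r\n
[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): Authorization: Negotiate PLACEHOLDER_TOKEN\r\n
[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): Content-Length: 5\r\n
[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): \r\n
[Thu Mar 23 18:19:32.684467 2017] [dumpio:trace7] [pid 3508:tid 1752] mod_dumpio.c(100): [client 101.164.90.60:50863] mod_dumpio:  dumpio_in (data-TRANSIENT): hello
"""

ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[dumpio:trace7\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"mod_dumpio\.c\(\d+\): \[client (?P<client>[^\]]+)\] mod_dumpio:\s+"
    r"(?P<dir>dumpio_in|dumpio_out) \(data-\w+\): (?P<payload>.*)$"
)
COUNT_RE = re.compile(r"^\d+ bytes$")  # the size lines; assumed never to be real header data
CRLF = r"\r\n"                          # literal backslash-r backslash-n as written by mod_dumpio
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie"}


def _build_message(ts, key, lines):
    client, direction = key
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"time": ts, "client": client, "direction": direction,
            "start_line": lines[0], "headers": headers, "body": None}


def parse_dumpio(text):
    """Reassemble HTTP messages from dumpio lines, one stream per (client endpoint, direction)."""
    pending, messages, want_body = {}, [], {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if not m or COUNT_RE.match(m.group("payload")):
            continue                                # readbytes and "N bytes" lines carry no data
        key = (m.group("client"), m.group("dir"))
        payload = m.group("payload")
        if payload.endswith(CRLF):
            payload = payload[:-len(CRLF)]
        if key in want_body:                        # first data chunk after the headers is the body
            want_body.pop(key)["body"] = payload    # (a body split over several chunks is not joined)
            continue
        if payload:
            pending.setdefault(key, []).append(payload)
            continue
        lines = pending.pop(key, [])                # empty line terminates the header block
        if not lines:
            continue
        msg = _build_message(m.group("ts"), key, lines)
        messages.append(msg)
        length = next((v for k, v in msg["headers"].items() if k.lower() == "content-length"), "0")
        if length.isdigit() and int(length) > 0:
            want_body[key] = msg
    return messages


def redact(message):
    """Copy of a message with credential-bearing headers masked, so the log can be shared."""
    out = dict(message)
    out["headers"] = {k: "[REDACTED]" if k.lower() in SENSITIVE else v
                      for k, v in message["headers"].items()}
    return out


if __name__ == "__main__":
    for msg in parse_dumpio(SAMPLE_LOG):
        safe = redact(msg)
        print(safe["client"], safe["direction"], safe["start_line"])
        for name, value in safe["headers"].items():
            print("   ", name + ":", value)
```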

This is a follow-up on my previous "O365 Integration Test Result".

I did some more tests...

 

Question #1:

In Active Requestor Mode, does the Office Client contact STS directly for authentication? Or is it office.com?

 

Question #2:

In Passive Requestor Mode, does the Office Client contact AuthenticationURL(redirect.jsp) directly for authentication? Or is it office.com?

 

 

I was unable to decrypt the network traffic (and also unable to capture it from Fiddler), so I am relying on the header information I enabled on Apache by using "dumpio:trace7".

I will write a separate article about the "dumpio" module after this. Here!!

All the Request and Response headers will be logged in the Apache error_log file.

 

In order to set up the O365 environment within the CA.COM network, we had to have a proxy server that would forward the requests to our CA Access Gateway server.

I will just refer to it as "proxy.cassodemos.com".

This forwards HTTPS requests to "CA Access Gateway" (aka SPS) in the internal lab environment.

Let's say the proxy.cassodemos.com IP address is 10.0.0.1.

The SPS server is "gateway.cassodemos.com".

Its IP address is 192.168.0.2.

And we have a client machine; let's refer to it as "client.cassodemos.com".

Its IP is 192.168.0.11.

 

Active Requestor mode, error_log with dumpio:trace7
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 61 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): POST /SamplePartnership-Office365/windowstransport HTTP/1.1\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 34 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): Host: gateway.cassodemos.com\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 36 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): Content-Type: application/soap+xml\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 13 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): Accept: */*\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 195 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; WOW64; .NET4.0C; .NET4.0E; InfoPath.3; MSOIDCRL 7.250.4556.0; App EXCEL.EXE, 15.0.4911.0, {9317BCB6-314B-442F-A5DA-9BC2BEBC271D})\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 42 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): X-MS-SmartNegotiateSupportedClient: True\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 787 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): Authorization: Negotiate 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\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 167 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): Cookie: NTLMCRED=H7Hjely0WvHunvswx%2Frx4wN%2BQrrf0IHPmBeyheMHra8XEb%2BU1s%2BUVr5pPFBEK%2BC9QXxh%2F%2BE261aMdj7uPVmqQAX5AgCKa%2FwFPwMM3IIeyrR2lF%2FX9M%2BxdjXBjyZuX7wu\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 32 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): X-Forwarded-For: 192.168.0.11\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 47 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): X-Forwarded-Host: proxy.cassodemos.com\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 49 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): X-Forwarded-Server: proxy.cassodemos.com\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 24 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): Connection: Keep-Alive\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 22 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): Content-Length: 1475\r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 2 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): \r\n
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(135): [client 10.0.0.1:59121] mod_dumpio: dumpio_in [readbytes-blocking] 1475 readbytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(58): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): 1475 bytes
[Tue Mar 28 18:23:26.297153 2017] [dumpio:trace7] [pid 2964:tid 1664] mod_dumpio.c(100): [client 10.0.0.1:59121] mod_dumpio: dumpio_in (data-TRANSIENT): <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><s:Header><wsa:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action><wsa:To s:mustUnderstand="1">https://proxy.cassodemos.com:443/SamplePartnership-Office365/windowstransport</wsa:To><wsa:MessageID>1490739805</wsa:MessageID><wsse:Security><wsu:Timestamp Id="Timestamp"><wsu:Created>2017-03-28T22:23:24Z</wsu:Created><wsu:Expires>2017-03-28T22:28:24Z</wsu:Expires></wsu:Timestamp></wsse:Security></s:Header><s:Body><wst:RequestSecurityToken Id="RST0"><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo><wsa:EndpointReference><wsa:Address>urn:federation:MicrosoftOnline</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType></wst:RequestSecurityToken></s:Body></s:Envelope>

 

Based on this header information, EXCEL.EXE was contacting the SPS server directly.

Also, you can see the User-Agent header showing that this is EXCEL.EXE:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; WOW64; .NET4.0C; .NET4.0E; InfoPath.3; MSOIDCRL 7.250.4556.0; App EXCEL.EXE, 15.0.4911.0, {9317BCB6-314B-442F-A5DA-9BC2BEBC271D})\r\n

 

 

And the following is the Passive mode.

Passive Requestor mode, dumpio:trace7 Apache error_log
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): GET /affwebservices/redirectjsp/redirect.jsp?login_hint=suser%40cassodemos.com&client-request-id=642c4528-34aa-44d9-92e5-c4c77562dd00&username=suser%40cassodemos.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQIIAXWQPUtbURyHc3KjJDoYpIPFRWsGKT035_zvubfnHii0WJf4EqE6OJ63mFBzr70vRp06OBYpfoQuhYxO4uQgKA6SUQuOgnQtlI7GD9DlmZ7f8PzGJnepS1wgHh-CBsSH4LVDXSpqxvNDYk2AfVAeZpQAlrbVwlIagBCkIlQnk2PV-cU3ps_uPh4_XFzm6r7QRy_zJBIdm7VEb0vEMs_aAlwi4lidIjRA6Lj4Is1Tm7zXMk1jY7tx6uq4OyiiX8WJ5oehD8-Ik86B7Tuz7SzbSUW9rqXufpG4u--mbZnYnbgTZc-7-olTM8rTb02gMZeGYeb5PpacWRwG3IREBUQycubUNDNgWgqwBa6HTR7Doa8UJkyCCTzuhVzeOmhQQr9L02VULUz9nZg5Or-pzJeJIyrl0aoz9XVppvCvhH6MDNsf5_40XzXGG9-Org5_RpXC9Uh9ZXsvymCL7kYG-PK67kG-vrAKeqHZ7m1__rR20FjZ32xmZnODv6OCfh9FZ5X_H_YE0&SMPORTALURL=https%3A%2F%2Fproxy.cassodemos.com%2Faffwebservices%2Fpublic%2Fwsfedsso%2F HTTP/1.1\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 34 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): Host: gateway.cassodemos.com\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 13 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): Accept: */*\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 57 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): client-request-id: 642C4528-34AA-44D9-92E5-C4C77562DD00\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 33 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): return-client-request-id: false\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 20 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): x-ms-PKeyAuth: 1.0\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 21 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): x-client-SKU: Win32\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 34 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): x-client-Ver: v1.0.2038.20160526\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 23 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): x-client-OS: 6.3.9600\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 24 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): Accept-Language: en-US\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 32 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): Accept-Encoding: gzip, deflate\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 164 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 31 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): X-Forwarded-For: 192.168.0.11\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 47 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): X-Forwarded-Host: proxy.cassodemos.com\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 49 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): X-Forwarded-Server: proxy.cassodemos.com\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 24 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): Connection: Keep-Alive\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): 2 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_in (data-TRANSIENT): \r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(164): [client 10.0.0.1:62898] mod_dumpio: dumpio_out
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_out (data-HEAP): 1399 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): [client 10.0.0.1:62898] mod_dumpio: dumpio_out (data-HEAP): HTTP/1.1 302 Found\r\nDate: Mon, 03 Apr 2017 05:02:14 GMT\r\nServer: Apache/2.4.23 (Win32) OpenSSL/1.0.2h-fips mod_jk/1.2.41\r\nCache-Control: no-store\r\nLocation: https://gateway.cassodemos.com/siteminderagent/ntlm/creds.ntc?CHALLENGE=&SMAGENTNAME=-SM-g00SHbGg4HLNZMsE7KCm0KUW4x%2bFPhEsn9uEgVloiF5P0VTfWwh4LVNz8nZEAubu&TARGET=-SM-HTTPS%3a%2f%2fgateway%2ecassodemos%2ecom%2faffwebservices%2fredirectjsp%2fredirect%2ejsp%3flogin_hint%3dsuser-%40cassodemos%2ecom%26client--request--id%3d642c4528--34aa--44d9--92e5--c4c77562dd00%26username%3dsuser-%40cassodemos%2ecom%26wa%3dwsignin1%2e0%26wtrealm%3durn-%3afederation-%3aMicrosoftOnline%26wctx%3destsredirect-%3d2-%26estsrequest-%3drQIIAXWQPUtbURyHc3KjJDoYpIPFRWsGKT035_zvubfnHii0WJf4EqE6OJ63mFBzr70vRp06OBYpfoQuhYxO4uQgKA6SUQuOgnQtlI7GD9DlmZ7f8PzGJnepS1wgHh--CBsSH4LVDXSpqxvNDYk2AfVAeZpQAlrbVwlIagBCkIlQnk2PV--cU3ps_uPh4_XFzm6r7QRy_zJBIdm7VEb0vEMs_aAlwi4lidIjRA6Lj4Is1Tm7zXMk1jY7tx6uq4OyiiX8WJ5oehD8--Ik86B7Tuz7SzbSUW9rqXufpG4u----mbZnYnbgTZc--7--olTM8rTb02gMZeGYeb5PpacWRwG3IREBUQycubUNDNgWgqwBa6HTR7Doa8UJkyCCTzuhVzeOmhQQr9L02VULUz9nZg5Or--pzJeJIyrl0aoz9XVppvCvhH6MDNsf5_40XzXGG9--Org5_RpXC9Uh9ZXsvymCL7kYG--PK67kG--vrAKeqHZ7m1__rR20FjZ32xmZnODv6OCfh9FZ5X_H_YE0%26SMPORTALURL%3dhttps-%3A-%2F-%2Fproxy%2ecassodemos%2ecom-%2Faffwebservices-%2Fpublic-%2Fwsfedsso-%2F\r\nContent-Length: 0\r\nKeep-Alive: timeout=5, max=99\r\nConnection: Keep-Alive\r\n\r\n
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(164): [client 10.0.0.1:62898] mod_dumpio: dumpio_out
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_out (metadata-EOS): 0 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(164): [client 10.0.0.1:62898] mod_dumpio: dumpio_out
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_out (metadata-EOR): 0 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [speculative-nonblocking] 1 readbytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(150): [client 10.0.0.1:62898] mod_dumpio: dumpio_in - 11
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(164): [client 10.0.0.1:62898] mod_dumpio: dumpio_out
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(58): [client 10.0.0.1:62898] mod_dumpio: dumpio_out (metadata-FLUSH): 0 bytes
[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(135): [client 10.0.0.1:62898] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes

 

Here you can see the client is still directly accessing the SPS server (through the proxy).

So, in both Active and Passive mode, the Office client directly authenticates against the SPS (or WA/WAOP).

 

But the User-Agent information looks a bit different.

From testing, I found the User-Agent is different in Passive mode.

 

"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)"

 

 

It does not really tell if this is an IE browser or something else.

Initially I thought it was IE, but my test was performed using Office clients (Word, Excel, Skype and Outlook).

 

So I tried a real IE browser and captured its User-Agent as below.

"User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

 

I found 3 differences.

The Mozilla version, "rv:11.0" and "like Gecko" are different.

"rv:11.0" means it is IE 11.0.

This happens only in Passive mode.

 

In the case of Active mode, I was getting the following User-Agent headers.

 

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; WOW64; .NET4.0C; .NET4.0E; InfoPath.3; MSOIDCRL 7.250.4556.0; App EXCEL.EXE, 15.0.4911.0, {9317BCB6-314B-442F-A5DA-9BC2BEBC271D})"

 

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.3; WOW64; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; MSOIDCRL 7.250.4556.0; App lync.exe, 16.0.7369.2120, {12B07E85-1B47-41C4-A4E2-43B0C66A0CF6})"

 

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; WOW64; .NET4.0C; .NET4.0E; InfoPath.3; MSOIDCRL 7.250.4556.0; App OUTLOOK.EXE, 15.0.4911.0, {9317BCB6-314B-442F-A5DA-9BC2BEBC271D})"
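As an added example (not code from the post), here is a small Python script that reads mod_dumpio trace lines like the ones above, splits them into requests on the empty-line terminator, and labels each request as Office Active mode, Office Passive mode or a real IE browser using the User-Agent markers this post identifies (MSOIDCRL plus "App <exe>", "rv:11.0 ... like Gecko", and the Mozilla/4.0 + MSIE 7.0 + Trident/7.0 profile). The log lines are constructed samples in the same format, and the classification rules are my reading of the three captured profiles, so treat them as a starting point for log review rather than a definitive fingerprint.

```python
import re

def _dumpio(client, payload):
    # Constructed line in the mod_dumpio trace7 format shown above (sample, not the page's log).
    return (f"[Mon Apr 03 01:02:14.849544 2017] [dumpio:trace7] [pid 5216:tid 1656] mod_dumpio.c(100): "
            f"[client {client}] mod_dumpio: dumpio_in (data-TRANSIENT): {payload}\\r\\n")

# The three User-Agent profiles the post captured, replayed as sample input.
SAMPLE_LOG = [
    _dumpio("10.0.0.1:62898", "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E)"),
    _dumpio("10.0.0.1:62898", "X-Forwarded-For: 192.168.0.11"),
    _dumpio("10.0.0.1:62898", ""),  # the 2-byte "\r\n" that ends a request's header block
    _dumpio("10.0.0.1:62901", "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; WOW64; "
            "MSOIDCRL 7.250.4556.0; App EXCEL.EXE, 15.0.4911.0, {9317BCB6-314B-442F-A5DA-9BC2BEBC271D})"),
    _dumpio("10.0.0.1:62901", ""),
    _dumpio("10.0.0.1:62910", "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"),
]

# A dumpio_in line carrying "Name: value\r\n"; request lines, byte counts and dumpio_out do not match.
HEADER_RE = re.compile(r"\[client (?P<client>[^\]]+)\] mod_dumpio: dumpio_in \(data-TRANSIENT\): "
                       r"(?P<name>[A-Za-z0-9-]+): (?P<value>.*)\\r\\n$")
END_RE = re.compile(r"\[client (?P<client>[^\]]+)\] mod_dumpio: dumpio_in \(data-TRANSIENT\): \\r\\n$")

def classify_user_agent(ua):
    """Classify a User-Agent with the markers the post's Active/Passive captures show."""
    if "MSOIDCRL" in ua:                                   # Office client, Active mode
        m = re.search(r"App ([^,]+),", ua)
        return "office-active", (m.group(1) if m else None)
    if m := re.search(r"rv:(\d+(?:\.\d+)?)\) like Gecko", ua):  # real IE 11 browser
        return "browser-ie", "IE " + m.group(1)
    if ua.startswith("Mozilla/4.0") and "MSIE 7.0" in ua and "Trident/7.0" in ua:
        return "office-passive", None                      # Office client, Passive mode
    return "unknown", None

def classify_requests(lines):
    """One row per HTTP request: client socket, mode (from User-Agent) and the original caller IP."""
    open_reqs, rows = {}, []
    def close(client, hdrs):
        kind, detail = classify_user_agent(hdrs.get("user-agent", ""))
        rows.append({"client": client, "kind": kind, "detail": detail, "xff": hdrs.get("x-forwarded-for")})
    for line in lines:
        if m := HEADER_RE.search(line):
            open_reqs.setdefault(m.group("client"), {})[m.group("name").lower()] = m.group("value")
            continue
        m = END_RE.search(line)  # the empty line closes that client's current header block
        if m and m.group("client") in open_reqs:
            close(m.group("client"), open_reqs.pop(m.group("client")))
    for client, hdrs in open_reqs.items():  # cut off before the terminator, as in a truncated log
        close(client, hdrs)
    return rows
```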

 

==============================

Another test was performed using "OneDrive for Business" client.

How seamless is "Seamless"?

 

It turns out the experience is equivalent to how the Excel and Word worked.

At the initial launch (or after you have emptied the stored credentials from the "Credential Manager" in Control Panel), you will need to enter the user ID (suser@cassodemos.com), as this allows the client to contact O365 and identify where to go for authentication.

 

The OneDrive client app did not ask for the user ID until I went to its system tray icon and clicked the "Sync Now" menu.

 

You will get this prompt and have to manually enter the user ID as shown above.

Once you click "Next" the login is seamless.