Summary of Outlook Autodiscover Order

Issue: You would like a better understanding of the order in which Outlook goes through the Autodiscover process

  1. SCP lookup: Outlook will query Active Directory for Autodiscover information. If that fails, Outlook begins its “non-domain connected” logic and works down the rest of this list in order.
  2. HTTPS root domain query: if not domain joined, Outlook queries using the domain of the primary email address (the right-hand side of the address). Using this domain as an example, it will search for https://enterpriseit.co/autodiscover/autodiscover.xml
  3. HTTPS Autodiscover domain query: if the above search yields no response, the next URL Outlook will try is https://autodiscover.enterpriseit.co/autodiscover/autodiscover.xml
  4. HTTP redirect method
  5. SRV record query
  6. Local XML file
  7. Cached URL in the Outlook profile (new for Outlook 2013)

Item 2 means that if the domain (enterpriseit.co above) resolves to an HTTPS server, that server NEEDS a certificate that matches enterpriseit.co, or Outlook will complain. A typical example: a wildcard certificate is installed on your Exchange server, but the domain’s A record points to a web server that serves HTTPS with a certificate that does not match enterpriseit.co. Autodiscover doesn’t proceed to item 3 in that case; it stops there and complains.

Autodiscover can be covered either with a wildcard certificate (*.enterpriseit.co), a standard certificate that is just for the naked domain enterpriseit.co, or a UCC certificate that covers the naked domain and the mail-related subdomains (www.enterpriseit.co, example.com, mail.enterpriseit.co, etc.).
Note: Technically, the wildcard name *.enterpriseit.co doesn’t cover the naked domain (the “.” between the asterisk and the domain breaks the match), but wildcard certificates cover the naked domain by also listing it in the Subject Alternative Name.

The wildcard certificate currently installed on our example mail server has the following for the Subject Alternative Name:
DNS Name=*.enterpriseit.co
DNS Name=enterpriseit.co

If there is no HTTPS server for the naked domain, then Autodiscover falls through to item 3, needing an HTTPS server responding to autodiscover.enterpriseit.co. This can reside on the mail server or on another web server. Once again, that server either needs to be dedicated to Autodiscover with a dedicated certificate for autodiscover.enterpriseit.co (kind of weak; I’ve never seen this), a wildcard certificate, or a UCC certificate as above. If you do this, then the server should (obviously) actually host autodiscover/autodiscover.xml.
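To make the certificate-matching behaviour described above concrete, here is an added example (not Outlook’s code, nor anything from the article’s environment) that walks the non-domain-joined lookup order against a constructed model of which hosts answer HTTPS and what SAN names their certificates carry. The redirect and SRV names it lists are the standard ones Outlook uses; the hostnames, certificates and scenarios are constructed for illustration.

```python
# Added example (not Outlook's code): models the non-domain-joined
# Autodiscover order from the list above against constructed hosts/certs.

def cert_covers(san_names, hostname):
    """RFC 6125-style match: a wildcard replaces only the left-most label,
    so *.enterpriseit.co matches autodiscover.enterpriseit.co but neither
    the naked domain enterpriseit.co nor a.b.enterpriseit.co."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_names):
        if name.startswith("*."):
            suffix = name[1:]                       # ".enterpriseit.co"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:          # exactly one label replaced
                return True
        elif name == host:
            return True
    return False

def autodiscover_steps(email):
    """Candidate lookups in the order given above, SCP omitted (the client
    is not domain joined).  Redirect/SRV names are Outlook's standard ones."""
    domain = email.rsplit("@", 1)[1].lower()
    path = "/autodiscover/autodiscover.xml"
    return [
        ("https-root", domain, f"https://{domain}{path}"),
        ("https-autodiscover", f"autodiscover.{domain}",
         f"https://autodiscover.{domain}{path}"),
        ("http-redirect", f"autodiscover.{domain}",
         f"http://autodiscover.{domain}{path}"),
        ("srv", f"_autodiscover._tcp.{domain}", None),
    ]

def walk(email, https_hosts):
    """https_hosts: hostname -> SAN list served on 443 (absent host = no
    HTTPS listener).  Returns the first HTTPS step that gets an answer and
    whether its certificate matches: a mismatch at the root stops the walk
    rather than falling through.  None if no HTTPS host answers."""
    for step, host, _url in autodiscover_steps(email):
        if step.startswith("https") and host in https_hosts:
            return step, cert_covers(https_hosts[host], host)
    return None

# Constructed scenarios for user@enterpriseit.co (the page's example domain).
WILDCARD_SAN = ["*.enterpriseit.co", "enterpriseit.co"]   # as on the mail server
BROKEN = {"enterpriseit.co": ["www.enterpriseit.co"],       # web host, wrong cert
          "autodiscover.enterpriseit.co": WILDCARD_SAN}
FIXED_ROOT = {"enterpriseit.co": WILDCARD_SAN}
FALL_THROUGH = {"autodiscover.enterpriseit.co": WILDCARD_SAN}  # no HTTPS at root
```

Calling `walk("user@enterpriseit.co", BROKEN)` reports the stop at the root domain with a failed match, while `FALL_THROUGH` reaches autodiscover.enterpriseit.co with a matching wildcard.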

Resources:
https://blogs.technet.com/b/kristinw/archive/2013/04/19/controlling-outlook-autodiscover-behavior.aspx
