
Fixing Autodiscover Root Domain Lookup Issues for Mobile Devices

There’s a fairly common issue that occurs with mobile devices connecting to Exchange Server or Exchange Online for mailbox access.

Before we go further though, I just want to point out two other potential causes of this issue that you should check first, as they’re simpler solutions:

  • User principal names (UPNs) for user accounts should match primary SMTP addresses. If they don’t, then some mobile devices will fail to set up with Autodiscover.
  • Some Android devices need the username (UPN/email) to be entered as “username”, for example “alex.heyne@exchangeserverpro.net”

Assuming neither of the above suggestions fixed your problem, you may be having issues due to Autodiscover and root domain lookups. When the mobile device begins the Autodiscover process, it will often fail and prompt the user to manually configure their device settings.

When clients use Autodiscover to locate server configuration details, the first attempt is usually made against the root domain of the user’s email address. For example, for the user alex.heyne@exchangeserverpro.net, an Autodiscover attempt is sent to https://exchangeserverpro.net/Autodiscover/Autodiscover.xml. You can see this behavior by running the ActiveSync Autodiscover test using the Remote Connectivity Analyzer.

The root domain lookup makes absolutely no sense to me, since no customer I’ve ever dealt with has their root domain resolving in DNS to their Exchange server where the Autodiscover service is available. But that’s the behavior, so we need to deal with it.

Now, most clients will handle that root domain lookup failure gracefully, and (just like the Remote Connectivity Analyzer does) move on to the next Autodiscover method. As long as the Autodiscover CNAME or SRV record is implemented (or both), the client will successfully connect to Autodiscover and the device or application is configured correctly.

But for a random assortment of devices and applications, the root domain failure is interpreted as a complete Autodiscover failure, and the user is prompted to manually configure server details. This can occur when the root domain resolves to a web server (which is where it normally resolves) that has HTTPS enabled and listening, but whose installed SSL certificate doesn’t match the root domain name that the device is trying to connect to. This is very common when shared hosting is used to host multiple websites for different domains.

In the example above, a device connecting over HTTPS to “contoso.com” will see a certificate of “sr100283.webhostingcircus.com”, and the HTTPS connection will not be successful. To fix this situation, some changes on the web server are required.

  1. Enable SSL for the website. This will involve adding an SSL certificate, which you may need to purchase if the web host can’t arrange it for you. Depending on the web host this may involve an extra cost and potentially a static IP, although most good web hosts these days will let you enable SSL at no additional cost. Some even use Let’s Encrypt to provide free SSL for customers. Another alternative is to use Cloudflare to get free SSL for your website (this doesn’t require you to move the website itself to a different server).
  2. On the web server, configure a redirect so that all requests to the /Autodiscover virtual directory are sent to autodiscover.contoso.com instead (where “contoso.com” is your domain name). How you configure the redirect will depend on the type of web server your site is running on. Some web hosts provide a control panel to allow you to configure redirects yourself.

When the SSL and redirect are in place, Autodiscover lookups to the root domain will not fail the HTTPS connection, and will be redirected to your Exchange server instead.
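
To check which of these states a root domain is in, the following added example (not part of the original article) requests the root-domain Autodiscover URL with strict certificate validation and classifies the outcome, including the soft-404 and HTTP 400 cases reported in the comments below. The function names `probe_root` and `classify`, the verdict labels, and the sample results are hypothetical; it assumes Python 3.7+ and that the redirect target should be HTTPS.

```python
import http.client
import ssl
import sys
from urllib.parse import urlsplit

def probe_root(domain, timeout=10):
    """Request the root-domain Autodiscover URL once, without following redirects."""
    ctx = ssl.create_default_context()  # validates chain and hostname like a strict device
    conn = http.client.HTTPSConnection(domain, 443, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/Autodiscover/Autodiscover.xml")  # assumes a method-independent redirect
        resp = conn.getresponse()
        return {"status": resp.status, "location": resp.getheader("Location", ""),
                "content_type": resp.getheader("Content-Type", "")}
    except ssl.SSLCertVerificationError as exc:
        return {"error": "cert", "detail": exc.verify_message}
    except (OSError, http.client.HTTPException) as exc:
        return {"error": "connect", "detail": str(exc)}
    finally:
        conn.close()

def classify(domain, result):
    """Map a probe result to the outcomes discussed in the article and its comments."""
    if "error" in result:
        return "cert-mismatch" if result["error"] == "cert" else "no-https-listener"
    status = result["status"]
    if status in (301, 302, 307, 308):
        loc = urlsplit(result["location"])
        # Assumption: the redirect should stay on HTTPS and land on autodiscover.<domain>.
        if loc.scheme == "https" and loc.hostname == "autodiscover." + domain.lower():
            return "redirect-ok"
        return "redirect-elsewhere"
    if status == 200 and "xml" not in result["content_type"].lower():
        return "soft-404"  # HTML error page served with 200 OK
    return "http-%d" % status  # e.g. 400 when the host rejects Autodiscover outright

# Constructed probe results (not captured traffic) for the contoso.com example.
SAMPLES = {
    "fixed": {"status": 302, "content_type": "",
              "location": "https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml"},
    "shared-host cert": {"error": "cert", "detail": "Hostname mismatch"},
    "soft 404": {"status": 200, "location": "", "content_type": "text/html"},
}

if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else ""
    results = {domain: probe_root(domain)} if domain else SAMPLES
    for name, res in results.items():
        print(name, "->", classify(domain or "contoso.com", res))
```

Run it with your own root domain as the only argument; with no argument it classifies the constructed samples.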

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server

6 comments

  1. Jason says:

    HTTP redirect will result in a prompt/popup in Outlook for external users with Outlook, right? And does this also happen for ActiveSync devices?

    • Every mobile device I’ve seen will follow the redirect without complaining.

      The Outlook Autodiscover redirect warning is unavoidable unless you can suppress it with GPO, which obviously only helps for domain joined computers. For non-domain joined computers, at least the user can accept the redirect and then Autodiscover will work without them having to manually configure any profile settings.

      Keep in mind also this is mainly an issue for externally connecting devices.

  2. Joshua Bines says:

    Another gotcha I found is when the root website has a soft 404 fail. It responds with a 200 OK for a GUI error page, but this messes with the Outlook profile creation.

  3. Pam says:

    You might want to make sure your web server is not a hosted Linux server cPanel. The GoDaddy cPanel (and maybe others) are set to automatically reject Autodiscover requests and return error code 400 for ALL remote domains. That means the Autodiscover request is denied/rejected by policy before it gets to the specified domain address - BEFORE it can be redirected to your Exchange server. That is the current setting (Nov. 2016).

  4. Vikas Sukhija says:

    Great article. I am dealing with the same situation. I am trying to fix another team’s cert; will just fixing the cert not help? Would a redirect to Autodiscover also be necessary on their server?
    Some mobile devices get a cert warning but still finish successfully, so I was thinking of just fixing the cert.
