There's a fairly common issue that occurs with mobile devices connecting to Exchange Server or Exchange Online for mailbox access.
Before we go further though, I just want to point out two other potential causes of this issue that you should check first, as they're simpler solutions:
- User principal names (UPNs) for user accounts should match primary SMTP addresses. If they don't, then some mobile devices will fail to setup with Autodiscover.
- Some Android devices need the username (UPN/email) to be entered as “username”, for example “firstname.lastname@example.org”
Assuming neither of the above suggestions fixed your problem, you may be having issues due to Autodiscover and root domain lookups. When the mobile device begins the Autodiscover process, it will often fail and prompt the user to manually configure their device settings.
When clients use Autodiscover to locate server configuration details, the first attempt is usually to try the root domain for the user's email address, e.g. a user of email@example.com will mean an Autodiscover attempt is sent to https://exchangeserverpro.net/Autodiscover/Autodiscover.xml. You can see this behavior by running the ActiveSync Autodiscover test using the Remote Connectivity Analyzer.
The root domain lookup makes absolutely no sense to me, since no customer I've ever dealt with has their root domain resolving in DNS to their Exchange server where the Autodiscover service is available. But that's the behavior, so we need to deal with it.
Now, most clients will handle that root domain lookup failure gracefully, and (just like the Remote Connectivity Analyzer does) move on to the next Autodiscover method. As long as the Autodiscover CNAME or SRV record is implemented (or both), the client will successfully connect to Autodiscover and the device or application is configured correctly.
But, for a random assortment of devices and applications, the root domain failure is interpreted as a complete Autodiscover failure, and the user is prompted to manually configure server details. This can occur when the root domain resolves to a web server (which is normally where it resolves to) that has HTTPS enabled and listening, but has an SSL certificate installed that doesn't match the root domain name that the device is trying to connect to. This is very common when shared hosting is used to host multiple websites for different domains.
In the example above, a device connecting over HTTPS to “contoso.com” will see a certificate of “sr100283.webhostingcircus.com”, and the HTTPS connection will not be successful. To fix this situation, some changes on the web server are required.
- Enable SSL for the website. This will involve adding an SSL certificate, which you may need to purchase if the web host can't arrange it for you. Depending on the web host this may involve an extra cost and potentially a static IP, although most good web hosts these days will let you enable SSL at no additional cost. Some even use Lets Encrypt to provide free SSL for customers. Another alternative is to use Cloudflare to get free SSL for your website (this doesn't require you to move the website itself to a different server).
- On the web server, configure a redirect for all requests to the /Autodiscover virtual directory to be redirected to the autodiscover.contoso.com instead (where “contoso.com” is your domain name). Configuring the redirect itself will depend on the type of web server your site is running on. Some web hosts provide a control panel to allow you to configure redirects yourself.
When the SSL and redirect are in place, Autodiscover lookups to the root domain will not fail the HTTPS connection, and will be redirected to your Exchange server instead.