Outlook External Autodiscover Certificate Error
In Outlook 2007 through Outlook 2010 all domain-joined Outlook clients would initially query Active Directory for AutoDiscover information and ultimately find a Service Connection Point (SCP) value that would point them to their nearest Client Access Server’s AutoDiscover virtual directory. If that failed then they would revert to using DNS like any non-domain-joined Outlook client.
Non-domain-joined Computer Lookup Order:
- Local XML File
- http://company.com/autodiscover/autodiscover.xml (looking for a redirect website)
- SCP AutoDiscover Record
Domain-joined Computer Lookup Order:
- SCP lookup
- HTTPS root domain query
- HTTPS AutoDiscover domain query
- HTTP redirect method
- SRV record query
By default, Outlook uses one or more of these methods to reach the AutoDiscover service. For example, for a computer that is not joined to a domain, Outlook tries to connect to the predefined URLs (for example, https://autodiscover.contoso.com/autodiscover/autodiscover.xml) by using DNS. If that fails, Outlook tries the HTTP redirect method. If that does not work, Outlook tries to use the SRV record lookup method. If all lookup methods fail, Outlook cannot obtain “Outlook Anywhere” configuration and URL settings.
Why it ever looked to https://company.com/autodiscover/autodiscover.xml I’ll never really know because honestly I’ve never come across a customer who had it deployed that way; most have https://autodiscover.company.com/autodiscover/autodiscover.xml but I imagine when Exchange 2007 was first being developed they weren’t exactly sure how customers would be implementing AutoDiscover.
The above methods have served us well since Exchange 2007 timeframe but for some reason the Outlook team decided to try and implement some giddyup into Outlook and try to speed up the process. They decided to have domain-joined Outlook 2013 clients query both the SCP values in AD as well as the DNS records at the same time. If an SCP record was found it would still be used but in the event it failed then it would already have the DNS response ready to go. Great idea, however there’s one problem in the implementation.
If Outlook 2013 encounters any kind of Certificate error while doing the simultaneous DNS query then you will receive a pop-up in Outlook about the cert.
I actually stumbled upon this while in the middle of the scenario below:
I actually get a certificate pop-up for my lab’s domain name (ash15.com) and not autodiscover.ash15.com like one would expect if I were to have a certificate issue on Exchange.
When Outlook 2013 does its simultaneous DNS AutoDiscover query, the first URL it tries is https://company.com/autodiscover/autodiscover.xml, which in the lab environment resolved to the DC, which was also serving DNS, as well as a CA. Ash15.com resolved to this server because it’s my internal AD name and the name server entry resolves to my DC (just ping internaldomainname.local in your AD lab environment and you’ll see the same).
Now because I have web enrollment enabled and am listening on 443 in IIS the server responded. Also, because I did not have a cert installed on the server with ash15.com in the Subject or Subject Alternative Name then it gave the certificate error we see above.
The error is easy enough to get through and it only occurred on initial profile creation but this can definitely prove painful for some customers. Obviously my lab environment is a corner case but there have been several other customers report this issue with Outlook 2013 as well.
Imagine you have a public website for andrewswidgets.com hosted by a third-party hosting site and you did not pay for HTTPS/443 services. However if you were to query the website using https then it could respond and obviously not return a certificate with andrewswidgets.com on it (because you haven’t paid for it you cheapskate…). Now imagine you begin deploying users using Outlook 2013 in your internal environment. In the past, they would have found the SCP record that would have pointed them to your internal Exchange 07/10/13 server for AutoDiscover and would have been happy as a clam (one Exchange Product Manager’s favorite way to describe Exchange bliss). However, now they may get a certificate pop-up for andrewswidgets.com when creating a new profile.
There are a couple ways around this. Make sure andrewswidgets.com doesn’t listen on 443, or possibly get a proper cert on your website that is listening on 443. Simply put, just make sure whatever andrewswidgets.com resolves to is something that’s not going to throw a certificate error.
I’ve heard nothing concrete or public but the Outlook team is aware of the issue and listening to customer feedback. I suggest contacting Microsoft Support if your organization is running into this issue.
Also, this MS KB offers methods to control which AutoDiscover methods are used by your Outlook clients