What is Autodiscover?
Exchange Autodiscover is a service that runs on Exchange Client Access servers. It was introduced as a new feature in Exchange 2007. The Autodiscover service makes it easier to configure Outlook 2007 or Outlook 2010 and some mobile phones. The Autodiscover service cannot be used with earlier versions of Outlook, including Outlook 2003. In earlier versions of Microsoft Exchange (Exchange 2003 SP2 or earlier) and Outlook (Outlook 2003 or earlier), you had to configure all user profiles manually to access Exchange.
The Autodiscover service uses a user's e-mail address and password to automatically configure a user's profile. Using the e-mail address, the Autodiscover service provides the following information to the client:
How the Autodiscover Service Works
When you install the Client Access server role on a computer running Exchange 2010/2007, a default virtual directory named Autodiscover is created under the default Web site in Internet Information Services (IIS). This virtual directory handles Autodiscover service requests from Outlook 2007 or Outlook 2010 clients and supported mobile phones under the following circumstances:
Additionally, a new Active Directory object named the service connection point (SCP) is created on the server where you install the Client Access server role. Autodiscover information is stored in this object.
You can view this SCP using Active Directory Sites and Services after you have enabled the “View Services Node” option:
- The serviceBindingInformation attribute.
- The keywords attribute
The serviceBindingInformation attribute has the Fully Qualified Domain Name (FQDN) of the Client Access server in the form of: https://cas01.contoso.com/autodiscover/autodiscover.xml, where cas01.contoso.com is the fully qualified domain name (FQDN) for the Client Access server.
The keywords attribute specifies the Active Directory sites to which this SCP record is associated. By default, this attribute specifies the Active Directory site to which the Client Access server belongs.
When a domain-connected client connects to the Active Directory directory service:
– The Exchange 2007 client authenticates to Active Directory and tries to locate the Autodiscover SCP objects that were created during Setup by using the user's credentials.
– In deployments that include multiple Client Access servers, an Autodiscover SCP record is created for each Client Access server. By using the user credentials, the Outlook 2007 client authenticates to Active Directory and searches for the autodiscover SCP objects.
– After the client obtains and enumerates the instances of the Autodiscover service, the client connects to the first Client Access server in the enumerated and sorted list and obtains the profile information in the form of XML data that is needed to connect to the user's mailbox and available Microsoft Exchange features.
An Outlook 2007/2010 client connects to the Autodiscover service as follows:
1. Outlook 2007/2010 sends an LDAP query to Active Directory looking for all available SCP objects.
2. Outlook 2007/2010 sorts and enumerates the returned results based on the client's Active Directory site by using the keywords attribute of the SCP record. One of two lists is created, an in-site list or an out-of-site list.
3. Outlook first tries to connect to each Autodiscover URL that it had previously generated from either an in-site list or an out-of-site list.
4. The Autodiscover service queries Active Directory to obtain the connection settings and URLs for the Exchange services that have been configured.
5. The Autodiscover service returns an HTTPS response with an XML file that includes the connection settings and URLs for the available Exchange services.
6. Outlook uses the appropriate configuration information and connection settings to connect to your Exchange messaging environment.
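Steps 1 and 2 above, as an added example that is not part of the original post and is not Outlook's own code: it splits SCP records into the in-site and out-of-site lists and flags any SCP URL a client should not be handed. The records are constructed, and the `Site=<name>` keyword form, the site names and the trusted-domain list are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample SCP records (not read from a real directory). Each carries the
# two attributes described above; the "Site=<name>" keyword form is an assumption.
SAMPLE_SCPS = [
    {"cn": "CAS01", "keywords": ["Site=HQ"],
     "serviceBindingInformation": ["https://cas01.contoso.com/autodiscover/autodiscover.xml"]},
    {"cn": "CAS02", "keywords": ["Site=Branch"],
     "serviceBindingInformation": ["https://cas02.contoso.com/autodiscover/autodiscover.xml"]},
    {"cn": "OLDCAS", "keywords": ["Site=Branch"],
     "serviceBindingInformation": ["http://mail.legacy.example/autodiscover/autodiscover.xml"]},
]

def scp_sites(scp):
    """Return the lower-cased AD site names listed in an SCP's keywords attribute."""
    return {k.split("=", 1)[1].strip().lower()
            for k in scp.get("keywords", []) if k.lower().startswith("site=")}

def build_lists(scps, client_site):
    """Split SCP URLs into (in_site, out_of_site), each sorted for a stable order."""
    in_site, out_of_site = [], []
    for scp in scps:
        target = in_site if client_site.lower() in scp_sites(scp) else out_of_site
        target.extend(scp.get("serviceBindingInformation", []))
    return sorted(in_site), sorted(out_of_site)

def audit_urls(urls, trusted_suffixes):
    """Return (url, reason) for each SCP URL that clients should not be sent to."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((url, "not HTTPS"))
        elif not any(host == s or host.endswith("." + s) for s in trusted_suffixes):
            findings.append((url, "host outside trusted domains"))
    return findings

if __name__ == "__main__":
    in_site, out_of_site = build_lists(SAMPLE_SCPS, "HQ")
    print("in-site:", in_site)
    print("out-of-site:", out_of_site)
    for url, reason in audit_urls(in_site + out_of_site, ["contoso.com"]):
        print("REVIEW:", url, "-", reason)
```

Because the client sends the user's credentials to whichever URL it picks from these lists, a stale or non-HTTPS SCP record is worth removing or correcting rather than leaving for clients to fall through to.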
Problems with the Autodiscover service or how it’s configured can cause issues such as:
One of the most common issues I see has to do with certificates, so I will highlight a few things about certificates.
Certificates are used to encrypt traffic between Exchange servers and clients.
There are three things that need to be true in order for a certificate to be valid:
Example: If I connect to OWA with mail.mydomain.com, then the certificate also needs to have mail.mydomain.com either on the subject or the subject alternative name field.
The components that are usually affected with certificate name mismatch are Autodiscover, Out of Office, Free Busy and Outlook Anywhere.
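The name-match rule above, as an added example that is not part of the original post: it pulls the service URLs out of an Autodiscover response and reports which components use a host name the certificate does not cover. The response fragment, host names and certificate name list are constructed; the element names are taken from the published Outlook Autodiscover response schema, and the internal name cas01.domain.local is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed Autodiscover response fragment (not captured from a real server).
# Element names follow the published Outlook response schema; hosts are made up.
SAMPLE_RESPONSE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account><Protocol><Type>EXCH</Type>
   <ASUrl>https://mail.mydomain.com/EWS/Exchange.asmx</ASUrl>
   <OOFUrl>https://mail.mydomain.com/EWS/Exchange.asmx</OOFUrl>
   <OABUrl>https://cas01.domain.local/OAB/</OABUrl>
  </Protocol></Account>
 </Response>
</Autodiscover>"""

URL_TAGS = {"ASUrl": "Free/Busy", "OOFUrl": "Out of Office", "OABUrl": "Offline Address Book"}

def service_urls(xml_text):
    """Return {component: url} for the service URLs found in the response."""
    found = {}
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        if tag in URL_TAGS and elem.text:
            found[URL_TAGS[tag]] = elem.text.strip()
    return found

def name_matches(host, cert_name):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    host, cert_name = host.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == cert_name[2:]
    return host == cert_name

def mismatches(urls, cert_names):
    """Return {component: host} for every URL whose host no certificate name covers."""
    bad = {}
    for component, url in urls.items():
        host = urlsplit(url).hostname or ""
        if not any(name_matches(host, n) for n in cert_names):
            bad[component] = host
    return bad

if __name__ == "__main__":
    urls = {"Autodiscover": "https://autodiscover.mydomain.com/autodiscover/autodiscover.xml"}
    urls.update(service_urls(SAMPLE_RESPONSE))
    print(mismatches(urls, ["mail.mydomain.com", "autodiscover.mydomain.com"]))
```

With the sample data only the Offline Address Book URL is reported, because its internal host name is missing from the certificate's subject and subject alternative names.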
1- Not using a trusted certificate
Solution: use a 3rd party cert provider
2- The certificate name does not match the DNS name(s)
Solution: create a new cert request containing all the names used to access the server. Minimum of
<InternalName>.domain.local (if using for internal systems also)
3- Can’t resolve fully qualified domain names (FQDN)
Solution: make sure that the FQDNs for your external URLs as well as autodiscover have A records registered in DNS
Verify you can access the autodiscover XML file https://autodiscover.domain.com/autodiscover/autodiscover.xml
It should look like below
4- SCP Record does not contain the correct value.
- Hold CTRL, click the Outlook icon in the system tray, and select “Test Email Auto Configuration”
- Deselect the “Use Guessmart” and “Secure Guessmart Authentication” options and click Test.
2. Check SCP value returned
- If you get info on the results tab then AutoDiscover is working
- If not, go to Log tab and look at the URL that is returned
- Test the URL (type it into Internet Explorer). If it is not working, change the SCP to a valid URL using the Set-ClientAccessServer cmdlet.
- Set the SCP along with the internal URL: Set-ClientAccessServer CASServerName -AutoDiscoverServiceInternalUri https://mail.domain.local/Autodiscover/Autodiscover.xml
Troubleshooting Free/Busy Information for Outlook 2007/2010
If you are using Outlook 2010, then do the below:
Windows XP: C:\Documents and Settings\<User Name>\Local Settings\Temp
Windows Vista and Windows 7: C:\Users\<User Name>\AppData\Local\Temp
You can also use Outlook 2007 to test the AutoConfiguration information that is provided by the Autodiscover service.
The following table provides a brief description of error codes that may occur when you test the AutoConfiguration for the Autodiscover service in Outlook 2007.
Exchange 2007 provides two ways for you to determine whether the Availability service is not functioning correctly:
1- Using the Event Log to Troubleshoot the Availability Service
2- Using the Test-OutlookWebServices Cmdlet to Troubleshoot the Availability Service as below:
Test-OutlookWebServices -id:firstname.lastname@example.org -TargetAddress: email@example.com
Troubleshooting Autodiscover service
Troubleshooting Autodiscover requires you to understand which part of Autodiscover is not working. Generally, it is good practice to first find out whether Autodiscover is working for internal clients, that is, clients that belong to the same network or domain. Following are some common procedures to check the Autodiscover configuration:
• Run Test-OutlookWebServices | fl
• Run Test Email Auto Configuration (in Outlook) on the client to find how Autodiscover is connecting and where exactly it is failing.
• Verify the URL for Autodiscover: run Get-ClientAccessServer | fl and check the AutoDiscoverServiceInternalUri attribute.
• You may also access the Autodiscover URL from IE; the response should be "600 invalid request".
• If Autodiscover is not working for external clients, verify authentication on the Autodiscover virtual directory and, if required, recreate the virtual directory by running these commands:
Remove-AutodiscoverVirtualDirectory
New-AutodiscoverVirtualDirectory
Thanks for the share.. :)
Can you explain step by step auto discover configuration with certifications in exchange 2010
"Outlook 2007/2010 sorts and enumerates the returned results based on the client's Active Directory site by using the keyword attribute of the SCP record. One of two lists is created, an in-site list or an out-of-site list."
Where are the in-site and out-of-site lists stored? I have a situation where an Outlook client has a previously generated out-of-site list, and it keeps wanting to contact the server in that list. That server is still online but it is outside of my control. I want to prevent Outlook from attempting to use that server, so need to flush the out-of-site list.
How do I test email auto-config on Outlook 2011 for Mac?
Quite simplified a blog on Autodiscover troubleshoot. It was easy to go thru and understand in one go...
I am trying to figure out how all of this complexity actually solves any business problem. It sure does create some business problems when your vice president's assistant can't schedule a meeting!
Nice 1 Malik! Well documented.
We have a new site with domain joined Outlook 2010 clients that are not using SCP. When I run the autodiscover test the logs show it goes straight for the predetermined DNS options, bypassing SCP altogether. In other words, behaving like a non-domain joined client and not bothering to try SCP. Could this be something to do with the keywords attribute? It's driving me mad!
So when a mobile client tries to connect through autodiscover, it first tries to use https://contso.com and, if that fails, tries to use https://autodiscover.contso.com. What if http://contso.com is the company website, which is not the OWA of the company? Sometimes our autodiscover will fail when it tries to go to our website for a certificate.
Can you explain about troubleshoot when
•Prompt for a user name and password during the Autodiscover process.
Great Article !!!
Malik This is really great article. Please share more article on Exchange 2010 like mail flow and all. Thank again for this valuable information.
We are having the same issues that Jcar mentioned above. Autodiscover is using our domain name but not autodiscover.domain.com. This is causing several things not to work correctly including OAB and shared mailboxes not showing in Outlook with full access permissions (automapping). Any ideas as to what would cause this?
I fully agree. Many thanks for this very helpful article.
Very Helpful and Informative....