How to Enable and Configure Autodiscover for Outlook

Autodiscover is an Exchange Server feature that automatically provides Outlook clients with the configuration settings needed to connect to a user’s mailbox. Instead of manually entering server names, ports, and encryption settings, Outlook queries the Autodiscover service using the email address and receives the complete configuration. This guide covers how Autodiscover works, the DNS records required, and how to troubleshoot common issues.

How Autodiscover Works

When Outlook needs to configure or update a profile, it follows a specific lookup sequence to find the Autodiscover service:

For Domain-Joined Computers (Internal)

1. SCP Lookup: Outlook queries Active Directory for Service Connection Point (SCP) objects that contain the Autodiscover URL. This is the fastest and most reliable method for internal clients.
2. If SCP lookup fails, Outlook falls back to DNS-based methods.

For External and Non-Domain Computers

Outlook attempts to contact the Autodiscover service in the following order:

1. Root domain: https://contoso.com/autodiscover/autodiscover.xml
2. Autodiscover subdomain: https://autodiscover.contoso.com/autodiscover/autodiscover.xml
3. HTTP redirect: http://autodiscover.contoso.com/autodiscover/autodiscover.xml (checks for a redirect to HTTPS)
4. SRV record lookup: Queries DNS for _autodiscover._tcp.contoso.com SRV record
5. Local XML file: Checks for a locally configured XML file (rare)

Configuring DNS Records for Autodiscover

Option 1: CNAME Record (Most Common)

Create a CNAME record in your external DNS zone:

Record Type	Name	Value
CNAME	autodiscover.contoso.com	mail.contoso.com (your Exchange server FQDN)

The Exchange server at mail.contoso.com must have a valid SSL certificate that includes autodiscover.contoso.com as a Subject Alternative Name (SAN).

Option 2: A Record

If you prefer an A record:

Record Type	Name	Value
A	autodiscover.contoso.com	203.0.113.10 (your Exchange server IP)

Option 3: SRV Record

SRV records are useful when your Exchange server’s SSL certificate does not include the autodiscover hostname, or when you want to avoid certificate mismatch warnings:

Record Type	Service	Protocol	Priority	Weight	Port	Target
SRV	_autodiscover	_tcp	0	0	443	mail.contoso.com

When Outlook finds the SRV record, it prompts the user to confirm the redirection to the target server. The user can choose to accept and remember this choice.

Internal DNS

For split DNS environments, create the same records in your internal DNS zone. If your internal domain differs from your email domain (for example, contoso.local versus contoso.com), you may need to create a forward lookup zone for contoso.com in your internal DNS with just the Autodiscover record.

SCP Objects in Active Directory

For domain-joined clients, Autodiscover primarily uses Service Connection Point (SCP) objects stored in Active Directory. These are created automatically when you install Exchange Server.

Viewing SCP Objects

# View Autodiscover SCP objects in Active Directory
Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri

# In newer Exchange versions
Get-ClientAccessService | Format-List Name, AutoDiscoverServiceInternalUri

Configuring the SCP Internal URI

If you need to change the internal Autodiscover URL:

# Set the Autodiscover internal URL
Set-ClientAccessServer -Identity "EX01" `
    -AutoDiscoverServiceInternalUri "https://mail.contoso.com/autodiscover/autodiscover.xml"

Configuring External URLs

Set the external Autodiscover URL in Exchange:

# Configure external URLs for Exchange services
Set-OutlookAnywhere -Identity "EX01\Rpc (Default Web Site)" `
    -ExternalHostname "mail.contoso.com" `
    -ExternalClientsRequireSsl $true

# Set OWA external URL
Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/owa"

# Set EWS external URL
Set-WebServicesVirtualDirectory -Identity "EX01\EWS (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/EWS/Exchange.asmx"

# Set ActiveSync external URL
Set-ActiveSyncVirtualDirectory -Identity "EX01\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/Microsoft-Server-ActiveSync"

# Set OAB external URL
Set-OabVirtualDirectory -Identity "EX01\OAB (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/OAB"

Firewall Configuration

For external Autodiscover to work, the following must be accessible from the internet:

Port	Protocol	Purpose
443	HTTPS	Autodiscover service and all Exchange HTTPS services

Ensure your firewall or reverse proxy (TMG, HAProxy, nginx, etc.) forwards HTTPS traffic for the Autodiscover URL to the Exchange server.

Testing Autodiscover

Method 1: Outlook Test AutoConfiguration

1. Hold Ctrl and right-click the Outlook icon in the system tray.
2. Select Test E-mail AutoConfiguration.
3. Enter the email address and password.
4. Uncheck Use Guessmart and Secure Guessmart Authentication to focus on Autodiscover only.
5. Click Test.
6. Review the Results and Log tabs for the configuration returned and any errors.

Method 2: Exchange Management Shell

# Test Autodiscover connectivity
Test-OutlookConnectivity -Protocol Http -GetDefaultsFromAutodiscover $true

# Test a specific user's Autodiscover
Test-OutlookWebServices -Identity "user@contoso.com"

Method 3: Remote Connectivity Analyzer

For external testing, use Microsoft’s Remote Connectivity Analyzer:

1. Navigate to https://testconnectivity.microsoft.com.
2. Select Outlook Autodiscover under the Exchange Server tab.
3. Enter the email address and credentials.
4. Run the test and review the detailed results.

Method 4: Manual URL Test

Open a web browser and navigate to:

https://autodiscover.contoso.com/autodiscover/autodiscover.xml

You should receive an HTTP 600 or 401 (authentication required) response, which indicates the Autodiscover endpoint is reachable.

Troubleshooting Common Issues

Outlook Prompts for Credentials Repeatedly

• The SSL certificate may not include the Autodiscover hostname.
• The Autodiscover virtual directory may require different authentication methods. Verify that it allows the correct authentication type (Basic, NTLM, or Negotiate).

Autodiscover Returns Wrong Server or URL

• Check the SCP objects in Active Directory to ensure they point to the correct server.
• Verify the external URLs configured in Exchange virtual directories.
• If using a load balancer, ensure the Autodiscover endpoint is included in the load-balanced VIP.

Certificate Name Mismatch Warning

This occurs when Outlook connects to autodiscover.contoso.com but the server’s SSL certificate does not include that name. Solutions:

• Add autodiscover.contoso.com as a SAN on your Exchange certificate.
• Use an SRV record instead, which redirects Outlook to a hostname that matches the certificate.

Autodiscover Works Internally but Not Externally

• Verify that the autodiscover DNS record exists in the external DNS zone.
• Check that port 443 is open through the firewall.
• Ensure the reverse proxy or load balancer is passing Autodiscover traffic correctly.

Outlook Cannot Find the Autodiscover Service at All

Check the lookup order:

# Check SCP in Active Directory
Get-ClientAccessServer | Format-List AutoDiscoverServiceInternalUri

# Check DNS resolution
nslookup autodiscover.contoso.com

# Check SRV record
nslookup -type=srv _autodiscover._tcp.contoso.com

Summary

Autodiscover simplifies Outlook configuration by automatically providing server settings based on the user’s email address. For internal domain-joined clients, it uses SCP objects in Active Directory. For external clients, it relies on DNS records (CNAME, A record, or SRV record) pointing to the Exchange server’s Autodiscover endpoint on HTTPS port 443. Configure the external URLs for all Exchange virtual directories, ensure the SSL certificate covers the Autodiscover hostname, and test using Outlook’s built-in Test AutoConfiguration tool or Microsoft’s Remote Connectivity Analyzer.