Office 365 Autodiscover Lookup Process


This is a post for reference purposes.  The intent is to look at how Outlook will locate the correct Autodiscover endpoint in a hybrid environment.  This Exchange 2010 SP3 lab has a hybrid configuration with Office 365.  The tenant is called TailspinToysCanada.  Our test mailbox User-1@tailspintoys.ca was moved successfully to Office 365.  They are logging onto a domain joined machine which is located on the corporate network, using their credentials.

 

Autodiscover Configuration

The Autodiscover namespace in this lab is autodiscover.tailspintoys.ca.  This is the URL that users will leverage to get the XML response from Exchange.  How do they discover this URL?  See this post for the full details.

In short the Exchange 2010 CAS server has the AutoDiscoverServiceInternalURI set to the autodiscover.tailspintoys.ca namespace.  This is shown below.

Get-ClientAccessServer | Select Name, *URI | Format-Table -AutoSize

Autodiscover Namespace Set On Exchange 2010 CAS

Note that we are NOT setting URLs on the Autodiscover VirtualDirectory.  Please review the myth busting post for the background on this urban legend.  Setting the AutodiscoverServiceInternalURI is the value which will be returned to Outlook when it does a SCP query.  That is great for internal domain joined machines, what about external or workgroup machines?

For external clients, Autodiscover is configured as a standard A record in the external DNS zone.  This is for  autodiscover.tailspintoys.ca and points to the external firewall interface which is configured to pass the traffic to the Exchange 2010 CAS server.

Note that in a hybrid configuration the external Autodiscover namespace must point back to the on-premises Exchange infrastructure and not to Office 365.  This is a common configuration issue as the Office 365 portal complains about missing DNS records.  Ignore the GUI, and check the status of the custom domain using Get-MSOLDomain using PowerShell. The newer portal has addressed this, maybe I’ll add a post with details.  Leave a comment and let me know your thoughts please.

Now that we know the infrastructure, let’s see what Outlook does.

 

Testing Outlook Autodiscover Lookup Process

This is the Outlook 2013 ProPlus client, version 15.0.4693.1000.  We are using the Test E-Mail AutoConfiguration tool to review the Autodiscover process.

Guesssmart and Secure Guesssmart are for POP and IMAP clients so they are cleared to remove unwanted fluff from the results.

The below screen shot shows the steps Outlook has gone through to locate the correct Autodiscover endpoint for this Office 365 mailbox.  This has been edited to show the following:

  • User SMTP address is highlighted
  • Currently viewing the Log tab
  • Each response line has been manually numbered
  • Since the dialog cannot be resized the bottom portion was overlaid so all results were in a single image for readability purposes

 

Initial Autodiscover Process For Hybrid Mailbox

Line Number Comment
1 Autodiscover endpoint located using SCP query
2 Client attempts first URL
3 Authentication successful to Autodiscover web service using logged on credentials
4 Autodiscover unable to answer query as mailbox in O365. 0x800C8205,  Redirect to TargetAddress
5 Start from beginning using new SMTP address:  user-1@TailspinToysCanada.mail.onmicrosoft.com
6 Autodiscover starts over. Endpoint located using SCP query
7 Client attempts first URL
8 Authentication successful to Autodiscover web service using logged on credentials
9 Autodiscover unable to answer query as mailbox in O365.  Status code:  0x800C8205
10 DNS lookup process starts: root domain lookup  domain.com
11 Root domain lookup fails with status: 12007
12 Root domain lookup fails with status: 0x8004005
13 DNS lookup process continues to next namespace: autodiscover.MicrosoftOnlineRoutingdomain.com
14 Lookup fails with status: 12029
15 Lookup fails with status: 0x800C8203
16 Local XML file lookup
17 Local XML file lookup fails with status: 0x8004010F
18 HTTP Redirect check to: autodiscover.MicrosoftOnlineRoutingdomain.com
19 Client redirected to shared autodiscover namespace:  autodiscover-s.outlook.com
20 Client submits Autodiscover request
21 Authentication needed – 401 response

At this point we are at the shared Outlook Autodiscover service.  We need to authenticate to Office 365 Autodiscover so that it knows who we are, and where to then redirect us.  This is shown in the second section below.  It picks up where the section left off:

Final Autodiscover Process For Hybrid Mailbox

Line Number Comment
22 HTTP 302 redirect
23 Autodiscover failed with status: 0x800C8204 – redirect was received to a more accurate location
24 Autodiscover sent to accurate location pod51042.outlook.com
25 Autodiscover request issued to pod51042.outlook.com
26 Authentication needed – 401 response
27 Authentication successfully provided
28 Autodiscover request submitted
29 Autodiscover XML data successfully received

Phew! 

At this point our Outlook client has received the Autodiscover XML response.  This took a few hops, but users do not see this background process so this does not really impact them.

One thing you may be wondering is the TargetAddress mentioned above.  If we look at the attributes defined on an AD user object whose mailbox was migrated to Office 365, we can see the TargetAddress attribute is present on those migrated accounts.

Attributes On Object User-1 - Note The TargetAddress

This is what allows Exchange to shim in the different SMTP address.  Exchange will NOT use user-1@tailspintoys.ca as the ultimate delivery address, rather the TargetAddress is used.  In this case it is:

User-1@TailspintoysCanada.mail.onmicrosoft.com

This is provided to the Outlook client when it initially contacted the on-premises Exchange server.  Outlook then uses this to chase down the correct location to send the Autodiscover request. 

 

DNS Records We Met Along The Way

<Tenuous link to Bob Marley>

We looked for the following DNS records in our journey so far:

  1. autodiscover.tailspintoys.ca
  2. TailspinToysCanada.Mail.OnMicrosoft.com
  3. Autodiscover.TailspinToysCanada.Mail.OnMicrosoft.com
  4. autodiscover-s.outlook.com
  5. pod51042.outlook.com (this is where my tenant exists, yours will likely be different)

The Autodiscover.TailspinToysCanada.Mail.OnMicrosoft.com is used twice.  Once with HTTPS and then for the HTTP redirect.

Some of these names do not exist in DNS, whilst others have some additional aliases.  We can use Nslookup to query for records.  The DNS server in the internal DC which is then performs recursion on behalf of the resolver.

Nslookup Showing DNS Records Used With Autodiscover

(Click to zoom in to the image)

 

Outlook 2010 And Outlook Autodiscover 2013 Differences

Outlook 2013 changed its Autodiscover behaviour slightly.  In short it does the SCP lookup but also chases down DNS entries simultaneously so that should the SCP lookup fail, the DNS records are already cached.  It does not really show you this in the Test E-Mail AutoConfiguration tool, but Netmon never lies!  In addition Outlook 2013 also introduced the feature of caching the last successful URL.

The below is an example of Outlook 2010 running on the same machine, as the user above.  Note that with Outlook 2010 there is a single HTTP redirect query which consists of a question and answer.  The destination IP is an external IPv4 address 157.244.217.  This IP is shown in the Nslookup results above.

Outlook 2010 Network Monitor HTTP Traffic

Outlook 2013 has two separate queries. 

Note that you can see Outlook 2013 querying for an HTTP redirect to an internal IP in this example 10.0.0.8 which is the IP of the CAS.  Then 5 seconds later it does the same external HTTP redirect check that Outlook 2010 performed above.  The HTTP 302 redirect is also highlighted in the bottom section

Outlook 2013 Network Monitor HTTP Traffic

 

To filter out unwanted junk, the following Netmon filter was used to filter out two unwanted process from the results leaving the remaining HTTP traffic displayed:

HTTP and  !(ProcessName == "WaAppAgent.exe") and !(ProcessName == "WindowsAzureGuestAgent.exe")

Netmon Filter Used To Filter Out Multiple Process

 

Outlook Diagnostic Logging Reference

It is also possible to see the Autodiscover flow through Outlook diagnostic logging.  To apply the change, Outlook must be restarted.  The logs are kept in the %TEMP% folder, and we are interested in the olkdisc.log file.  I use the %TEMP% variable as that removes having to consider where that user’s temp location is.  On the above test machine it is currently C:\Users\User-1\AppData\Local\Temp\3.  Using %TEMP% is way easier!

An excerpt from this test account shows:

 
  Autodiscover to https://autodiscover.tailspintoys.ca/Autodiscover/Autodiscover.xml Failed (0x800C8205)
  Autodiscover to https://TailspinToysCanada.mail.onmicrosoft.com/autodiscover/autodiscover.xml starting
  AutoDiscover doing Pre-Auth with saved data.
  AutoDiscover PRE-AUTH pcreds->dwAuthScheme:
    <NONE>
  GetLastError=12007; httpStatus=0.
  Autodiscover to https://TailspinToysCanada.mail.onmicrosoft.com/autodiscover/autodiscover.xml Failed (0x800C8203)
  Autodiscover to https://autodiscover.TailspinToysCanada.mail.onmicrosoft.com/autodiscover/autodiscover.xml starting
  AutoDiscover doing Pre-Auth with saved data.
  AutoDiscover PRE-AUTH pcreds->dwAuthScheme:
    <NONE>
  GetLastError=12029; httpStatus=0.
  Autodiscover to https://autodiscover.TailspinToysCanada.mail.onmicrosoft.com/autodiscover/autodiscover.xml Failed (0x800C8203)
  Local autodiscover for TailspinToysCanada.mail.onmicrosoft.com starting
  Local autodiscover for TailspinToysCanada.mail.onmicrosoft.com Failed (0x8004010F)
  Redirect check to http://autodiscover.TailspinToysCanada.mail.onmicrosoft.com/autodiscover/autodiscover.xml starting
    Autodiscover URL redirection to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Autodiscover to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml starting
    AutoDiscover doing Pre-Auth with saved data.
    AutoDiscover PRE-AUTH pcreds->dwAuthScheme:
      <NONE>
    GetLastError=0; httpStatus=401.
    GetLastError=0; httpStatus=401.
    AutoDiscover disabled auth schemes:
      <NONE>
    AutoDiscover supported auth schemes:
      Basic
    AutoDiscover attempting Exchange Credentials.
    User-1@Tailspintoys.ca
    AutoDiscover USING pcreds->dwAuthScheme:
      Basic
    GetLastError=0; httpStatus=302.
    Autodiscover to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml Failed (0x800C8204)
      Autodiscover URL redirection to https://pod51042.outlook.com/autodiscover/autodiscover.xml
      Autodiscover to https://pod51042.outlook.com/autodiscover/autodiscover.xml starting
      AutoDiscover doing Pre-Auth with saved data.
      User-1@Tailspintoys.ca
      AutoDiscover PRE-AUTH pcreds->dwAuthScheme:
        Basic
      GetLastError=0; httpStatus=200.
      Autodiscover XML Received
 

 

For more details on Outlook diagnostic logging please see KB 2862843 — How to enable global and advanced logging for Outlook 2010 and Outlook 2013.

 

Cheers,

Rhoderick

Comments (41)

  1. turbomcp says:

    Thanks a lot
    most comprehensive article I have seen to date

  2. turbomcp says:

    Rhoderick ,
    I got quick question
    from my understanding in hybrid where the on premises is 2010 and the hybrid servers are 2013 the SCP record needs to point to the most updated version of exchange and that is Exchange 2013 correct?
    Thanks in advance
    big time fan

  3. That would be correct. For a single Autodsicover namespace, that should point to the latest version of Exchange.

    Cheers,
    Rhoderick

  4. turbomcp says:

    thanks
    externally I knew it needs to be the hybrid server ofcourse but internally there aren’t any documentation for this…
    I know theoretically 2010 should be able to answer these requests for internal clients but wasn’t sure what’s the best practice.
    Thanks

  5. Aadi says:

    Apt and perfect article….

  6. Anonymous says:

    Ran into an issue where this Outlook 2010 SP2 client, build 14.0.7113.5000, was throwing up unexpected

  7. Rhoderick, thanks for laying out the process clearly. It’s a great resource to point people to when explaining how things need to be set up.

    I have an environment I’m working on that has an issue with delays. Internal workstations can configure a profile quickly, but external workstations take about 6 minutes to complete a profile configuration or to run test-email autoconfig. When I use ExRCA,
    it takes about 63 seconds. A good 40 seconds are waiting for the query to "domain.com/autodiscover/autodiscover.xml" to time out before querying the proper "autodiscover.domain.com" record. My "test email autoconfig" process looks a lot like yours, but has
    a full page of additional attempts to "domain.com/autodiscover". Do you see a significantly different result when you run your tests from a non-domain-joined system external to the LAN?

  8. Hi Dave,

    To what/where does your domain.com DNS resolve to? Is it a website at a hosting provider, a SharePoint site or something like that?

    Cheers,
    Rhoderick

  9. Best thing I like about your blogs is the detailed description. This is simply great. Thanks, I now will simply direct my guys to this article when they have an issue with Autodiscover.

  10. Techno Music says:

    Hi Rhoderick,
    I am aware that there is now a feature when using set-hybridconfiguration a single domain name can be nominated for all autodiscovery lookups in an hybrid infrastructure, therefore no need for additional DNS records and expensive cert. However I fail to see
    the value in this? Wont on-premise users already require autodsiscover records for primary email addresses and these will already be stamped on a public certificate. So where is the savings with this autodiscovery feature?
    Regards
    T

  11. Eriq VanBibber says:

    For an application developer or script writer using the EWS Managed API 2.0, would it be safe to forego some of the discovery and preset the URL to
    https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc?

    In testing, there’s a remarkable difference in duration. The work to discover the enpoint involves a lot of timing out due to bad assumptions (like domain.com from a user’s email addres joe@domain.com).

    The concern is how durable is "autodiscover-s.outlook.com"?
    What is the difference between "autodiscover.outlook.com" and "autodiscover-s.outlook.com"?
    Why does the resolved url have the "-s" in the name?

    Regards,
    Eriq

  12. Stefan K says:

    I have noticed autodiscover process slow dramatically after enabling modern authentication for Office 2013 for MFA. But strangely it affect only VPN connections – it may take up to 5 mins for Outlook to start

  13. robsealock says:

    It would be fantastic if you could include in this article how a non-domain joined outlook client is processed and how/when/where authentication to AutoD is achieved.

  14. andrew stevens says:

    Thumping good read

    Well done!

  15. Mitchell Earl says:

    I get an Autodiscover URL redirection from https://autodiscover.ourdomain.com/autodiscover/autodiscover.xml to https://remote.ourdomain.com/autodiscover/autodiscover.xml on our SBS 2011 server. Is this the reason it won’t connect externally? Is there a way to prevent the redirect?

    1. More than likely. I don’t do SBS, but you should be able to set this up using the SRV record option.

      Using the regular autodiscover.contoso.com may be possible — would be best to look at the SBS TechNet forums for that.

      Cheers,
      Rhoderick

  16. Sachin Arora says:

    Awesome Article Rhoderick!

  17. Tom says:

    Thanks,

    very good article!
    But how to configure autodiscover if we have exchange hybrid and also migrating data from Zimbra or Google Mail? These AD users don’t have attributes like targetaddress, exchangeguid, legacyexchangedn and so on…

    Thanks in advance

    1. You need to have those attributes in Hybrid Tom. Do you have Exchange deployed on-premises?

      If not, then that is not Hybrid.

      Cheers,
      Rhoderick

      1. Tom says:

        Hi Rhoderick,

        yes the attributes are available but still empty for users are migrated from Google Apps to O365.
        I think I have to Enable-RemoteMailbox for each user, set the msExchRemoteRecipientType “4” and the targetaddress for routing and autodiscover.

        Thank you!

        1. Hi Tom,

          So in this case the users were migrated straight to 365? I assume that you do have Exchange deployed on-prem. is that the case?

          Cheers,
          Rhoderick

  18. Marc says:

    Hi Rhoderick, I’m migrating from Exchange 2010 to Exchange 2013 running Server 2012 R2. I thought I had everything migrated over to Exchange 2013. As I test, I turned off the Exchange 2010 server and wanted to see what is broken before I uninstall it for good.

    When the Exchange 2010 server is off, all my Outlook 2007 clients receive popup message asking for the credentials. I made sure the Outlook clients have SP3 and the November cumulative update. When I attempt to enter the credentials it doesn’t work. When I perform a Test Auto Email Configuration in Outlook, I get the following errors. FAILED (0x800C8203), httpStatus=401, FAILED (0x80040413), and FAILED (0x8004010F). I tried created split DNS on my local DNS server to resolve the domain name internally, however that didn’t fix the problem. I also tried creating a local SRV record for _autodiscover but that didn’t work either. I was going to uninstall the CAS server role on Exchange 2010 to see if that fixes it, but wasn’t sure if that would break something else. Once I turn the Exchange 2010 server back on, everything is working again. I really appreciate you taking the time to read this and any advice you can give me to resolve my problem.

    Thanks,

    1. Hi Marc,

      You have a single Autodiscover namespace internally I assume? The SCP objects were updated, and all point to the Exchange 2013 servers?

      Cheers,
      Rhoderick

  19. Ravi says:

    Hi Rhoderick ,

    I got quick question which could be silly or not very relevant.

    If I have cloud only user in the same tenant with e-mail address matching to that of on prem SMTP address.
    How does autodiscover works in such scenario ?

    Thanks,
    Ravu

  20. Mihai D. says:

    excellent article. thank you for your time in writing this. I hope you can give me an idea about a situation i have encountered.
    I manage a hybrid configuration that i did not setup, but i inherited. We have 7 domains, a.com ( a.com is the primary domain) ,b.com, etc. and a.net . I have an issues that i can’t seem to put my finger on it.
    Sometimes, even joined domains machines give a certificate warning connecting to autodiscover.a.net, but a.net is not the autod domain. i have run the HCW to confirm that autodiscover is only for the autod domain. I have checked the on-prem configs, i have checked the DNS entries i do not find anything related to autodiscover.a.net . SCP entries are correct i doubled checked them. I do not find any reason why DOMAIN joined domains are trying to access autodiscover.a.net. THis issue is fixed by itself. It appears at random times, sometimes multiple times a day, sometimes not at all. we also have a SRV record for a.com domain.

    Can you give me some pointers on what else to check ?

    Thank you for your time.

  21. Nellybauer says:

    Thanks for the very informative article. We have a hybrid enviornment & have recently migrated all users over to Exchange Online, so are now looking to create new users straight into O365 to save having to create an on-prem mailbox & migrate it. We are creating new users, setting the email address fields appropriately, letting them sync via AADC, then adding an O365 licence to the user once synced. This works great in that the user then has a mailbox created in Exchaneg Online which we can then login to via OWA. The issue is Outlook fails to connect as Autodiscover fails. So, if we force our account creation scripts to add the TargetAddress to be the ourdomain.mail.onmicrosoft.com, should that then mean that Autodiscover starts to work?

    1. Have you looked at enable-remotemailbox cmdlets ?

      Cheers,
      Rhoderick

  22. Nailed it, impressive. I am going to use the way you built that table explaining logs vs. comments in my next posts 🙂

    1. Glad you found it useful 🙂

      Cheers,
      Rhoderick

  23. Karen says:

    Hi Rhoderick,
    This is a great article. (very clear and easy to follow) .

    Do you know if there is a similar article for an environment that is just Office 365? (We have an issue that I suspect is firewall related, and I’m trying to figure out what URLs we should meet along the way. If we can’t access one of the URLs that would explain why auto-discover is failing internally but not externally.)

    Thanks

    1. Hi Karen,

      If there are no Exchange servers on-premises, then this article should apply but ignore the SCP bit since you do not have that

      https://blogs.technet.microsoft.com/rmilne/2011/10/21/exchange-the-autodiscover-web-service/

      If you have split DNS, check that the relevant records were also created in the internal zone.

      Cheers,
      Rhoderick

  24. WECAN Login says:

    Hey nice post. I hope it’s alright that I shared it on my Facebook, if not,
    no problem just let me know and I’ll remove it. Regardless keep up the good work.

    1. Linking and sharing is awesome!. Sharing with a preamble and the content intro is also totally fine.

      Please do not copy and paste the entire article though. I will ask for that to be changed.

      Cheers,
      Rhoderick

  25. Thank you for the article Rhoderick.

    There is one thing that bugs me regarding the HTTP redirect method in multi-tenant scenarios: in my multi-tenant environment, when the HTTP redirect occurs, clients are prompted with a certificate warning. I know I can suppress it, that’s not the issue. However, when a similar HTTP redirect occurs to Office 365, no warning is displayed, it just happens.

    How is a multi-tenant HTTP redirect infrastructure configured by me different from that of Office 365? Why is it that O365-hosted mailboxes don’t generate a cert warning when autodiscover is HTTP-redirected?

    Thank you.

    1. Hi Zoltan,

      Are you asking how to suppress the AutoD prompt on the user’s Outlook client?

      Cheers,
      Rhoderick

      1. Hi Rhoderick,

        Thanks for the prompt reply.

        Correct. I know I can suppress it with a Reg hack as per https://support.microsoft.com/en-us/help/2480582/how-to-suppress-the-autodiscover-redirect-warning-in-outlook-2010-and-outlook-2013.

        Just wondering how it is done for O365 that Outlook trusts it out of the box and doesn’t prompt. I want my clients, inclusive mobile, to connect to their tenant mailbox without being prompted, just like they would to an O365 EOL mailbox.

        Is it hard-coded into Outlook to trust outlook.com FQDNs?

        Thanks,
        Zoltan

      2. Found half the answer. After installing Office and running Outlook for the first time, Outlook creates the autodiscover.hotmail.com and autodiscover-s.outlook.com Registry values in the RedirectServers key.

        I still don’t know how mobile devices get around the redirect warning.

        1. Yes – that’s correct Zoltan, those entries are written in to suppress the redirect.

          For the mobile clients, that is up to the device how it will deal with the prompt.

          Cheers,
          Rhoderick

  26. Mihai D. says:

    Hi Rhoderick,,

    Excellent article. I hope you can give me an idea about a situation i have encountered.
    We have a hybrid configuration. We have 7 domains, a.com ( a.com is the primary domain) ,b.com, etc. and a.net . I have an issues that i can’t seem to put my finger on it.

    Sometimes, even joined domains machines give a certificate warning connecting to “autodiscover.a.net” instead of the “autodiscover.a.com”, but a.net is not the autod domain. i have run the HCW to confirm that autodiscover is only for the autod domain “a.com”. I have checked the on-prem configs, i have checked the DNS entries i did not find anything related to autodiscover.a.net . SCP entries are correct i doubled checked them. I do not find any reason why outlook from a DOMAIN joined computer is trying to access autodiscover.a.net. This issue is fixed by itself. It appears at random times, sometimes multiple times a day, sometimes not at all. we also have a SRV record for a.com domain.
    At the time of this writing, there is one computer that exhibits this behavior every single day.

    Can you give me some pointers on what else i can check to see where this is coming from ?

    Thank you for your time.

    1. Hi Mihai,

      What version of Outlook is this please? Do you see differences between different Outlook versions and/or builds?

      Cheers,
      Rhoderick

      1. Mihai D. says:

        Hi.

        This issue happens on outlook 2013/2016 . But the current issue is on outlook 2016. I haven’t notice any difference on outlook builds, but i will check that as well.

Skip to main content