Background on the SRV autodiscover method
Outlook can use different methods to find the autodiscover response - see here. One of these methods uses an SRV record such as _autodiscover._tcp.domain.com to provide the hostname of your Exchange server such as mail.litwareinc.com. The Outlook client then retrieves the autodiscover XML file using the URL https://mail.litwareinc.com/autodiscover/autodiscover.xml. As you can see, there is no HTTPS connection made to https://autodiscover.domain.com and therefore there is no need for this name on the certificate.
In this demonstration, we have an Exchange 2013 and 2016 server in the organization. The accepted domains are below:
Our certificate only has a single name - mail.litwareinc.com and all virtual directories, our Service Connection Points (AutodiscoverServiceInternalUri) and Outlook Anywhere hostnames/URLs are all configured to use mail.litwareinc.com.
Create the SRV records
For more information on how to create SRV records, see here. For our domains, we need to create the same SRV record in each of the forward lookup zones on our internal and external DNS servers. The SRV record we need is below:
Port Number: 443
Confirm that the SRV records are set up correctly using nslookup
Run the below commands to check that the SRV record is created correctly:
server 10.2.0.10 (this needs to be one of your internal DNS servers)
Repeat the above test but set the server to a public DNS server such as 220.127.116.11 so that you can check your public SRV records are created successfully.
Remove the autodiscover.domain.com A records
Outlook clients will attempt to connect to https://autodiscover.domain.com/autodiscover/autodiscover.xml before they attempt the SRV method. This will cause certificate errors as this name is not on the certificate. To prevent this, you need to remove the A records below:
To test autodiscover, we’ll use a mailbox that only has an email address in the litwareinc-marketing.com domain. If the computer is joined to the domain then it will use the SCP which is mail.litwareinc.com and this should work. In this case, we want to test the SRV method so our computer needs to either be in a workgroup or outside the corporate network. In this case, it is inside the corporate network but is in a workgroup.
Below I’ll demonstrate that autodiscover works by creating a new Outlook profile:
We receive a notification that we will be redirected to https://mail.litwareinc.com/autodiscover/autodiscover.xml to configure server settings. To prevent being prompted for this, select the “Don’t ask me about this website again” checkbox:
As you can see above, our Outlook profile has now been autoconfigured successfully.
Note that using this method means that your users will need to use https://mail.litwareinc.com/owa for Outlook Web Access and that mobile devices need to be configured using mail.litwareinc.com.