Autodiscover CNAME

RenardRobert-6157 6 Reputation points
2022-01-31T11:00:18.693+00:00

Hello,

I want to better understand the autodiscover process when using a CNAME. I have some assumptions, but are they correct?

First scenario:
-autodiscover.mydomain.com is a CNAME and points to autodiscover.subdomain.mydomain.com (reverse proxy with certificate)
-The certificate must have autodiscover.mydomain.com as the subject name, right? Because this is the address which is requested. The autodiscover.subdomain.mydomain.com doesn't have to be included in the certificate?

So the flow would be: Outlook queries autodiscover.mydomain.com and gets the IP address of autodiscover.subdomain.mydomain.com. Outlook connects to this IP and gets the certificate for autodiscover.mydomain.com and can post the request.

Second scenario:
-autodiscover.mydomain.com is a CNAME and points to autodiscover.outlook.com
-The certificate will not have any of my autodiscover names included.

Here, the process would be: Outlook queries autodiscover.mydomain.com and gets the IP address of autodiscover.outlook.com. Because port 443 is not listening there, Outlook checks for redirect options and is redirected to autodiscover-s.outlook.com. Because this is a redirect, the requested hostname now is autodiscover-s.outlook.com and the certificate name only must match this address.


7 answers

  1. Andy David - MVP 144.1K Reputation points MVP
    2022-01-31T12:35:01.993+00:00

    If autodiscover.subdomain.mydomain.com is what the CNAME is pointing to, then autodiscover.subdomain.mydomain.com has to be the subject name (or a wildcard) on the cert the client connects to that represents that FQDN.

    In your second scenario, Microsoft has a cert with that subject name (or wildcard in this case) set to that endpoint.



  2. RenardRobert-6157 6 Reputation points
    2022-01-31T14:51:44.007+00:00

    Okay thanks, I always thought that a CNAME will only tell the client the IP address of the target system by maintaining the original name.

    E.g., domain.com CNAME points to domain2.com - the client would try to connect to domain.com and gets the IP address of domain2.com and therefore, domain.com must be in the SSL certificate because that's the original name to connect to.


  3. Andy David - MVP 144.1K Reputation points MVP
    2022-01-31T17:55:22.307+00:00

    Ok, sorry if I wasn't clear. I was focused on what the CNAME was pointing to - ensuring that subject name is on the cert. In these scenarios, you definitely want all the possible name(s) on the cert or use a wildcard, including the CNAME and what the CNAME is pointing to, if you control it of course. Otherwise, if your autodiscover is pointing at Microsoft, then all you need is the initial CNAME on your cert; it gets resolved to 365 Outlook and they own that cert.
    Sorry if that wasn't clear.


  4. RenardRobert-6157 6 Reputation points
    2022-01-31T18:01:40.907+00:00

    Maybe I also didn't explain well. But thanks, now I understand. So just to come back to my first post regarding the more special autodiscover scenario: because Microsoft won't have the customers autodiscover names on their certificate, how does this work?

    Is this due to the HTTP redirect (because port 443 is not listening on autodiscover.outlook.com)? Because some Microsoft autodiscover URLs are also included under the "redirect servers" in the Windows registry.

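The two scenarios from the question and the CNAME-versus-redirect distinction asked about above, as an added example that is not code from this thread, from Microsoft, or from Outlook. It models what a TLS client verifies: per RFC 6125 the reference identity is the host part of the URL the client requested, so following a CNAME in DNS does not change the name that must appear in the certificate, while an HTTP redirect does, because the client then requests a new URL. The zone data, IP addresses and certificate SAN lists are constructed for the example; the function names (`resolve`, `tls_connect`, `follow_redirect`) are the example's own.

```python
"""Which hostname a TLS client checks against the server certificate.

Added example, not from the thread. DNS data, addresses and SAN lists are
constructed. Rule modelled (RFC 6125 / RFC 2818): the reference identity is
the host the client requested; a CNAME chain does not change it, an HTTP
redirect to a new host does.
"""

# Constructed zone data for scenario 1 (own reverse proxy behind a CNAME).
ZONE_ONPREM = {
    "autodiscover.mydomain.com": ("CNAME", "autodiscover.subdomain.mydomain.com"),
    "autodiscover.subdomain.mydomain.com": ("A", "203.0.113.10"),
}

# Constructed zone data for scenario 2 (CNAME to the hosted service).
ZONE_HOSTED = {
    "autodiscover.mydomain.com": ("CNAME", "autodiscover.outlook.com"),
    "autodiscover.outlook.com": ("A", "203.0.113.20"),
    "autodiscover-s.outlook.com": ("A", "203.0.113.30"),
}


def resolve(name, zone, max_hops=8):
    """Follow CNAMEs like a stub resolver. Returns (ip, list of names visited)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, target = zone[name]
        if rtype == "A":
            return target, chain
        name = target
        chain.append(name)
    raise RuntimeError("CNAME chain too long")


def name_matches(pattern, host):
    """RFC 6125 style comparison: exact match, or a single leading '*' label
    that stands for exactly one DNS label ('*.a.com' matches 'x.a.com',
    not 'y.x.a.com' and not 'a.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(san_names, host):
    """True if any subjectAltName dNSName entry covers the requested host."""
    return any(name_matches(n, host) for n in san_names)


def tls_connect(requested_host, san_names, zone):
    """Resolve the requested host, 'connect' to the final address, then verify
    the certificate against the REQUESTED name, not the CNAME target."""
    ip, chain = resolve(requested_host, zone)
    return {
        "ip": ip,
        "dns_chain": chain,
        "verified_name": requested_host,  # unchanged by any CNAME hop
        "cert_ok": cert_matches(san_names, requested_host),
    }


def follow_redirect(redirect_host, san_names, zone):
    """An HTTP redirect is a new request to redirect_host, so that name is
    the one verified on the next connection."""
    return tls_connect(redirect_host, san_names, zone)


if __name__ == "__main__":
    # Scenario 1: cert carrying only the CNAME target does not satisfy the client.
    r = tls_connect("autodiscover.mydomain.com", ["autodiscover.subdomain.mydomain.com"], ZONE_ONPREM)
    print("scenario 1, only CNAME target on cert:", r["dns_chain"], r["cert_ok"])
    r = tls_connect("autodiscover.mydomain.com", ["autodiscover.mydomain.com"], ZONE_ONPREM)
    print("scenario 1, requested name on cert:   ", r["ip"], r["cert_ok"])

    # Scenario 2: a *.outlook.com cert cannot cover the customer's name ...
    r = tls_connect("autodiscover.mydomain.com", ["*.outlook.com"], ZONE_HOSTED)
    print("scenario 2, before redirect:", r["verified_name"], r["cert_ok"])
    # ... but after a redirect the client requests autodiscover-s.outlook.com.
    r = follow_redirect("autodiscover-s.outlook.com", ["*.outlook.com"], ZONE_HOSTED)
    print("scenario 2, after redirect: ", r["verified_name"], r["cert_ok"])
```

The practical check this encodes: put on your certificate every name a client will type or be redirected to, and do not rely on the CNAME target being on it; a wildcard `*.mydomain.com` covers `autodiscover.mydomain.com` but not the deeper `autodiscover.subdomain.mydomain.com`.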

  5. Andy David - MVP 144.1K Reputation points MVP
    2022-01-31T18:36:08.347+00:00

    It should simply resolve in DNS and contact the CNAME that is being pointed to.
    In the event it tries to contact the on-prem servers and they are not accessible on 443, it will try each of the URLs listed in the linked doc below.
    However, with a CNAME, it really shouldn't.
    There is more info on the CNAME recommendation here:
    https://learn.microsoft.com/en-us/Exchange/architecture/client-access/autodiscover?view=exchserver-2019#autodiscover-in-dns

    Note:
    Outlook 2016 and above will favor connecting to Exchange Online first: (Direct Connect)

    You can change that behavior:
    ExplicitO365Endpoint

    https://learn.microsoft.com/en-us/outlook/troubleshoot/profiles-and-accounts/unexpected-autodiscover-behavior

    So by default, the on-prem Autodiscover is not consulted.
