Exchange 2010 FAQ: Do I Need Autodiscover Names in the SSL Certificate?

Question: Do I need to include the Autodiscover names for all of my domain names in my SSL certificate?

I’ve had a few questions lately about Autodiscover and Exchange 2010 SSL certificates. The questions are usually along the lines of:

  • Do I need to add the Autodiscover name to my SSL certificate?
  • Do I need an Autodiscover name for all of my SMTP domains in my SSL certificate?

Both questions can be answered easily once you understand the basics of Autodiscover.

Put simply, Autodiscover is a service hosted on Client Access servers that Outlook 2007 and 2010 clients can use to automatically discover information about the Exchange environment.

An example of Autodiscover in action is when a mailbox-enabled user launches Outlook 2007/2010 for the first time and the Outlook profile is automatically configured with the correct Exchange server name for that mailbox user.

For internal, domain-joined clients this involves looking up the Autodiscover SCP (Service Connection Point) for the AD Site that the user’s computer is in. Or if no SCP exists for that site the SCP in another site will be used. This is configurable and is known as Autodiscover site scope.

The SCP is returned as a URL. This URL will be one of the Client Access servers in the organization, and will look something like this:

Get-ClientAccessServer | fl name,autodiscoverserviceinternaluri

Name                           : ESP-HO-EX2010A
AutoDiscoverServiceInternalUri :

So for an internal, domain-joined computer the SSL certificate must include the name (or names, if more than one exists) for the Client Access servers in the organization that a client will be discovering via that SCP lookup.

Externally connected clients are different, because they can’t lookup the SCP in Active Directory from outside of the network. These clients might be roaming laptop users with Outlook, or they might be ActiveSync capable smartphones such as iPhones. In either case they will attempt to connect to Autodiscover by performing a DNS lookup for “autodiscover.smtpdomainname”.

For example an iPhone user setting up their Exchange mailbox will enter their email address (eg, user name and password. The iPhone will then attempt to autodiscover the Exchange server by looking up “” in DNS. If it can resolve that name it will then connect to to retrieve Exchange server information.

So for an externally connected client the SSL certificate must include the name, or optionally the “” name if you don’t configure an “autodiscover” name (though I recommend you do, as often the domain name on its own resolves to a different IP address such as the web server that hosts the company’s website). Naturally that name must also be in your public DNS zone.

Now that you can see that you need the “autodiscover.smtpdomainname” name in the Exchange 2010 SSL certificate the final question is whether you need to include autodiscover names for all of your SMTP domain names.

The answer is that you will only need an autodiscover name for each SMTP domain that a user is likely to enter as their email address (eg in the iPhone example above). So for most organizations this means any domain names that are used as primary email addresses for mailboxes. Any additional domains that may be legacy names from a previous company name or a merger can probably be left out of the certificate.


  1. says

    There is also a way to avoid using autodiscover in the URL by using a DNS SRV record to point autodiscover to a domain of your choosing. I do this all the time and it works great. However, though it works with Outlook 2007 and later well, various ActiveSync devices don’t seem to be smart enough to use this method and still require the server name to be entered manually (sadly, since this would be so easy to support!). It’s a great tip where you want to avoid the expense of a SAN certificate in favor of a single name cert (which also requires correct split DNS and the running of a script like this one on the Exchange server to properly set internal/external URLs–but it’s easy and works!).

      • Doug says

        Just thought I would add to this incase anyone comes across it. I think the guy was talking about the HTTP redirection method. Autodiscover will try HTTPS first and if it fails to locate on HTTPS will check HTTP for a redirect. If you use and perform the autodiscover test it will show that it tries autodiscover URLs on HTTPS and then performs a redirect check on HTTP. We had to implement the HTTP redirect method here as we have lots of domains and plan more so it didn’t make sense to keep buying SSL certs. Then if someone enters their email as or they get redirected to the main server which lives at

  2. TonyH says

    Dear Paul,

    I am confused on how OL2K7+ Ext Client can get Exchange Servers information when configure OA (RPC-Over HTTPS) for the OL2K7+ profile as we provide the below details:

    1- Server Name: :
    (Is this the CAS Server/CASArray internally FQDN or Exchange MB server)
    2- Exchange Proxy Settings>Connections Settings>Use this URL to connect to my proxy server for
    (Why we need this URL as OL2K7+ will check https://Autodiscover./Autodiscover
    /Autodiscover.xml to get the SCP which will provide Exchange servers details)
    Please correct me:
    O2K7+ >Autodiscover.MyExDomain.Autodiscover/Auto….xml>CAS Srv/or CAS Array>SCP>User Connect to its Exchange DB

  3. Jonathan says


    One thing about the internal uri, Within a CASArray where we have load balancing between 2 CAS servers, should the internal URI change on each CAS server from the http://(hostname).mydomain.local… to http://(casarrayhostname).mydomain.local?

    Also, this doesn’t need to be changed to match the external host address correct? It’s strictly internal correct as listed? I’m asking this because of external devices. Exchange only looks to this for internal clients correct? For external devices where does it find the external address within exchange. For instance where would I list as opposed to the internal uri autodiscover.mydomain.local?

    • Jonathan says

      Let me rephrase my last question. I’m not a very good proofreader. =P

      I found under the EMC the ActiveSyncVirtualDirectory internal and external URLs for activesync. So i guess my question is similar to the InternalURI. Is there an autodisocver ExternalURI required?

  4. Pooria says

    When I am trying to use Outlook anywhere I get all 3 security alerts however I have a certificate from third party and its working fine for OWA. So when I look at the certificate on outlook from outside of the domain it show that issued to localhost.localdomain, I was wondering if this is related to autodiscover ?

    Thanks in advance

  5. Pooria says

    I did and I got some errors, and from the outlook I test the connectivity it found the server and the autodiscover, but security alerts pop up. And the cert that outlook is using is expired so I am thinking I have to import the cert on the client maybe ?

    • says

      No you’ll need to investigate and fix the errors that the connectivity test tool identified.

      Outlook Anywhere is much more sensitive to certificate problems than OWA.

        • says

          Ok, so keep in mind that you know more about this case than me because I can’t see all the information end users are reporting and other details like that.

          What I’m recommending as a starting point is that you’ve got an Outlook Anywhere problem, and the connectivity test tool is giving errors for the Outlook Anywhere test, so you should start investigating and resolving those errors.

  6. Jared says

    Hi Paul,

    What if you use a SAN certificate and just wildcard the domain like “*”, BPA complains because it is a Certificate SAN mismatch but its not “technically” because it covers all sub-domains….but should it impact client connections? I’m currently running one and it seems work ok with activeSync and Outlook clients

  7. Jack Cristi says

    Hi Sir Paul,

    Please help me on this, it’s been 2 days configuring the autodiscover feature of exchange server 2013…

    When i run Remote Connectovity Analyzer, it said: Connectivity Test Failed.

    Attempting to test potential Autodiscover URL
    >>>Testing of this potential Autodiscover URL failed.

    Attempting to test potential Autodiscover URL
    >>>Testing of this potential Autodiscover URL failed.

    Attempting to contact the Autodiscover service using the DNS SRV redirect method.
    The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.

    Attempting to test potential Autodiscover URL
    >>>Testing of this potential Autodiscover URL failed.

    Thank you so much!
    Jack Cristi

    • says

      You are leaving comments in multiple places on my site about this same issue which is not helpful. I can only answer as fast as I am able to. If you have a serious problem requiring a faster response you should contact Microsoft support.

      Now, if you are running the RCA tests and they are failing, you need to look closer at the results to see exactly *why* they are failing. Expand the “Test Steps” to see whether the test failed because of DNS name resolution, or firewall issues, or certificate issues, or something else.

  8. Carol Ostos says

    Hey Paul, we got a problem with Autodiscover and Good Mobile, we are setting up Good for Enterprise (EWS version instead of the MAPI version). We seem to be having difficulties when adding handhelds (provisioning devices).

    Good Support recommends to create a CNAME for, we are a multi domain company with trust between domain, there is already a CNAME for autodiscover in our company in our top domain, do you think we would need to create an alias in our child domain as well?

    Apologies if this is too silly but just dont whether it would cause problems since Autodiscover works just fine with Outlook, Out of Office, Free Busy, etc

    Thanks for your help!

    • says

      Generally speaking you should only need autodiscover names for domains that have users with SMTP addresses that use that domain name. But I don’t know if Good behaves differently and needs other autodiscover records, eg to match UPNs. I guess that is something their doco should cover in more clarity.

      Autodiscover can also fail due to SSL cert validity/trust issues, even when you get the DNS right.

      • Carol Ostos says

        Thanks for your reply Paul! We realized Good for Enterprise EWS version required a minimum of Exchange 2010 SP2 RU4 so we rolled back and installed the MAPI version, no issues with that version.

        Will keep your comments in mind for when upgrading Exchange and maybe then upgrade GFE to the EWS version.

  9. Cody says

    I’m not sure I like the SVR name record method of handling autodiscover. That causes a pop-up for the user. Most people try to avoid anything that may be perceived as an error.

    I think I’ll create a CNAME record pointing my other SMTP domains to my main autodiscover and just include those SMTP name spaces on the UCC cert.

  10. Ivan says

    Hi Paul!

    If you have some time will you suppose about my case?

    My outlook auto configuration is working, but on the stage “Search for server setting” (see your outlook screenshot) I’m getting login/password challenge from my Exchange 2010sp3 server.

    A window appears where login field is set to UPN (e.g. Then I change it to mydomain\username, enter the password and auto configuration succeed.

    I wonder why does my server force me to enter credentials the second time?

  11. Neal says

    ok. So I have a certificate for server.mydomain,com which I use for OWA internally and externally and this is installed to my Exchange server. OWA works fine.
    What I hear you saying is that I need a separate certificate for OA. Ok BUT how can I configure two certificates ( and ) within Exchange ?
    Both the virtual websites installed as Default can only be bound to only one SSL certificate

    I have external DNS set up for autodiscover and I have changed the External URL set to .

    so when the Outlook Client Connects I get a warning that certificate is not verified ! So it does work but the client is looking for even through the external URL is set to

    To sum up I have one certificate, I’ve set the External URL and Internal URL the same for OA and OWA
    i’m using the same cert for both becuase I can’t see how to install different certificates installed in Exchange. (I can’t see how)

    -It’s working it just gives the warning becuase its looking for
    – I have Port fowarding 443 firewall
    -Our website is hosted elsewhere so OA won’t resolve to “” Therefor I assume it resolves to autodiscover but
    -I am missing something.

    Thanks for your Blog

  12. Mkhumbi says

    Hi Paul,

    Given that only one certificate can be bounded to IIS, how then do I solve my case, I have 2 acceptable domains, and for instance and I have two SSL wildcard certificates for the domain. What’s happening is that I get certificate errors because I am only using certificate and users are configured with I have tried to use load balancer (KEMP) and install both certificate in there, still I receive the same results. Tried to create a separate IIS server for contoso, the OWA there works internally and externally with the rights certificates but still when configuring outlook with the other one it fails and when configured with the one working it will give errors regarding the other domain certificate. please assist.

      • Mkhumbi says

        Thank you Paul for your prompt response, I get your point but the issue I am having is that the two wildcard certificates are already in possession. I understand we could have easily got the UCC, (or SAN with all the domains) now that we have these two separate SSL wildcards certificate, is there a way to make it work or there isn’t? both of these domains are authoritative…

        • says

          As you’ve already discovered, only one certificate can be bound to the IIS website.

          So no, there’s no way to make it work.

          Invest the few hundred dollars in a SAN/UCC certificate, you will save yourself a lot of wasted time and energy by just doing it the right way.

  13. Faisal Khan says

    First of all, great work Paul! whatever I do on exchange server, your blog is always there to help me out; appreciate that very well.

    I have my exhange server setup as;
    External DNS for mail server:
    Acceptable domains in Exchange: &
    ServerName: MailServ01
    Local Domain: LDomain.local

    Now bearing this in mind, following are the SAN/UCC cert entries i can think of. Can you please confirm if they are correct.

Leave a Reply

Your email address will not be published. Required fields are marked *