Outlook Certificate Errors – Mismatch & autodiscover
13th November 2019
What is the issue?
What is causing this?
When Outlook starts up it goes looking for autodiscover.domain.com (if it was your domain.com email account that it was looking at).
Normally the “autodiscover” website will give it the instructions needed. This is how some email clients automagically configure themselves.
Often these are set up as CNAME DNS entries pointing at things like autodiscover.outlook.com
If the “autodiscover” subdomain doesn’t exist (and most of the time we don’t really need it to exist: if the email domain is only for a few users and a few machines, and not for thousands of users with dozens of new machines every day), then Outlook can’t find autodiscover.domain.com and that’s the end of the story. No error. No problem. It fails silently in the background.
However, if there is a match-anything (wildcard) entry in the DNS that points at the customer’s web hosting, e.g. a *.domain.com A record pointing at the domain.com website,
then this means that:
- foo.domain.com points at the web hosting
- something.domain.com points at the web hosting
- sausage.domain.com points at the web hosting, etc.
- and, the relevant one: autodiscover.domain.com points at the web hosting
However, usually the web hosting (especially cheap web hosting) doesn’t know what to do with an incoming request for autodiscover.domain.com, so it just serves up its default security certificate, which is labelled as *.extendcp.co.uk (as an example),
and the SSL certificate for *.extendcp.co.uk doesn’t match the name Outlook asked for (autodiscover.domain.com). That mismatch is what gives the error / warning in Outlook.
We often find that these errors start appearing on email accounts that have been fine for months or years. When we dig into it, we find that the domain registrar has been changed, or the DNS has somehow been amended by a third party, and although they were careful to replicate the MX records, they put in a wildcard A record where there wasn’t one before.
There are 2 options to fix this:
- Option 1 is to remove the wildcard for domain.com, so that only the www.domain.com A record points at the web hosting
- Option 2 is to create a working / valid autodiscover.domain.com
Option 1 is probably the most suitable for small numbers of users. For larger numbers of users, Option 2 is more sensible.
There are 2 things we need in order to resolve this using Option 1.
a. We need to be sure which email account is generating the error
b. We need access to the DNS management for the relevant domain to make the amendment needed. This amendment is to remove the DNS wildcard and have only the www. A record entry pointing at the web hosting.
Option 2 fix:
- Open Notepad as administrator
- Open C:\Windows\System32\drivers\etc\hosts
- Add an entry to the hosts file in the following format:
- 127.0.0.1 autodiscover.domain.com
- Save the hosts file (it doesn’t have a file extension)
This fixes the issue in Outlook relating to autodiscover certificate mismatch errors.
How? The machine looks at itself for the autodiscover record & certificate, gets no answer, and fails silently.
But you have to repeat that on all the users’ machines, and manual additions to the hosts file are / should be an absolute last resort.
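The following is an added example, not code from the original post. It models the chain described above (wildcard A record, hosting default certificate, name mismatch) and what each fix changes: removing the wildcard (Option 1), having a certificate valid for autodiscover.domain.com (Option 2), and the hosts-file workaround. The zone contents, the 203.0.113.10 address (a documentation address) and the hosts entries are constructed; *.extendcp.co.uk is the example certificate name the post uses. The resolver is deliberately simplified (exact match, then nearest `*.parent` wildcard), and it assumes nothing on the user's own machine listens on port 443, so a loopback answer behaves like no answer at all.

```python
"""Added example: why a DNS wildcard turns Outlook's normally silent autodiscover
lookup into a certificate name mismatch, and what each fix changes.
All zone data, addresses and certificate names below are constructed."""

# Constructed zone for domain.com in the broken state: a wildcard A record makes
# every non-existent subdomain (including autodiscover) resolve to the web host.
# 203.0.113.10 is a documentation address, not a real host.
ZONE_WITH_WILDCARD = {
    "domain.com": "203.0.113.10",
    "www.domain.com": "203.0.113.10",
    "*.domain.com": "203.0.113.10",
}

# Option 1: the same zone with the wildcard removed; only www points at the host.
ZONE_FIXED = {k: v for k, v in ZONE_WITH_WILDCARD.items() if not k.startswith("*.")}

# Names on the certificate the cheap web host serves by default (example from the post).
HOSTING_DEFAULT_CERT = ["*.extendcp.co.uk"]

LOOPBACK = {"127.0.0.1", "::1"}


def resolve(zone, name, hosts=None):
    """Return the A record for `name`, or None for NXDOMAIN.

    Simplified resolver: a hosts-file override wins first (which is why the
    127.0.0.1 trick works), then an exact zone entry, then the nearest
    `*.parent` wildcard. Real wildcard rules (RFC 4592) have more cases.
    """
    name = name.lower().rstrip(".")
    if hosts and name in hosts:
        return hosts[name]
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None


def cert_name_matches(cert_name, hostname):
    """RFC 6125 style comparison: a wildcard is only honoured as the entire
    left-most label, and it matches exactly one label."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name.startswith("*."):
        host_labels = hostname.split(".")
        return len(host_labels) > 1 and ".".join(host_labels[1:]) == cert_name[2:]
    return cert_name == hostname


def check_autodiscover(zone, hostname, served_cert_names, hosts=None):
    """Classify what Outlook would see for `hostname`:
    'silent'   - no address (NXDOMAIN) or loopback: nothing answers, no warning
    'ok'       - something answers with a certificate valid for the name
    'mismatch' - something answers, but its certificate is for other names
    Assumption: nothing on the user's own machine listens on port 443, so a
    loopback address behaves like no answer at all."""
    addr = resolve(zone, hostname, hosts)
    if addr is None or addr in LOOPBACK:
        return "silent"
    if any(cert_name_matches(n, hostname) for n in served_cert_names):
        return "ok"
    return "mismatch"


def demo():
    """Walk through the states the post describes; returns a dict of outcomes."""
    host = "autodiscover.domain.com"
    return {
        "wildcard_present": check_autodiscover(ZONE_WITH_WILDCARD, host, HOSTING_DEFAULT_CERT),
        "option1_wildcard_removed": check_autodiscover(ZONE_FIXED, host, HOSTING_DEFAULT_CERT),
        "option2_valid_cert": check_autodiscover(ZONE_WITH_WILDCARD, host, [host]),
        "hosts_file_workaround": check_autodiscover(
            ZONE_WITH_WILDCARD, host, HOSTING_DEFAULT_CERT, hosts={host: "127.0.0.1"}
        ),
        "www_still_works": resolve(ZONE_FIXED, "www.domain.com"),
    }


if __name__ == "__main__":
    for state, result in demo().items():
        print(f"{state:26s} -> {result}")
```

On a real domain the same two facts can be checked by hand: `nslookup autodiscover.domain.com` shows whether the name resolves at all (and to the same address as www), and `openssl s_client -servername autodiscover.domain.com -connect autodiscover.domain.com:443` shows which certificate the host actually serves for that name, which is the one Outlook compares against.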