How to configure autodiscover for multiple domains using one SSL certificate


You may need to configure autodiscover for multiple domains, but only wish to maintain one SSL certificate. Or you may need to provide autodiscover for a domain which does not match the SSL certificate you have. This article describes how to do this. You will need the following:

1) A spare IP address. You need an IP address that IIS can listen on and that will not answer SSL (port 443) requests.
2) A valid SSL certificate which is already being used to deliver autodiscover. That is, either https://[domain].tld/autodiscover/autodiscover.xml or https://autodiscover.[domain].tld/autodiscover/autodiscover.xml must already be working. This article does not describe how to get that initial autodiscover URL working.

Autodiscover requests are mostly restricted to valid SSL connections, though some email clients do not require this. So clients will fail to autodiscover if the SSL certificate does not match the URL, or is otherwise invalid. Unfortunately, client applications may not indicate that this is the case; they may just ignore the failure and ask you to enter the server details manually. For instance, some Android clients, after you enter the email address and password during account setup, may simply display the manual account details for entry. This indicates that the autodiscover failed - a successful autodiscover will not ask for confirmation of server or login details.

While autodiscover is mostly restricted to SSL, the actual email connection may not be SSL. Clients are generally more forgiving of the SSL certificate as well, and may just prompt you for confirmation of a certificate when connecting to the server to get email.


One-time steps to set it up:

1) Create an A record for a host name on the server. The name itself does not matter, but it is easier to make it meaningful, such as redirect.[domain].tld, and it should be one you won't need to change, so not a customer's domain that may move. Point this A record to the spare IP address.
2) Create a new website under IIS.
3) Create a site binding for the host name from the A record you created, on the spare IP address, listening on port 80 only. Do not add an SSL (port 443) binding: the host name would not match the certificate, and answering SSL requests there would generate an SSL warning.
4) Redirect the site using a 302 HTTP Redirect to the full SSL autodiscover URL that is already working on the server.

When you wish to add a new domain to be autodiscovered:

1) Create a CNAME record in your DNS for autodiscover.[domain].tld to point to the A record you created earlier.
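The one-time IIS setup above and the per-domain CNAME step, as an added PowerShell example that is not part of the original article. It assumes a spare IP of 203.0.113.10, a redirect host name of redirect.example.com, an already-working autodiscover URL of https://mail.example.com/autodiscover/autodiscover.xml, and, for the DNS function only, that the customer's zone is hosted on a Windows DNS Server (for any other DNS provider, create the same CNAME there by hand). Run it in an elevated PowerShell session on the IIS server.

```powershell
# Added example (not from the original article). Assumed values are marked below.
Import-Module WebAdministration

$SpareIp         = '203.0.113.10'                                            # assumed: must NOT answer on 443
$RedirectHost    = 'redirect.example.com'                                    # assumed: A record -> $SpareIp
$AutodiscoverUrl = 'https://mail.example.com/autodiscover/autodiscover.xml'  # assumed: existing working URL
$SiteName        = 'AutodiscoverRedirect'
$SitePath        = 'C:\inetpub\autodiscover-redirect'

function New-AutodiscoverRedirectSite {
    # The HTTP Redirect feature is an optional IIS role service.
    if (-not (Get-WindowsFeature Web-Http-Redirect).Installed) {
        Install-WindowsFeature Web-Http-Redirect | Out-Null
    }

    New-Item -ItemType Directory -Path $SitePath -Force | Out-Null

    # Bind only to the spare IP on port 80. No HTTPS binding is created, so the
    # certificate for mail.example.com is never presented for a mismatched host name.
    if (-not (Get-Website -Name $SiteName)) {
        New-Website -Name $SiteName -PhysicalPath $SitePath `
                    -IPAddress $SpareIp -Port 80 -HostHeader $RedirectHost | Out-Null
    }

    # 302 (Found) to the exact autodiscover URL, whatever path the client requested.
    Set-WebConfiguration -Filter 'system.webServer/httpRedirect' `
                         -PSPath "IIS:\Sites\$SiteName" `
                         -Value @{
                             enabled            = 'True'
                             destination        = $AutodiscoverUrl
                             exactDestination   = 'True'
                             httpResponseStatus = 'Found'   # 302, as the article specifies
                         }
}

function Add-AutodiscoverDomain {
    # Per-domain step: CNAME autodiscover.<domain> -> the redirect host.
    # Assumes the zone for $Domain is on a Windows DNS Server (DnsServer module).
    param([Parameter(Mandatory)][string]$Domain)
    Add-DnsServerResourceRecordCName -ZoneName $Domain -Name 'autodiscover' -HostNameAlias $RedirectHost
}

function Test-AutodiscoverRedirect {
    # Reproduce a client's plain-HTTP first hop without following the redirect,
    # so the 302 and its Location header can be inspected; also confirm that
    # nothing answers on 443 for the autodiscover name (no certificate warning possible).
    param([Parameter(Mandatory)][string]$Domain)
    $req = [System.Net.WebRequest]::Create("http://autodiscover.$Domain/autodiscover/autodiscover.xml")
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()            # 3xx does not throw when AllowAutoRedirect is off
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()

    $tls = Test-NetConnection -ComputerName "autodiscover.$Domain" -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Domain        = $Domain
        Status        = $status
        Location      = $location
        Port443Closed = (-not $tls.TcpTestSucceeded)
        Ok            = ($status -eq 302 -and $location -eq $AutodiscoverUrl -and -not $tls.TcpTestSucceeded)
    }
}

# Usage (assumed domain): one-time setup, then add a customer domain and verify it.
New-AutodiscoverRedirectSite
Add-AutodiscoverDomain -Domain 'customer.example'
Test-AutodiscoverRedirect -Domain 'customer.example' | Format-List
```

A result with Status 302, Location equal to the working autodiscover URL and Port443Closed true is what you want; a client that reaches port 80 on the spare IP is redirected to the URL whose certificate does match, which is why no certificate warning appears.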

When users now try to autodiscover their settings, they will not be warned that the SSL certificate does not match, but they will be asked if they want the website to configure their server settings.

Class: HOWTO: Product Instructions
Revised: Thursday, September 26, 2019