How to solve issues with Exchange's Autodiscover (xml) and any peculiar clients like Windows Communication Apps [HxTsr.exe] with complex DNS config?

Solution 1:

Tips

  • Do create an extra test account.
  • Use https://testconnectivity.microsoft.com/tests/Eas/input as a sanity check.
  • This test https://testconnectivity.microsoft.com/tests/O365Eas/input is smarter, but did not mimic the problematic client's behaviour.

Solution

I used Cloudflare DNS, added a forwarding rule to forward this particular non-existent resource:

https://apexdomain.tld/autodiscover/autodiscover.xml

to

https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml

This shortens the autodiscovery chain significantly. (Confirmed by Microsoft's tool.) Therefore, it also limits the number of things that can go wrong.

The problematic client now shows the modern authentication window very quickly as desired.

Notes

  • I disabled the Cloud worker delivering 404 for https://apexdomain.tld/autodiscover/autodiscover.xml, though I left it working for https://www.domain.tld/autodiscover/autodiscover.xml even though I do not see the chain getting there anymore. The only reason this URI was visited is because of the apex to www. forwarding rule. So I just figured out I can remove this route too ;), but for the record of the test case, it was active during the test.
  • I don't know if Cloudflare Rules take priority over Cloudflare Worker routes. You should configure them XOR anyway.

I find the complexity of autodiscover troublesome. Much can go wrong. Ironically, the autodiscover mechanism is so complex, one could create an autodiscovery's autodiscover config to automatically load where to start the autodiscovery for a particular domain. :/

  • Just before posting, I found a reference in the auto-search box to the following post. The creative poster has encountered similar problems, including the 443 port error and a similar solution, just a different location (reverse proxy).

It perplexes me that the post didn't show up in my Google results, but I am happy to see some of our observations and resolutions overlap. ^^

Sources

https://practical365.com/fixing-autodiscover-root-domain-lookup-issues-mobile-devices/

https://www.datarepairtools.com/blog/autodiscover-not-working-while-connecting-to-office-365-account/

Related reading:

https://docs.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019#autodiscover-services-in-outlook
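
Added example (not part of the original post, and not Cloudflare's or Microsoft's code): a small Python check that walks the redirect chain for the apex Autodiscover URL one hop at a time and reports whether the first redirect goes straight to `autodiscover-s.outlook.com` over HTTPS, which is what the forwarding rule in the answer is meant to achieve. The domains are the post's placeholders, and the status codes in the two sample chains are constructed assumptions; replace `START` with the real apex URL and call `trace_chain(START)` to test a live rule.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

START = "https://apexdomain.tld/autodiscover/autodiscover.xml"  # placeholder domain from the post
TARGET = "https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml"
# Constructed responses (url -> (status, Location)); the statuses are assumptions.
SAMPLE_FIXED = {START: (301, TARGET), TARGET: (401, None)}
WWW = "https://www.domain.tld/autodiscover/autodiscover.xml"
SAMPLE_OLD = {START: (301, WWW), WWW: (404, None)}  # apex -> www -> 404, as in the notes

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx surfaces as HTTPError below

def http_fetch(url):
    """One unauthenticated GET; returns (status, Location or None)."""
    try:
        with urllib.request.build_opener(NoFollow).open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def trace_chain(start, fetch=http_fetch, max_hops=5):
    """Walk the redirects one hop at a time; returns [(url, status), ...]."""
    chain, url = [], start
    for _ in range(max_hops + 1):
        status, location = fetch(url)
        chain.append((url, status))
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        url = urljoin(url, location)  # Location may be relative
    raise RuntimeError(f"more than {max_hops} redirects from {start}")

def check_chain(chain, expected=TARGET):
    """Return a list of problems; an empty list means the rule works as described."""
    problems = [f"non-HTTPS hop: {u}" for u, _ in chain if urlsplit(u).scheme != "https"]
    want = urlsplit(expected).hostname
    if len(chain) < 2:
        problems.append("no redirect issued for the apex URL")
    elif urlsplit(chain[1][0]).hostname != want:
        problems.append(f"first redirect goes to {chain[1][0]}, not {want}")
    return problems

if __name__ == "__main__":
    for name, sample in (("fixed", SAMPLE_FIXED), ("old", SAMPLE_OLD)):
        chain = trace_chain(START, fetch=sample.__getitem__)
        print(name, chain, check_chain(chain))
```

Because an Autodiscover client will send credentials to wherever the chain ends, the host and scheme checks are the part worth keeping in a recurring monitor after any DNS, Rules or Worker change.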