In a project we noticed strange Outlook Autodiscover behaviour. We had set up an SCP and all clients were domain joined, so all clients should only have been doing SCP lookups. But then we noticed the following:
- Some users were complaining about certificate popups
- the web server team found > 100k failed requests for root.tld/autodiscover/autodiscover.xml and www.root.tld/autodiscover/autodiscover.xml
We did a lot of testing (including Fiddler) and saw that, in parallel to the successful SCP lookups, the clients were also trying to connect to root.tld/autodiscover and autodiscover.root.tld. Depending on the domain they were using (the company uses several top-level domains) they either got certificate warnings or the requests reached a web server and failed there.
The obvious solution, although the additional lookups shouldn't happen in the first place, is to disable the root domain and the autodiscover root domain lookups through the registry or a GPO (https://docs.microsoft.com/en-us/outlook/troubleshoot/domain-management/unexpected-autodiscover-behavior). But surprise: this didn't change anything.
So we opened a support ticket with Microsoft and after a lot of research they gave us the solution. Add a registry key:
Add a REG_DWORD value: EnableEASAccountCreation = 0
You still need to configure the ExcludeHttpRedirect, ExcludeHttpsAutoDiscoverDomain and ExcludeHttpsRootDomain values, but with EnableEASAccountCreation set to 0 they now take effect.
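As an added example (not part of the original post and not code supplied by Microsoft), the following PowerShell sets the four values named above for the current user and then audits them so drift can be detected, for example from a logon script or an endpoint compliance check. It assumes Outlook 2016/2019/Microsoft 365 Apps, whose per-user Autodiscover settings live under the version key 16.0 at HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover (the key the linked Microsoft article documents for the Exclude* values); the placement of EnableEASAccountCreation under that same key is an assumption here, so confirm the exact location against the guidance you received from Microsoft support before rolling it out.

```powershell
# Added example, not from the original post.
# Assumption: Office version key 16.0 (Outlook 2016/2019/Microsoft 365 Apps).
$OfficeVersion   = '16.0'
# Documented location of the Exclude* Autodiscover values for the current user.
$AutoDiscoverKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\AutoDiscover"

# Desired state: suppress the HTTP redirect, autodiscover.<domain> and root-domain
# HTTPS lookups, and (per the support case in the post) disable EAS account creation.
# Assumption: EnableEASAccountCreation is placed under the same key as the Exclude* values.
$DesiredValues = @{
    ExcludeHttpRedirect            = 1
    ExcludeHttpsAutoDiscoverDomain = 1
    ExcludeHttpsRootDomain         = 1
    EnableEASAccountCreation       = 0
}

function Set-AutodiscoverLookupRestriction {
    param(
        [string]$Key = $AutoDiscoverKey,
        [hashtable]$Values = $DesiredValues
    )
    # Create the key if Outlook has not written it yet (fresh profiles).
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    foreach ($name in $Values.Keys) {
        # -Force overwrites an existing value; DWord matches the REG_DWORD type Microsoft expects.
        New-ItemProperty -Path $Key -Name $name -Value $Values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Test-AutodiscoverLookupRestriction {
    param(
        [string]$Key = $AutoDiscoverKey,
        [hashtable]$Values = $DesiredValues
    )
    # Returns one object per value that is missing or differs from the desired state;
    # an empty result means the client is compliant.
    $drift = @()
    foreach ($name in $Values.Keys) {
        $actual = $null
        if (Test-Path -Path $Key) {
            $item = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.$name }
        }
        if ($null -eq $actual -or $actual -ne $Values[$name]) {
            $drift += [pscustomobject]@{
                Name     = $name
                Expected = $Values[$name]
                Actual   = $actual
            }
        }
    }
    return $drift
}

# Apply, then verify. Any rows printed here are values Outlook is not yet honouring.
Set-AutodiscoverLookupRestriction
$result = Test-AutodiscoverLookupRestriction
if ($result.Count -eq 0) {
    Write-Output "Autodiscover root-domain lookup restrictions are in place."
} else {
    Write-Output "Drift detected:"
    $result | Format-Table -AutoSize
}
```

The audit function is the useful half: after deployment, pair it with the web server team's request counts for /autodiscover/autodiscover.xml on the root and www hosts. If the registry values report compliant but those requests keep arriving from domain-joined clients, that is the same symptom the post describes and points at a client still ignoring the Exclude* values rather than at the web server.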