ActiveSync Autodiscover URL

A peculiar situation... an iPhone refused to setup an exchange account and every time you try an error comes up: Unable not verify account information. It turned out to be a simple typo, but not by the user! A typo that could easily be overlooked given the tools we generally troubleshoot with. Here's how things panned out...

After entering in the user credentials in an exchange account setup, it successfully discovers the mail server, so autodiscover is working right. Click next, and the error pops up. Next step, can we access the mail server via Safari? Yes, so at least we know it can connect to the server in question.

As I don't have access to the exchange server configuration to verify settings from the server's side, I had to troubleshoot it from the end-user side only.

First off... packet tracing on an iPhone. { Technical Q&A QA1176 for detailed instructions }

You'll need Xcode 4.2 or later installed and an iOS 5.x device with its USB cable.

  • Check your existing network interfaces by running ifconfig -l in Terminal.
  • Get your device identifier by connecting the iOS device with USB, run Xcode and click on Window > Organiser then select the device. Look for the identifier value.
  • Next type this command rvictl -s your-identifier-here
  • If you run ifconfig -l again, you'll notice a new interface rvi0
  • Then do sudo tcpdump -i rvi0 -s0 -w ~/Desktop/trace.pcap
  • Perform the failing exchange account setup on the device, once done stop the tcpdump by pressing ctrl+c in terminal

Using WireShark I opened up trace.pcap to analyse. The packet trace revealed that the device connects using SSL/TLS and then proceeds on to normal un-secure http traffic. Something it's not meant to do. The username/password was also sent in cleartext as a result of the un-secure communication.

Next port of call was Microsoft's tool www.testexchangeconnectivity.com with which I used the same credentials, only to find that I get green tick marks all over the place. Usually a good result!

I attempted the setup on another iOS device, however that resulted in the same error.

Going back to Microsoft's tool, I checked out the results thoroughly and found something that could very easily be overlooked, something Microsoft's tool won't even point out as a potential problem!

Autodiscover's whole point is to return a mail server to the device based on your smtp domain, in other words whatever is after the @ sign in your email address. In the iOS interface we only see that mail server as mail.pretendco.com. However, what autodiscover actually returns is a full URL such as http://mail.pretendco.com/Microsoft-Server-ActiveSync ....wait that's not right... yes... there's that typo!!! It should be https://mail.pretendco.com/Microsoft-Server-ActiveSync

What happens on iOS is that the returned URL from autodiscover also determines whether or not your iOS device will communicate using a secure connection. If that URL shows http://, it will go ahead in an un-secure fashion resulting in the error. To fix it, the exchange admins had to simply correct http to https and all was well again.

Bottom line: while Microsoft's exchange connectivity tool is really great to test/troubleshoot with, don't always just blindly trust those green tick marks.

Thoroughly check those autodiscover URLs!

Notes: This article is based on the assumption that the exchange mail server utilise secure communication and does not allow un-secure connections. Allowing un-secure connections to your exchange services is bad practice.