Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn't fix even after 5 years

broken by design

From a basic security perspective this 'feature' should be disabled by default, and be a complete and utter nightmare to enable. It is so flawed it was probably designed to be that way by a gagged FISA court order.

1st problem is that the client tries to connect to the root domain and works its way back to where its domain is.

So does autodiscovery. respond ? yes/no ? If No then try maybe try or or (depending on which domain name the client is in).

OK well then move back one level closer to where you are.

2nd problem is that the server can respond in basically plaintext and tell the client "I'm sorry I have no idea what that encrypted gibberish you are trying, can you just base64 encode the username and password (plaintext basically) and send them to me, we will try that"
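As an added, defender-side illustration of the two problems in the comment above (this is example code, not part of the thread or of any Microsoft or Exchange code): it enumerates the `autodiscover.` hostnames a client would try if it walks the mailbox domain one label at a time, reports which of those fall outside the organisation's own domains, and scans a few constructed proxy-log lines for Autodiscover requests that left the organisation and for Basic (base64) credentials being sent. The label-stripping walk, the log format and all hostnames are assumptions made for the example.

```python
"""Added example, not from the forum thread. Assumptions: the Autodiscover
back-off drops the leftmost label of the mailbox domain on each step, and
the proxy log is a constructed 'METHOD HOST PATH STATUS AUTH_SCHEME' line,
where AUTH_SCHEME is the scheme the client sent in Authorization ('-' if
none). Domains below are placeholders, not real infrastructure."""

from typing import Dict, List


def autodiscover_candidates(mail_domain: str) -> List[str]:
    """Hostnames produced by stripping one label per step (assumed walk).
    Stops before a bare top-level label, which no mailbox domain sits on."""
    labels = mail_domain.lower().strip(".").split(".")
    hosts = []
    while len(labels) >= 2:
        hosts.append("autodiscover." + ".".join(labels))
        labels = labels[1:]
    return hosts


def outside_org(hosts: List[str], org_domains: List[str]) -> List[str]:
    """Hosts that are neither an org domain nor a subdomain of one.
    Any hit is a hostname someone other than the org may register."""
    def owned(host: str) -> bool:
        return any(host == d or host.endswith("." + d) for d in org_domains)
    return [h for h in hosts if not owned(h)]


# Constructed sample log: the org (example.co.uk) does not publish an
# Autodiscover endpoint, so the client walks down to the registry level,
# gets a 401 from a host the org does not control, and retries with Basic.
PROXY_LOG = """\
GET autodiscover.corp.example.co.uk /autodiscover/autodiscover.xml 404 -
GET autodiscover.example.co.uk /autodiscover/autodiscover.xml 404 -
GET autodiscover.co.uk /autodiscover/autodiscover.xml 401 -
GET autodiscover.co.uk /autodiscover/autodiscover.xml 200 Basic
GET www.example.co.uk /index.html 200 -
"""


def scan_proxy_log(log: str, org_domains: List[str]) -> List[Dict[str, str]]:
    """Flag Autodiscover traffic that left the org's domains, and any
    request that carried Basic credentials (base64 of user:password)."""
    findings = []
    for line in log.splitlines():
        method, host, path, status, scheme = line.split()
        if "/autodiscover/" not in path.lower():
            continue  # unrelated web traffic
        if outside_org([host], org_domains):
            findings.append({"host": host,
                             "issue": "Autodiscover request left the organisation's domains"})
        if scheme.lower() == "basic":
            findings.append({"host": host,
                             "issue": "Basic (base64) credentials sent on the wire"})
    return findings


if __name__ == "__main__":
    org = ["example.co.uk"]
    cands = autodiscover_candidates("corp.example.co.uk")
    print("candidates:", cands)
    print("outside org:", outside_org(cands, org))
    for f in scan_proxy_log(PROXY_LOG, org):
        print(f"{f['host']}: {f['issue']}")
```

The first two functions give an administrator a quick way to see which names a walking client would end up at if the organisation's own `autodiscover.` record is missing, which is the mitigation side of the first problem; the log scan is the detection side of the second, since a client that honours a Basic challenge leaves an `Authorization: Basic` request that a proxy can log.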

