With a wildcard cert, this is incorrect, and causes clients to be unable to authenticate. However, Exchange autodiscover doesn't actually look at the type of certificate installed, it just makes the assumption that the certificate principal name is the same as the server name. I think I've found the solution to this problem.Īpparently autodiscover does override the outlook client settings distributed by GPO.
I don't think it's group policy doing this, because it happens instantly on restarting outlook.
When the same computer is logged into the domain, the principal name reverts back to the incorrect value every time Outlook restarts. When a computer is not connected to the domain, if we manually change the principal name to the correct value and restart outlook, the correct value stays, and the user can connect successfully. When viewing the proxy settings in outlook, everything was correct except the cert principal name, which was changed from msstd:*. to msstd: I linked it to an appropriate ou, and checked some computers and found that Outlook had all the correct proxy settings, with one exception. Proxy Authentication setting: NTLM Authentication Only connect if Proxy Server certificate has this principal name: msstd:*. When we rolled out Outlook Anywhere, I downloaded and installed the Article-961112.adm package, and created a policy with the following settings: