
Agile Insider Blog

Disable or Change MSSTD Mutual Authentication in Exchange 2007 Outlook Anywhere Autodiscovery

Learn more about our On-Prem Exchange Consulting.
———
While you can use multiple names in the SAN (Subject Alternative Name) field of an Exchange 2007 UCC certificate, Outlook 2007 will prompt for credentials repeatedly (and never succeed) if the certificate's primary “Issued To” name (the subject Common Name) does not match the name Outlook Anywhere is configured to require for mutual authentication, which by default is the external fully qualified name. OWA and Windows Mobile phones typically work fine with the same certificate, since they accept any name listed in the SAN field, but Outlook 2007 Autodiscover will never let you authenticate successfully until the principal name matches.

For example: you have an internal Exchange 2007 server named internal.company.local, clients connect externally to OWA and RPC over HTTP using the FQDN mail.company.com, and, wanting to do it right, you also included autodiscover.company.com so that external Outlook Anywhere and Windows Mobile clients can auto-configure from outside your firewall.

So when you requested the certificate from a Certificate Authority that supports SAN, you included all the names, made the internal server name (internal.company.local) the primary “Issued To” (subject) name, and listed all three names above in the SAN field.

To confirm that this is actually the problem, open Outlook's Outlook Anywhere (RPC over HTTP) proxy settings and either uncheck the principal-name option or change its value (which defaults to the external URL, msstd:mail.company.com) to the certificate's primary “Issued To” name, in this case msstd:internal.company.local. If the credential prompts stop, the mismatch is the cause. This happens whether you use Basic or NTLM authentication.

Note – While this works for a moment, Outlook will automatically overwrite the client setting back to the default, because the Outlook Anywhere settings refresh TTL is one hour. Since the server still publishes the old value, the change is lost the next time an Outlook 2007 or later client performs Autodiscover, so the fix has to be made on the server.

Fix: Set the correct Principal Name in PowerShell

From the Exchange Management Shell:

Set-OutlookProvider EXPR -Server $null -CertPrincipalName msstd:internal.company.local

This sets the mutual authentication principal name to the correct value, as shown in the screenshot above, and Autodiscover will push it to clients on the next refresh.


Alternate Fix – Disable the MSSTD checkbox in Outlook Anywhere (not recommended) in PowerShell

Set-OutlookProvider EXPR -Server $null -CertPrincipalName none

This clears the principal name so Outlook no longer requires a specific name in the proxy server's certificate. It makes the prompts go away, but it also removes the extra identity check Outlook Anywhere performs on the certificate, so setting the correct principal name is the better fix.

Verify the Setting

From PowerShell, run the cmdlet Get-OutlookProvider:

[PS] C:\Documents and Settings\Administrator>Get-OutlookProvider

Name                Server              CertPrincipalName   TTL
----                ------              -----------------   ---
EXCH                                                        1
EXPR                                    msstd:internal.c... 1
WEB                                                         4

[PS] C:\Documents and Settings\Administrator>
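The fix and verification steps above can be combined into a single check. The script below is an added example, not code from the original post: it reads the subject CN of the certificate enabled for IIS on this server, builds the expected msstd: value from it, compares that with the EXPR provider's CertPrincipalName (printing the full value rather than the truncated table column), and corrects it when run with -Apply. It assumes it runs in the Exchange Management Shell on the Client Access server and that the IIS certificate is the one Outlook Anywhere clients see; the $Apply switch is this example's own.

```powershell
# Added example (not from the original post): reconcile the Outlook Anywhere (EXPR)
# CertPrincipalName with the subject CN of the certificate assigned to IIS.
# Assumes the Exchange Management Shell on the Client Access server.
# Run without -Apply for a dry run; with -Apply to set the value.
param([switch]$Apply)

# The certificate Exchange uses for HTTPS (OWA, Outlook Anywhere, Autodiscover).
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate is enabled for the IIS service on this server."
}

# The "Issued To" name is the subject Common Name (CN). Outlook's msstd: check is
# satisfied only by this value; names that appear only in the SAN field do not count.
if (-not ($cert.Subject -match 'CN=([^,]+)')) {
    throw "Certificate subject has no CN: $($cert.Subject)"
}
$cn       = $Matches[1].Trim()
$expected = "msstd:$cn"

$expr    = Get-OutlookProvider EXPR
$current = [string]$expr.CertPrincipalName

Write-Host "Certificate thumbprint : $($cert.Thumbprint)"
Write-Host "Certificate subject CN : $cn"
Write-Host "SAN names              : $($cert.CertificateDomains -join ', ')"
Write-Host "EXPR CertPrincipalName : $current"

if ($current -eq $expected) {
    Write-Host "OK: the principal name already matches the certificate."
}
elseif ($Apply) {
    # Same cmdlet as the fix above; clients pick the new value up on the next
    # Autodiscover refresh (the TTL column, in hours).
    Set-OutlookProvider EXPR -Server $null -CertPrincipalName $expected
    Write-Host "Updated EXPR CertPrincipalName to $expected (client TTL: $($expr.TTL) hour(s))."
}
else {
    Write-Warning "Mismatch: expected '$expected' but found '$current'. Re-run with -Apply to set it."
}
```

Running it once before and once after the fix gives you a record of the old and new values, and printing the full CertPrincipalName avoids the "msstd:internal.c..." truncation in the default table view.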
