Error when you use the Remote Connectivity Analyzer tool to test Outlook Anywhere in an Office 365 environment: "Mutual Authentication could not be established"

Article ID: 2710606

PROBLEM

Note: The following scenario applies only to Microsoft Office 365 customers who have a hybrid deployment of on-premises Exchange Server and Exchange Online.

When you use the Microsoft Remote Connectivity Analyzer tool to test the Outlook Anywhere feature in a Microsoft Office 365 environment, the tool displays the following error message:

    Mutual Authentication could not be established.

Additionally, a user may experience the following symptoms:
  • The user is repeatedly prompted for credentials and can't connect to Exchange Online by using Outlook Anywhere.
  • The user receives the following error message when he or she uses Microsoft Outlook 2010 or Microsoft Office Outlook 2007 to create the Outlook profile automatically:

    An encrypted connection to your mail server is not available. Click Next to attempt using an unencrypted connection.

CAUSE

This issue occurs if one or more of the following conditions are true:
  • The common name does not match the mutual authentication (msstd:) string that's entered in the Remote Connectivity Analyzer tool.
  • The mutual authentication string is valid. However, the CertPrincipalName attribute for the EXPR OutlookProvider object that's stored in Active Directory is invalid.

    Note: The mutual authentication string corresponds to the "Only connect to proxy servers that have this principal name in their certificate" setting in the Exchange proxy settings in Outlook.

SOLUTION

To resolve this issue, follow these steps:
  1. View the web server certificate that's installed on the Exchange 2010 hybrid deployment server, and confirm the common name to which the certificate was issued (for example, mail.contoso.com).
  2. Open the Exchange proxy settings in Outlook, and check that the fully qualified domain name (FQDN) in the Mutual Authentication Principal Name field is entered correctly (for example, msstd:mail.contoso.com).
  3. If it's necessary, run the following cmdlet by using Exchange Management Shell to change the CertPrincipalName attribute:
    Set-OutlookProvider EXPR -CertPrincipalName:"msstd:mail.contoso.com"

MORE INFORMATION

The Remote Connectivity Analyzer tool negotiates a Secure Sockets Layer (SSL) connection to the remote host to retrieve various properties on X509 certificates. The tool evaluates the Subject attribute to identify the FQDN or common name that was assigned to the certificate (for example, mail.contoso.com). 
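
An added example, not part of the original article or of Microsoft's tooling: an offline comparison of a certificate Subject's common name against an msstd: string, which is the check the steps above ask you to do by eye. The function name Test-MsstdPrincipalName and all sample values are assumptions made for illustration; the function does a plain case-insensitive equality check and does not reproduce any other matching the Remote Connectivity Analyzer or Outlook may perform.

```powershell
# Added example; the function name and all sample values are constructed.
function Test-MsstdPrincipalName {
    param(
        [Parameter(Mandatory=$true)][string]$Subject,
        [Parameter(Mandatory=$true)][string]$CertPrincipalName
    )
    # Pull the common name out of the certificate Subject. Host names contain
    # no commas, so a simple pattern is enough for this check.
    $cn = $null
    if ($Subject -match '(?:^|,\s*)CN=([^,]+)') { $cn = $Matches[1].Trim() }

    $prefix = 'msstd:'
    $reason = 'OK'
    if (-not $cn) {
        $reason = 'Subject has no CN'
    } elseif (-not $CertPrincipalName.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        $reason = "Missing '$prefix' prefix"
    } elseif ($CertPrincipalName.Substring($prefix.Length) -ine $cn) {
        $reason = "Name after '$prefix' does not equal the certificate CN"
    }

    New-Object PSObject -Property @{
        CommonName        = $cn
        CertPrincipalName = $CertPrincipalName
        Match             = ($reason -eq 'OK')
        Reason            = $reason
    }
}

# Constructed Subject and candidate principal names (not from a real deployment).
$subject    = 'CN=mail.contoso.com, OU=IT, O=Contoso'
$candidates = 'msstd:mail.contoso.com', 'msstd:owa.contoso.com', 'mail.contoso.com'

foreach ($p in $candidates) {
    Test-MsstdPrincipalName -Subject $subject -CertPrincipalName $p |
        Select-Object Match, CertPrincipalName, Reason
}

# Against a real deployment (not run here), feed in the live values instead:
#   (Get-OutlookProvider EXPR).CertPrincipalName   # from Exchange Management Shell
#   the Subject of the web server certificate viewed in step 1
```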

For more information about the principal names, go to the following Microsoft Developer Network (MSDN) website:
  • Principal Names

For more information about Exchange 2010 and Exchange 2007 Outlook providers, go to the following Microsoft websites:
  • The Autodiscover Service and Outlook Providers
  • Set-OutlookProvider

Properties

Article ID: 2710606 - Last Review: May 31, 2013 - Revision: 6.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education (pre-upgrade)
  • Microsoft Exchange Online
Keywords: 
o365 o365e o365p o365a o365m o365062011 pre-upgrade hybrid o365022013 after upgrade KB2710606
