Outlook cannot connect to an Exchange server that uses certificate validation on a network device

Applies to: Outlook 2019, Outlook 2016, Outlook 2013

Symptoms


After you configure a network device to require certificate validation between Microsoft Outlook and Microsoft Exchange Server 2019, 2016, or 2013, you experience connection failures in Outlook clients.

Note: The network device can be a load balancer or another network device, as described in Certificate Selection and Validation.

This problem occurs especially if the network device is configured to require the client to present a certificate during the SSL handshake in the network layer instead of passing the traffic directly to the server that is running Exchange Server.
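To confirm that a device in the path is what asks for the client certificate, you can inspect the server side of the handshake in a packet capture. The following Python sketch is an added example, not part of the original article: it assumes a TLS 1.2 or earlier capture of the server-to-client bytes, and the function names and sample flights are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20          # TLS record content types
NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
         13: "CertificateRequest", 14: "ServerHelloDone"}

def server_flight(stream: bytes) -> list:
    """Name the cleartext handshake messages in a server-to-client byte stream."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):               # 5-byte record header
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            break                               # later records are encrypted
        if ctype == HANDSHAKE:
            buf += payload                      # messages may span records
    names, off = [], 0
    while off + 4 <= len(buf):                  # 1-byte type, 3-byte length
        mlen = int.from_bytes(buf[off + 1:off + 4], "big")
        if off + 4 + mlen > len(buf):
            break                               # truncated capture
        names.append(NAMES.get(buf[off], f"type {buf[off]}"))
        off += 4 + mlen
    return names

def requests_client_certificate(stream: bytes) -> bool:
    """True if the responder asked the client for a certificate."""
    return "CertificateRequest" in server_flight(stream)

# --- Constructed sample flights (placeholder bodies, not a real capture) ---
def _rec(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def _msg(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

_HELLO_CERT = _msg(2, bytes(38)) + _msg(11, bytes(3))
# CertificateRequest body: rsa_sign, rsa_pkcs1_sha256, empty CA list
_CERT_REQ = _msg(13, b"\x01\x01" + b"\x00\x02\x04\x01" + b"\x00\x00")
PASS_THROUGH = _rec(HANDSHAKE, _HELLO_CERT + _msg(14))
_flight = _HELLO_CERT + _CERT_REQ + _msg(14)    # split mid-message below
DEVICE_REQUIRES_CERT = _rec(HANDSHAKE, _flight[:50]) + _rec(HANDSHAKE, _flight[50:])

if __name__ == "__main__":
    for label, data in (("pass-through", PASS_THROUGH),
                        ("device requires cert", DEVICE_REQUIRES_CERT)):
        print(label, server_flight(data), requests_client_certificate(data))
```

A CertificateRequest in the flight means the endpoint that terminated the handshake asks for a client certificate. With TLS 1.3, or when the request is made through renegotiation, the message is encrypted and does not appear in this view.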

Cause


This issue occurs because Outlook does not support using the Windows certificate store as a credential. Outlook uses the Windows Credential Manager to provide credentials to servers.

Resolution


To configure certificate authentication in Outlook 2016 and later versions, we recommend that you use Modern Authentication. For more information about how to enable Modern Authentication, see the following articles:

Enable Modern Authentication in Office 365

Configure on-premises Exchange to use Hybrid Modern Authentication

More information


Outlook supports connecting directly by using Smart Card Authentication, with a physical smart card or a TPM chip-embedded virtual smart card for each user.

Certificate-based authentication is supported for OWA and ActiveSync clients, but not for Outlook running on Windows. For more information, see the following articles:

Configure Smart Card Authentication for Outlook Anywhere in Exchange Server

Demystifying Certificate Based Authentication with ActiveSync in Exchange Server