Outlook 2007, Exchange with Wildcard Certificate

This blog will explain the possible issues that you may face when using wildcard certificate in Exchange 2010, especially during the upgrade from Exchange 2007 to Exchange 2010.


In this scenario we will use tailspin.com domain. The normal upgrade scenario is to implement and configure Exchange 2010 CAS with the wildcard certificate, then import the wildcard certificate on Exchange 2007 CAS, and the following will be applied:

1. mail.tailspin.com will point to the CAS 2010 server

2. legacy.tailspin.com will point to CAS 2007 server.

3. CAS2007 URLs will be changed to legacy.tailspin.com (OWA, ActiveSync, OAB, EWS), including Outlook Anywhere endpoint.

4. CAS 2010 URLs will be configured with mail.tailspin.com.


The migration process details will not be covered in this blog, so let’s see Outlook problems directly:

1. Outlook 2010 on Windows 7: everything will work perfectly fine with no problems.

2. Outlook 2007 before SP2: Out Of Office will not work internally using RPC until you apply Service Pack 3 and latest updates.

3. Outlook 2007 SP2 with Windows 7: will work internal by RPC and from Internet by Outlook Anywhere.

4. Outlook 2007 with Windows XP: Outlook RPC internally will work fine. Outlook Anywhere will keep asking about user name and password repeatedly and will not work.


The problem here that Outlook 2007 will check the value of msstd in the configuration of Outlook Anywhere:



And then Outlook 2007 will compare the msstd value with the common name value in the certificate, as we are using wildcard certificate this value will be *.tailspin.com. and as the value is not the same it will keep asking for credential and Autodiscover will not work.


The solution as mentioned in this article: http://technet.microsoft.com/en-us/library/cc535023(EXCHG.80).aspx is to use set-outlookprovider command as the following:

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.tailspin.com


This command will simply change the value of msstd populated by Autodiscover to *.tailspin.com, so Windows XP will find the same value as the common name value in the wildcard certificate.

This blog will focus on the client side behavior once applying this command, as explained before:

1. Anything on Windows 7 will work fine (Outlook 2007 and Outlook 2010).

2. Outlook 2007 with sP3 and Windows XP: Outlook RPC will work fine internally, autodiscover will update the msstd value to *.tailspin.com.

3. Outlook 2007 with SP3 and Windows XP: Outlook anywhere was as the above snapshot, and will keep prompting for user name and password, but because now the msstd value is the same as the common name, Autodiscover will work and will fix the profile but in order to have the new settings you will need to restart Outlook.


The following snapshot from Outlook using outlook anywhere after putting the user name and password first time, then click cancel after that:



In the above snapshot note that Autodisover changed msstd to *.tailspin.com, also note that Outlook is still need password.

Note also that Autodiscover didn’t update the Outlook Anywhere end point to legacy.tailspin.com (which is the normal behavior of Outlook), Outlook Anywhere will work fine because E2010 CAS will proxy to Exchange 2007.

If you want to change the Outlook Anywhere endpoint then you will need to repair the profile, so you will have the right endpoint. In our scenario because we don’t want the users to do any changes and because we will move the mailboxes and at the end all users will mail not legacy we just informed the users to open Outlook, put the username and password, then close Outlook and Open it again.


Now close Outlook and open it again, you will be asked for username and password (as normal basic authentication in Outlook Anywhere) and everything will work perfectly:



Note that now Outlook is connected through Outlook Anywhere, and OOF is working fine:




Last comment on this, if the client connected through RPC (internally) after adding set-outlookprovider command:

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.tailspin.com


Outlook will get the changes through Autodiscover and will change the msstd value to *.tailsping.com, and next time when the client is accessing from the Internet by OA everything will work fine.

So the expected behavior will be:

1. Start Outlook from Internet (OA) after the changes:

a. Users will be prompted for username and password (Windows XP & Outlook 2007).

b. Autodiscover will update the msstd value with *.tailspin.com.

c. Restart Outlook to the new settings to take effect.

2. Outlook will be started internally (RPC) after the changes:

a. Outlook will get the new value of msstd through Autodiscover.

b. No user name and password, everything will work fine on RPC.

c. When try OA after that everything will work because the msstd value is updated.


Having say so it will worth to note that Autodiscover works in the following conditions:

  • Every time that the application starts
  • At intervals on a background thread (every 60 minutes)
  • Any time that the client’s connection to an Exchange server fails


Which means if Outlook is already running during the changes, Autodiscover will modify the value based on the background thread (maximum 60 minutes after changes).