"Mutual Authentication could not be established" error when using Remote Connectivity Analyzer to test Outlook Anywhere in Microsoft 365
Note
The Hybrid Configuration wizard that's included in the Exchange Management Console in Microsoft Exchange Server 2010 is no longer supported. Therefore, you should no longer use the old Hybrid Configuration wizard. Instead, use the Microsoft 365 Hybrid Configuration wizard. For more information, see Microsoft 365 Hybrid Configuration wizard for Exchange 2010.
Symptoms
Note
The following scenario only applies to Microsoft 365 customers who have a hybrid deployment of on-premises Exchange Server and Exchange Online.
When you use the Microsoft Remote Connectivity Analyzer tool to test the Outlook Anywhere feature in a Microsoft 365 environment, the tool displays the following error message:
Mutual Authentication could not be established.
Additionally, a user may experience the following symptoms:
- The user is repeatedly prompted for credentials and can't connect to Exchange Online by using Outlook Anywhere.
- The user receives the following error message when using Outlook 2010 or Outlook 2007 to create the Outlook profile automatically:
  An encrypted connection to your mail server is not available. Click Next to attempt using an unencrypted connection.
Cause
This issue occurs if one or more of the following conditions are true:
- The common name does not match the mutual authentication (msstd:) string that's entered in the Remote Connectivity Analyzer tool.
- The mutual authentication string is valid. However, the CertPrincipalName attribute for the EXPR OutlookProvider object that's stored in Active Directory is invalid.
Note
The mutual authentication string equates to the Only connect to proxy servers that have this principal name in their certificate setting in the Exchange proxy settings in Outlook.
Resolution
To resolve this issue, follow these steps:
1. View the web server certificate that's installed on the hybrid server, and confirm the common name to which the certificate was issued (for example, mail.contoso.com).
2. Open the Exchange proxy settings in Outlook, and check that the fully qualified domain name (FQDN) in the Mutual Authentication Principal Name field is entered correctly (for example, msstd:mail.contoso.com).
3. If it's necessary, run the following cmdlet by using Exchange Management Shell to change the CertPrincipalName attribute:
   Set-OutlookProvider EXPR -CertPrincipalName:"msstd:mail.contoso.com"
More information
The Remote Connectivity Analyzer tool negotiates a Secure Sockets Layer (SSL) connection to the remote host to retrieve various properties on X509 certificates. The tool evaluates the Subject attribute to identify the FQDN or common name that was assigned to the certificate (for example, mail.contoso.com).
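The checks from the Resolution steps and the certificate lookup described above can be scripted. The following PowerShell is an added example, not part of the original article: it reads the certificate that the host presents, takes the subject common name, and compares it with the msstd: string and with the CertPrincipalName value on the EXPR provider. The function names are hypothetical, mail.contoso.com is the article's sample host name, and Get-OutlookProvider is available only in the Exchange Management Shell.

```powershell
# Added example. Function names are hypothetical; mail.contoso.com is the article's sample host.
function Get-ServerCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented: it is only inspected here, never trusted.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}

function Test-MutualAuthName {
    param(
        [Parameter(Mandatory = $true)][string]$PrincipalName,    # for example msstd:mail.contoso.com
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ProviderCertPrincipalName                        # value read from the EXPR provider
    )
    # SimpleName returns the subject's common name when the certificate has one.
    $nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $commonName = $Certificate.GetNameInfo($nameType, $false)
    $expected   = $PrincipalName -replace '^msstd:', ''

    # String comparison with -eq is case-insensitive, which suits host names.
    New-Object PSObject -Property @{
        CertificateCommonName = $commonName
        PrincipalName         = $PrincipalName
        CommonNameMatches     = ($commonName -eq $expected)
        ProviderValue         = $ProviderCertPrincipalName
        ProviderMatches       = ($ProviderCertPrincipalName -eq $PrincipalName)
    }
}

$cert     = Get-ServerCertificate -HostName 'mail.contoso.com'
$provider = (Get-OutlookProvider -Identity EXPR).CertPrincipalName
Test-MutualAuthName -PrincipalName 'msstd:mail.contoso.com' -Certificate $cert `
    -ProviderCertPrincipalName $provider
```

If CommonNameMatches or ProviderMatches is False, the corresponding condition listed under Cause applies.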
For more information about the principal names, see Principal Names.
For more information about Outlook providers, see: