Outlook can't connect to an Exchange server that uses certificate validation on a network device

Original KB number:   4488049

Symptoms

After you configure a network device to require certificate validation between Outlook and Exchange Server 2019, 2016, or 2013, you experience connection failures in Outlook clients.

Note

The network device can be a load balancer or another network device, as described in Certificate Selection and Validation.

This problem occurs especially if the network device is configured to require the client to present a certificate during the SSL handshake in the network layer instead of passing the traffic directly to the server that is running Exchange Server.

Cause

This issue occurs because Outlook doesn't support using the Windows certificate store as a credential. Outlook uses the Windows Credential Manager to provide credentials to servers.

Resolution

To configure certificate authentication in Outlook 2016 and later versions, we recommend that you use Modern Authentication. For more information about how to enable Modern Authentication, see the following articles:

• Enable Modern Authentication in Microsoft 365
• Configure on-premises Exchange to use Hybrid Modern Authentication

More information

Outlook supports connecting directly to Smart Card Authentication by using a physical smart card or a TPM chip-embedded virtual smart card for each user. Certificate-based authentication is supported for Outlook Web App (OWA) and Exchange ActiveSync clients, but not in Outlook that is running on Windows. For more information, see the following articles:

• Configure Smart Card Authentication for Outlook Anywhere in Exchange Server
• Demystifying Certificate Based Authentication with Exchange ActiveSync in Exchange Server