I was working on a recent greenfield deployment of Exchange 2013 that ran into a client issue. The default authentication configuration of the Client Access Server (CAS) did not allow XP clients with Outlook 2007 to connect from outside the organization. Users on these machines were prompted for credentials repeatedly, even when the proper username and password were used, and a successful connection was never made.
We found there were three requirements in order for the XP clients to connect.
1. The Office 2007 clients had to have Service Pack 3 with the Outlook 2007 November 2012 update (12.0.6665.5000). More information can be found here: http://go.microsoft.com/fwlink/p/?linkid=3052&kbid=2687404
2. The EXPR Outlook Provider had to have the CertPrincipalName configured. In this case a wildcard existed in the common name of the certificate, so it was set to msstd:*.domain.com. More information on the Set-OutlookProvider command can be found here: http://technet.microsoft.com/en-us/library/bb123683(v=exchg.150).aspx
3. Finally, the authentication allowed for Outlook Anywhere clients had to be changed. The main issue seems to be a conflict between Exchange 2013 and XP clients over how Negotiate authentication is understood. A number of forum posts suggest switching the Exchange virtual directories to Basic authentication, but this is a little heavy-handed. In the end, just adding Basic and NTLM authentication to the IIS section of Outlook Anywhere allowed XP clients to connect. The best part is that Outlook Anywhere itself still required Negotiate authentication, and the XP clients were connecting with it, so the security of the environment was not affected.
The command used is below.
Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic,NTLM,Negotiate
In order for the changes to take effect, an IISReset must be run on each CAS server.
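The server-side steps above (requirements 2 and 3), combined with a before/after check, as an added example that is not part of the original post. It assumes the Exchange 2013 Management Shell, and the `msstd:*.domain.com` value is the placeholder from the post; the variable names are illustrative.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2013).
# 'msstd:*.domain.com' is the post's placeholder; use your certificate's name.
$principal = 'msstd:*.domain.com'
$iisAuth   = 'Basic', 'NTLM', 'Negotiate'

# 1. Record the current state so the change can be reviewed or rolled back.
Get-OutlookProvider -Identity EXPR | Format-List Name, CertPrincipalName
$before = Get-OutlookAnywhere |
    Select-Object Server, ExternalClientAuthenticationMethod, IISAuthenticationMethods
$before | Format-Table -AutoSize

# 2. Requirement 2: set the certificate principal name on the EXPR provider.
Set-OutlookProvider -Identity EXPR -CertPrincipalName $principal

# 3. Requirement 3: widen only the IIS authentication methods.
#    The client authentication method is deliberately left untouched.
Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods $iisAuth

# 4. Verify each CAS: all three IIS methods present, and the client-facing
#    method unchanged from the value recorded in step 1.
$report = foreach ($oa in Get-OutlookAnywhere) {
    $current = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })
    $missing = @($iisAuth | Where-Object { $current -notcontains $_ })
    $prior   = $before | Where-Object { "$($_.Server)" -eq "$($oa.Server)" }

    [pscustomobject]@{
        Server            = "$($oa.Server)"
        IISMethods        = $current -join ','
        MissingIISMethods = $missing -join ','
        ClientAuthMethod  = "$($oa.ExternalClientAuthenticationMethod)"
        ClientAuthChanged = ("$($prior.ExternalClientAuthenticationMethod)" -ne
                             "$($oa.ExternalClientAuthenticationMethod)")
    }
}
$report | Format-Table -AutoSize

# 5. The new settings apply only after IIS restarts. List the servers that
#    still need 'iisreset' run locally, in a maintenance window.
$report | ForEach-Object { "Run iisreset on: $($_.Server)" }
```

A non-empty MissingIISMethods column or ClientAuthChanged set to True on any row means that server does not match the configuration described in the post.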