
I have a single Exchange 2010 server whose autodiscover service had previously worked fine (correctly configured RPC-over-HTTP) when I had a non-wildcard certificate. After I replaced the certificate with a wildcard certificate, the autodiscover service keeps configuring new clients as IMAP. This is definitely not the desired behavior. I have already applied the Set-OutlookProvider command to change the trusted name to msstd:*.mydomain.com. TestExchangeConnectivity.com says that everything is fine, with only a single warning about the Trusted Root Update on older Windows machines. Yet autodiscover is clearly not working. What can I do / why might autodiscover configure IMAP rather than RPC-over-HTTP?

Edit: By the way, when I configure the account manually and specify HTTP proxy settings for all connection speeds, it works fine. The only sketchy thing is during the Check Name portion, it does not want the DOMAIN\user format but just the full, actual name.

Edit 2: Autodiscover response below:

<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>J Shin</DisplayName>
<LegacyDN>/o=mydomain/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=J Shin</LegacyDN>
<DeploymentId>e8362375-54d7-471c-acd9-7e5116e4810e</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>myserver.corp.mydomain.com</Server>
<ServerDN>/o=mydomain/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=myserver</ServerDN>
<ServerVersion>738280F7</ServerVersion>
<MdbDN>/o=mydomain/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=myserver/cn=Microsoft Private MDB</MdbDN>
<ASUrl>https://myserver.corp.mydomain.com/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://myserver.corp.mydomain.com/EWS/Exchange.asmx</OOFUrl>
<OABUrl>https://mail.mydomain.com/OAB/84798c85-90d3-45fc-a67e-72d928e57ae6/</OABUrl>
<UMUrl>https://myserver.corp.mydomain.com/EWS/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<PublicFolderServer>myserver.corp.mydomain.com</PublicFolderServer>
<AD>EMDDC21.corp.mydomain.com</AD>
<EwsUrl>https://myserver.corp.mydomain.com/EWS/Exchange.asmx</EwsUrl>
<EcpUrl>https://myserver.corp.mydomain.com/ecp/</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
<EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
<EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>mail.mydomain.com</Server>
<ASUrl>https://mail.mydomain.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://mail.mydomain.com/ews/exchange.asmx</OOFUrl>
<OABUrl>https://mail.mydomain.com/OAB/84798c85-90d3-45fc-a67e-72d928e57ae6/</OABUrl>
<UMUrl>https://mail.mydomain.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<CertPrincipalName>msstd:*.mydomain.com</CertPrincipalName>
<EwsUrl>https://mail.mydomain.com/ews/exchange.asmx</EwsUrl>
<EcpUrl>https://mail.mydomain.com/ecp/</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
<EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
<EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://myserver.corp.mydomain.com/owa/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://myserver.corp.mydomain.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
<External>
<OWAUrl AuthenticationMethod="Fba">https://mail.mydomain.com/owa/</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://mail.mydomain.com/ews/exchange.asmx</ASUrl>
</Protocol>
</External>
</Protocol>
</Account>
</Response>
</Autodiscover>
tacos_tacos_tacos
  • Have you tried the ActiveSync + ActiveSync Autodiscover tests here? https://www.testexchangeconnectivity.com/ – pauska Jan 08 '13 at 18:54
  • @pauska yes, and all tests (active sync, active sync autodiscover, autodiscover, rpc-http) return all passes except for one warning about compatibility with root certificate updates, which doesn't apply to my clients. – tacos_tacos_tacos Jan 08 '13 at 18:58
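One thing worth checking in the posted response is which hostnames the `CertPrincipalName` actually covers. A wildcard of `*.mydomain.com` matches `mail.mydomain.com` but not `myserver.corp.mydomain.com` (a wildcard only covers one label), and the EXCH protocol block in the response still points at the `corp.mydomain.com` name. The script below is an added example, not the poster's code or anything Exchange ships: it parses an abridged, constructed copy of the response from the question and lists every Server/URL host that the `msstd:` principal name would not match.

```python
"""Check an Outlook Autodiscover response for hostnames the certificate
principal name (msstd:...) will not cover.  Added example; the XML below is
an abridged copy of the response posted in the question (constructed input)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

AUTODISCOVER_XML = """<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Account>
<Protocol>
<Type>EXCH</Type>
<Server>myserver.corp.mydomain.com</Server>
<ASUrl>https://myserver.corp.mydomain.com/EWS/Exchange.asmx</ASUrl>
<OABUrl>https://mail.mydomain.com/OAB/84798c85-90d3-45fc-a67e-72d928e57ae6/</OABUrl>
<EcpUrl>https://myserver.corp.mydomain.com/ecp/</EcpUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>mail.mydomain.com</Server>
<ASUrl>https://mail.mydomain.com/ews/exchange.asmx</ASUrl>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<CertPrincipalName>msstd:*.mydomain.com</CertPrincipalName>
</Protocol>
</Account>
</Response>
</Autodiscover>"""

# Namespace of the <Response> element and everything beneath it.
NS = {"a": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}


def cert_name_matches(principal, host):
    """Return True if a certificate name (optionally prefixed 'msstd:') covers host.
    A wildcard in the leftmost label matches exactly one label, so
    '*.mydomain.com' covers 'mail.mydomain.com' but not 'myserver.corp.mydomain.com'."""
    if principal is None:
        return False
    name = principal.split(":", 1)[1] if principal.lower().startswith("msstd:") else principal
    name, host = name.lower(), host.lower()
    if name.startswith("*."):
        suffix = name[1:]  # e.g. ".mydomain.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return name == host


def find_mismatches(xml_text):
    """Return (principal_name, [(protocol_type, element, host), ...]) for every
    Server or https URL in the response whose host the principal does not cover."""
    root = ET.fromstring(xml_text)
    protocols = root.findall(".//a:Protocol", NS)

    principal = None
    for proto in protocols:
        cpn = proto.find("a:CertPrincipalName", NS)
        if cpn is not None and cpn.text:
            principal = cpn.text.strip()

    mismatches = []
    for proto in protocols:
        ptype = proto.findtext("a:Type", default="?", namespaces=NS)
        for child in proto:
            tag = child.tag.split("}", 1)[1]   # strip the namespace prefix
            text = (child.text or "").strip()
            if tag == "Server":
                host = text
            elif tag.endswith("Url") and text.startswith("https://"):
                host = urlparse(text).hostname   # relative EcpUrl-* values are skipped
            else:
                continue
            if not cert_name_matches(principal, host):
                mismatches.append((ptype, tag, host))
    return principal, mismatches


if __name__ == "__main__":
    principal, bad = find_mismatches(AUTODISCOVER_XML)
    print("CertPrincipalName:", principal)
    for ptype, tag, host in bad:
        print(f"  not covered: {ptype} {tag} -> {host}")
```

Run against the posted response this reports the three EXCH entries on `myserver.corp.mydomain.com`; the EXPR entries on `mail.mydomain.com` and the OAB URL pass. That is consistent with the fix in the accepted answer of pointing the internal URLs at the public name that the wildcard certificate actually covers.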

1 Answer

I wish I had answered this sooner, since I've forgotten some of the details of how I solved this (mainly through trial and error) - so take this answer with the appropriate grain of salt in case I am not remembering correctly. Here's what I did:

  1. Regenerated a CSR for my wildcard certificate using Exchange rather than IIS7.5
  2. Obtained the new certificate and confirmed it worked in other places where it was being used
  3. Changed both internal and external URLs to the public name (mail.mycompany.com)
  4. Created an internal DNS record for mail.mycompany.com to point to an interface only accessible from inside (not the one that gets the NATted traffic from the WAN)
  5. Verified that the DNS resolution works as expected (I get the internal IP from inside and the external IP from outside)
  6. Reset all IIS Exchange authentication settings to the defaults provided by Microsoft
  7. Allowed NTLM authentication for RPC-over-HTTP
  8. Changed autodiscovery settings in PowerShell to reflect the previous changes
  9. Changed autodiscovery settings to prefer RPC-over-HTTP always
  10. Verified the issue was gone by attempting to use autodiscovery to connect to my mail server.

One hiccup was that when authenticating from outside (i.e., not through SSO), I had to instruct users to provide their username in the MYCOMPANY\username format.

tacos_tacos_tacos