If I can get round this without giving users 'log on locally' rights to my Exchange server(also a DC!) then I'll be happier. The fact that basic authentication works for clients external to my LAN makes me think that this can't just be a 'log on locally' issue.