Configure certificate-based authentication for Exchange ActiveSync

re: Configure certificate-based authentication for Exchange ActiveSync

Johnathan — Mon, 31 Dec 2012 19:41:10 GMT

It seems that in our testing the cert does not have to be published back to the user account, only the Subject / SAN name have to include the email address. We have an MDM pushing the Cert with SCEP/NDES and it writes all the certs back to the MDM's account. So it looks like it doesn't matter which account it is written back to. Does that seem like a security flaw? or am I over thinking it?

re: Configure certificate-based authentication for Exchange ActiveSync

Fred — Mon, 03 Dec 2012 14:54:52 GMT

In the article you mention that UAG also supports CBA for ActiveSync. Has something changed? UAG doesnt currently support CBA for EAS - Is this functionality being added in the Service Pack 3 for UAG release?

re: Configure certificate-based authentication for Exchange ActiveSync

ahwc — Fri, 30 Nov 2012 19:08:00 GMT

thanks for the article, will this work if the Forefront TMG gateway has TLS renegotiation disabled?

re: Configure certificate-based authentication for Exchange ActiveSync

Bharat Suneja [MSFT] — Thu, 29 Nov 2012 18:58:46 GMT

@Ronald den Os:

- The TMG whitepaper linked in this post is from 2010.
- TMG will continue to be supported for years. See the TMG support lifecycle.
- As stated in the beginning of this particular post: "In this post, we will discuss how to configure CBA for EAS for Exchange 2010 in deployments without TMG or UAG."

re: Configure certificate-based authentication for Exchange ActiveSync

Bharat Suneja [MSFT] — Thu, 29 Nov 2012 18:53:36 GMT

@Anonymous: We've pinged the Windows 8 Mail team, will update the previous post (Supporting Windows 8 Mail in your organization) with the info.

re: Configure certificate-based authentication for Exchange ActiveSync

Bharat Suneja [MSFT] — Thu, 29 Nov 2012 18:51:11 GMT

@Benoit Boudeville: Thanks for catching that - fixed.

re: Configure certificate-based authentication for Exchange ActiveSync

Thu, 29 Nov 2012 13:00:48 GMT

What if you dont use Active Directory Integrated CA. That is, if you use Standalone CA or Public CA? check out this solution: refikunver.wordpress.com/.../problem-exchange-active-sync-with-certificate-authentication-does-not-work-with-standalone-ca

re: Configure certificate-based authentication for Exchange ActiveSync

Andreas Helland — Thu, 29 Nov 2012 09:21:10 GMT

You're right - it is problematic in deed.

Android, iOS and Windows Phone all support client certs for EAS by now. But how you get the certificate onto the device varies:

Android can use /certsrv.

iOS can use iPhone Configuration Utility to enroll.

Windows Phone 7.x can install a pfx file. (I have not tested whether WP 8 works with /certsrv yet, but it should support pfx as well.)

There's more details on this over at my blog:

mobilitydojo.net/.../certsrv-vs-mobile-devices

mobilitydojo.net/.../client-certificates-in-android-ice-cream-sandwich

Using MDM there are different approaches depending on how the vendor has chosen to implement it, but in general it will be easier for the end-user with MDM.

There's also a test utility on my blog if you like to test client certs auth and troubleshoot:

mobilitydojo.net/downloads

re: Configure certificate-based authentication for Exchange ActiveSync

Benoit Boudeville — Thu, 29 Nov 2012 09:13:06 GMT

Good article, however the SPN to add for the Exchange 2003 server is "HTTP/serverFQDN", not "HTTP://serverFQDN". You may also consider adding the shortname as it's a common practice even though probably not required.

re: Configure certificate-based authentication for Exchange ActiveSync

Ronald den Os — Thu, 29 Nov 2012 08:16:38 GMT

Why publish all those TMG whitepapers when Microsoft discontinues the product this week? Doesn't make any sense...