Comments on: Personal Certificates and Exchange ActiveSync

By: Andreas

Andreas — Tue, 29 Nov 2011 21:48:42 +0000

Loading xml files on the device like this is a Windows Mobile specific thing.
iPhone supports client certificates, and some Android devices do as well, but how you enroll the certificates for these operating systems would require a different approach.

By: Steve

Steve — Tue, 29 Nov 2011 17:36:59 +0000

Can this work with Android and iPhone devices as well?

By: Andreas

Andreas — Fri, 15 Jan 2010 19:23:49 +0000

Not to my knowledge. ActiveSync can only handle one authentication type. Part of the point in moving to certificates is getting rid of the password which in addition to the security perspective also is annoying from a user perspective The certificate is separate from the password attribute so when using a certificate ActiveSync will not have any knowledge of expiration dates on the password.

If you want to handle certificates in a more strict manner you can edit the template and set the validity to less than 1 year (which is the default). You can also look into enrolling separate certificates for the device and have this checked/verified at the edge (on something like ISA server) although this requires some extra work (read: coding or buying third-party apps). You can also put the Exchange server behind a VPN tunnel that requires username/password, but I would discourage you from doing this. (It’s not a good user experience if you experience drops in connections, and it will consume extra battery.)

Combining some of the above you could go for SCMDM as a device management solution, but that’s a lot of extra work if you do not need an MDM solution

By: Prashant Singh

Prashant Singh — Fri, 15 Jan 2010 08:16:41 +0000

Hi, Is there a way to have both password and client certificate enabled so as to double up the security. I would like to have the password re-entered on device if the AD password changes.

By: Andreas

Andreas — Sat, 14 Nov 2009 13:49:27 +0000

With client certificates you do not have to re-enter your password on the device. By default a user certificate will have a valid period of one year, which means you must re-enroll every year, (and possibly use the password when doing this), but other than that the password is no longer an issue.

By: GS

GS — Sat, 14 Nov 2009 06:11:51 +0000

So if I configure windows mobile device to use certificates (self-signed or 3rd party), user will not be asked to enter new password to re-initiate sync after user change password for his/her domain account? This is based on a scenario where user’s domain account password has to be reset every 90 days.
I am trying to determine if there is an alternative to entering new password in the mobile device every 90 days.

Thanks,
GS

By: Deepak Kumar

Deepak Kumar — Wed, 08 Apr 2009 02:57:54 +0000

Thanks for publishing.