Comments on: Securing Exchange ActiveSync with Client Certificates – LAN Access

By: Andreas

Andreas — Sat, 12 Nov 2011 13:28:18 +0000

Well, ok, then the 403 would indeed be caused by failing client certificate authentication.
iOS devices have good support for client certs so they usully work nicely once they’re configured. Android can be a hassle with client certs (as they’re not supported in the native EAS client). Are you using a third-party ActiveSync client? TouchDown from Nitrodesk supports it, and the newer Samsung support it (you don’t get to configure it without MDM though). Ice Cream Sandwich should bring native support for client certs. So I can’t really tell why it’s failing on your Android devices without knowing more.
As for why it doesn’t work with my utility..that’s on my table I have tested my utility quite extensively against both Exchange 2007 and 2010 with and without a ForeFront TMG in front. Do you have the client cert as a pfx file with a private key? And password protected? Does my utility give any errors indicating it’s not able to read the certificate? (I assume you are using the latest version of EAS MD.) Is your Exchange server configured to require both username/password and a client cert, or only certificates? Is the username in user@domain.com or domain\user format?
Try to remove the fake device from OWA (if it’s present) and re-attempt to sync.

By: TheGeekCook

TheGeekCook — Fri, 11 Nov 2011 15:42:27 +0000

Thanks for your response Andreas. The 403 error occurs on your utility and Android devices. The Android devices would work only if the Exchange 2010 is set to “ignore client certificate”. There’s also no rules to govern which device can log on. We even allow non-provisioned devices.
A client certificate is needed but I’ve tried the certificate on the utility and android without any success.
I don’t know what else to check.

By: Andreas

Andreas — Fri, 04 Nov 2011 09:26:17 +0000

If iOS devices are working your ActiveSync setup should be good in general – does the 403 error only occur with my utility or also with Android devices (if you are able to test this)? The 403 error indicates that for some reason you aren’t allowed to use the service, even though it’s most likely up-and-running. Do you know if the Exchange Server is running any kind of filters as to which devices are allowed? Or does it require client certificates perhaps? A reverse proxy in front performing additional checks?
Is this Exchange 2007 or 2010?

By: TheGeekCook

TheGeekCook — Tue, 01 Nov 2011 18:26:35 +0000

I keep getting this error using the utility. I have SSL and certificate both checked. But all iPhones and iPads are ok. Is it normal?

Testing HTTP GET:
Response: The remote server returned an error: (403) Forbidden.
Explanation:
The server requires SSL and will not let you connect over HTTP.
(For instance trying to connect over HTTP while IIS requires SSL.)
Status: Further action required
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Testing HTTP OPTIONS:
Response: The remote server returned an error: (403) Forbidden.
Explanation:
The server requires SSL and will not let you connect over HTTP.
(For instance trying to connect over HTTP while IIS requires SSL.)
Status: Further action required

By: Andreas

Andreas — Wed, 04 May 2011 10:46:13 +0000

It could be that your server is more tightened security-wise than my lab environment But of course in a production environment one should be doing so, so it’s a useful tip (will insert it into the article).
Haven’t gotten round to testing Moxier – I usually prefer to not having to resort to third-party utils/sw for what I consider basic functionality. (In my opinion the lack of proper Exchange support on Android is something Google should be ashamed of.)
But unless S/MIME & client certs support shows up in the Samsung Galaxy S II (I mean – the Gingerbread ROM for the S is promising) I’ll eventually have to test Moxier or TouchDown properly.

By: Garrett

Garrett — Tue, 03 May 2011 20:01:52 +0000

Couldn’t get it working until I ran the following commands:

appcmd unlock config /section:clientCertificateMappingAuthentication
appcmd set config “Default Web Site/Microsoft-Server-ActiveSync” -section:clientCertificateMappingAuthentication /enabled:true

I kept getting 401.2.

I’m using Moxier Mail on Android which does support client certificates as well as S/MIME signing and encryption.

By: Andreas

Andreas — Mon, 28 Mar 2011 19:48:08 +0000

The client in the case of the mobile devices is the TMG server, or a similar solution. The certificate is what proves the identity of the mobile device, but TMG needs to be a member of Active Directory to use Kerberos Constrained Delegation.

There are differences between the mobile operating systems as to what format they like their certificates in, but both Windows Mobile and iPhone are happy to use pfx files whereas Android prefers it as a p12 (which can be just a renamed pfx file if you like). The details of how to import them and use them is also slightly out of scope for this article – as I’ve said before in a number of articles. You will need to do testing before using client certificates, but once you get it working it’s real nice

By: Kenny

Kenny — Mon, 28 Mar 2011 17:14:36 +0000

The documentation to which one is referred for client certificate mapping authentication says that for using AD authentication, both the server and client have to be members of an Active Directory domain. For the testing that might work, but the mobile devices are not going to be members of the/a domain. Is this an issue with client certificate mapping authentication using Active Directory?

By: Kenny

Kenny — Fri, 25 Mar 2011 21:25:16 +0000

I did finally get the certs created as outlined in the article I referenced earlier, but I’m not sure I know how to import/enroll them.

By: Kenny

Kenny — Fri, 25 Mar 2011 20:29:29 +0000

I was looking forward to following your guidance but it seems I’m a few steps behind. For client certificates, I wanted to create self-signed certs. I attempted using OpenSSL For Windows, mostly following the info at http://serverfault.com/questions/168580/creating-client-certificates but when it came to step 6 to sign the client certificates “with the CA cert” I never have gotten the openssl.cfg file right do get it to open the ca.key.

Can you refer me to better guides to create certs for mobile devices or do you have any comments that might provide guidance so I can get to the point of testing with your emulator program?

Thanks.