How to Configure Certificate-Based Authentication for Exchange ActiveSync

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic explains how to use the Exchange Management Console and the Exchange Management Shell to configure certificate-based authentication for Microsoft Exchange ActiveSync.

Exchange ActiveSync supports several types of user authentication. By default, Exchange ActiveSync is configured to use Basic authentication. This transmits the user name and password in clear text. You can configure Exchange ActiveSync to use certificate-based authentication. This method uses a certificate on both the server and the device to validate the connection from the device to the server.

Note

If you plan to use Basic authentication for Exchange ActiveSync, we recommend that you use Secure Sockets Layer (SSL) for increased security. When you use Basic authentication together with SSL, the user name and password are encrypted before they are sent.

You can use the Exchange Management Console and the Exchange Management Shell to configure certificate-based authentication for Exchange ActiveSync. You can choose to support certificate-based authentication as an alternative authentication method or you can require certificate-based authentication. After you have chosen an authentication method, you can configure your mobile device by installing the digital certificate file on the device.

Note

Not all devices support the installation of digital certificates in the trusted root certificate store. For more information about the trusted root certificate store and how to install digital certificates on Windows Mobile devices, see How to Install Root Certification Authority Certificates on a Windows Mobile-based Device.

Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

Procedure

To use the Exchange Management Console to configure certificate-based authentication for Exchange ActiveSync

  1. In the Exchange Management Console, expand Server Configuration, and then click Client Access.

  2. In the result pane, click the Exchange ActiveSync tab.

  3. Select the Microsoft-Server-ActiveSync virtual directory.

  4. In the action pane, under Microsoft-Server-ActiveSync, click Properties.

  5. Click the Authentication tab.

  6. Clear the check box next to Basic authentication (password is sent in clear text).

  7. Click Require client certificates. Alternatively, to allow but not require client certificate authentication, you can click Accept client certificates.

  8. Click Apply to save your changes, or click OK to save your changes and close the Microsoft-Server-ActiveSync properties dialog box.

To use the Exchange Management Shell to configure certificate-based authentication for Exchange ActiveSync

  • Run the following command:

    Set-ActiveSyncVirtualDirectory -Identity "ExchSrvr\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled:$false -ClientCertAuth:"Required"

For more information about syntax and parameters, see Set-ActiveSyncVirtualDirectory.
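To confirm the result of either procedure on every Client Access server, the check below flags any ActiveSync virtual directory that still has Basic authentication enabled or does not require client certificates. It is an added example, not part of the original topic or a Microsoft script. The helper names Test-EasCertAuth and New-SampleVdir and the CAS01 to CAS03 server names are hypothetical, and it assumes the output of Get-ActiveSyncVirtualDirectory exposes the BasicAuthEnabled and ClientCertAuth properties set by the command above.

```powershell
# Added example: flags ActiveSync virtual directories that do not match the
# configuration from this topic (Basic off, client certificates required).
function Test-EasCertAuth {                      # hypothetical helper name
    process {
        $vdir = $_                               # one virtual directory per pipeline item
        [string[]]$findings = @()
        if ($vdir.BasicAuthEnabled) {
            $findings += 'Basic authentication is still enabled'
        }
        # Compare as text so enum values and plain strings are handled alike.
        if ("$($vdir.ClientCertAuth)" -ne 'Required') {
            $findings += "ClientCertAuth is '$($vdir.ClientCertAuth)', not 'Required'"
        }
        $result = New-Object PSObject
        $result | Add-Member NoteProperty Identity  "$($vdir.Identity)"
        $result | Add-Member NoteProperty Compliant ($findings.Count -eq 0)
        $result | Add-Member NoteProperty Findings  ([string]::Join('; ', $findings))
        $result
    }
}

# Constructed sample objects (not real servers) so the check runs without Exchange.
function New-SampleVdir($Identity, $BasicAuthEnabled, $ClientCertAuth) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Identity         $Identity
    $o | Add-Member NoteProperty BasicAuthEnabled $BasicAuthEnabled
    $o | Add-Member NoteProperty ClientCertAuth   $ClientCertAuth
    $o
}

$samples = @(
    (New-SampleVdir 'CAS01\Microsoft-Server-ActiveSync (Default Web Site)' $false 'Required'),
    (New-SampleVdir 'CAS02\Microsoft-Server-ActiveSync (Default Web Site)' $true  'Ignore'),
    (New-SampleVdir 'CAS03\Microsoft-Server-ActiveSync (Default Web Site)' $false 'Accepted')
)

$samples | Test-EasCertAuth | Format-List

# Against a live organization, from the Exchange Management Shell:
#   Get-ActiveSyncVirtualDirectory | Test-EasCertAuth |
#       Where-Object { -not $_.Compliant } | Format-List
```

The CAS03 sample corresponds to the Accept client certificates option in step 7; it is reported because the check targets the Require client certificates setting.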

For More Information

For more information about certificate-based authentication for Exchange ActiveSync, see the following topics: