Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication

6/2/2010

Certificate-based authentication is an advanced security feature that can be used to meet more stringent security requirements. If SSL basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync.

This appendix outlines the requirements and process for deploying Exchange ActiveSync certificate-based authentication. Complete instructions and the deployment tool can be downloaded from the Tools for Exchange Server 2003 Web site at https://go.microsoft.com/fwlink/?linkid=55032.

Configuring the Firewall for Certificate-based Authentication

ISA Server 2006 has a new feature that can end the SSL connection from the mobile device, authenticate a client connection, and then use Kerberos constrained delegation to the Exchange Server 2003 SP2 front-end server. This is an improvement because traffic can be inspected at ISA and then passed to the Exchange 2003 front-end server for processing. Earlier versions of ISA Server required that SSL tunneling be set up. This made it necessary for the Exchange back-end server to end the SSL connection, authenticate the user, and process the request.

Software Requirements for Certificate-Based Authentication

The following is required for enabling Client Certificate-base Authentication for Windows Mobile 5.0 with MSFP and Exchange Server 2003 SP2:

  • Windows Server 2003 (running in Windows Server 2003 Domain Functional Level)
  • Windows Server 2003 Certification Authority running Web-based enrollment
  • Exchange Server 2003 SP2 (Front End and Mailbox Servers)
  • Windows XP SP2
  • Microsoft Desktop ActiveSync® version 4.1 or later. Download from The Add-ons for ActiveSync at https://go.microsoft.com/fwlink/?linkid=75423.
  • Windows Mobile 5.0 with Messaging and Security Feature Pack

Downloading the Certificate Enrollment Tool

The Exchange ActiveSync Certificate-based Authentication tool can be downloaded from the Tools for Exchange Server 2003 Web site at https://go.microsoft.com/fwlink/?linkid=55032, and consists of a folder that contains the following items:

  • EASAuthUploadXMLtoAD.vbs   The VBScript file that uploads the XML configuration file to Active Directory.
  • EASCertAuthSampleXML.xml   The sample XML configuration file.
  • Software license terms.rtf   Microsoft Software License Terms.
  • Cert_based_Auth.doc.doc   The user documentation (this file) for the tool.
  • RapiConfig.exe   A desktop configuration tool that enables the execution of provisioning XML on a Windows Mobile-based device or an emulator that is connected by using Exchange ActiveSync.
  • QryCertReg.xml   The XML file that is used as a parameter in RapiConfig.exe that indicates whether the mobile device is getting the configuration from Active Directory.

System Requirements for the Certificate Enrollment Tool

The following operating system and applications are required for the correct operation of the tool.

  • Windows 2000 Server SP4 or later versions or Window Server 2003 SP1 (recommended)

Important

There are problems when you try to run the Exchange ActiveSync Certificate-based Authentication tool in a non-English version of Windows Server 2003. For a description and workaround, see the Microsoft Knowledge Base article 927471, "The Exchange ActiveSync Certificate-based Authentication (EASAuthUploadXMLtoAD.vbs) tool returns an error when you use it in a non-English version of Windows Server 2003," at https://go.microsoft.com/fwlink/?linkid=3052&kbid=927471.

  • Microsoft Exchange Server 2003 Service Pack 2
  • Messaging and Security Feature Pack for Windows Mobile 5.0
  • Active Directory
  • Internet Information Services (IIS)
  • Microsoft Desktop ActiveSync 4.1 or a later version. Download from Windows Mobile Downloads and Programs at https://go.microsoft.com/fwlink/?linkid=37727
  • Windows certification authority (CA) running the Web-based enrollment feature

Steps to Enable Certificate-Based Authentication

To enable Certificate-based Authentication between a Windows Mobile 5.0 MSFP device and Exchange Server 2003 SP2, there are three core areas that must be configured.

  1. The Exchange Server 2003 SP2 front-end server to accept Certificate-based authentication for the Exchange ActiveSync virtual directory.
  2. Kerberos constrained delegation between Exchange Server 2003 SP2 front-end and back-end servers.
  3. Certificate enrollment XML in Active Directory.

If you have a firewall or reverse proxy, such as an ISA server, there are additional configuration steps required.

Configuring Exchange Server 2003 Front-End Server

Exchange ActiveSync in Exchange Server 2003 SP2 relies on the built-in authentication mechanism of IIS 6.0 for both Basic and Client Certificate-based authentication.

Follow these steps to enable Client Certificate-based authentication on the Exchange Server 2003 SP2 front-end server.

  • Configure secure communications with SSL

Note

We recommend that you use an SSL certificate issued from a well-known Certification Authority to avoid having to install the corresponding Trusted Root Certificate on the mobile device.

  • Configure the Exchange ActiveSync virtual directory to accept Client Certificate-based authentication

Configure Kerberos Constrained Delegation

You must configure Kerberos constrained delegation between the Exchange Server 2003 SP2 front-end and back-end servers.

Adding Service Principal Names

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. The Kerberos authentication service can use an SPN to authenticate a service. For Kerberos constrained delegation to work between the ISA 2006 server and the Exchange Server front-end and back-end environment, and between the Exchange Server front-end and back-end servers, additional SPN entries are required.

Configure Servers to be Trusted for Delegation

For Kerberos constrained delegation to work, the Computer object entries in Active Directory must be configured to be Trusted for Delegation. The Exchange front-end server must be able to delegate Kerberos tickets to the Exchange back-end server.

Note

If your topology will include Internet Security and Acceleration (ISA) Server 2006, you will also need to configure the ISA 2006 server to be able to delegate Kerberos tickets to the Exchange front-end server.

Configure Windows Mobile Certificate Enrollment

You will need to set up Active Directory to be able to process client certificate enrollment requests made by Windows Mobile 5.0 MSFP devices The steps include the following:

  • Configuring Active Directory with the relevant Windows Mobile Certificate enrollment information
  • Enrolling for a new client certificate by using Desktop ActiveSync.

Overview of Certificate Enrollment Configuration

The IT configuration steps and application actions involved in certificate enrollment are as described in the following table.

Task or activity What occurs Outcome

Use the certificate enrollment tool.

The administrator creates the device certificate enrollment configuration XML from the sample XML that is provided with the tool download. Then, the sample XML is uploaded to Active Directory using the Microsoft Visual Basic® Scripting Edition (VBScript) file that was provided with the tool download.

The device certificate enrollment XML that is customized for the users' IT environment is available in the correct Active Directory location. See "Uploading the XML to Active Directory," for more information.

Deploy Desktop ActiveSync 4.1 or later to user desktops.

Desktop ActiveSync 4.1 or later is installed on the user's corporate computer.

The user can cradle the device, thereby connecting it to the corporate network and enabling it to perform the certificate enrollment steps noted below.

Configure device.

The device is connected through Desktop ActiveSync 4.1 or later to the users' corporate desktop, to enroll.

The Desktop ActiveSync application downloads the configuration XML from Active Directory.

Desktop ActiveSync "pushes" the XML to the Windows-based mobile device over the USB Remote API (RAPI) connection.

During the setup of the device and desktop partnership, the user is prompted to enter his or her corporate username, password, and domain. To add these credentials to the device to enable enrollment, the Save the password check box must be selected.

Note:
After the enrollment has been attempted one time, the username, password, and domain information are purged from the memory of the device. These items are used only for one attempted enrollment.

The XML is processed into registry settings that you can use for the certificate enrollment operation.

Attempt at initial synchronization.

The device tries an initial server synchronization.

Synchronization fails.

This step occurs by design because the client tries to use Basic authentication password authentication. However, the server requires certificate authentication so it returns an HTTP 403 error to the device. The error indicates that a certificate is required for authentication.

Enroll certification.

The device initiates certificate enrollment using the saved Exchange ActiveSync username, password, and domain, combined with the certificate enrollment configuration.

A connection is made to the Windows Certificate Services Web server that is specified in the enrollment configuration.

Enrollment is processed using a Windows 2000 Server or a Windows Server 2003 certification authority (CA) that is running the Web-based enrollment feature.

Note:
If authentication fails because the password is incorrect, the user can retry, but he or she must enter the password on the device. If authentication fails because a bad username or domain was entered, the Exchange server settings on the mobile device must be deleted and then re-created.

Attempt at subsequent synchronization.

Receives the certification context from the Certificate Enrollment API. ActiveSync tries to re-authenticate to the Exchange front-end server that uses the returned certificate.

Certificate-based authentication continues to work after the certificate enrollment step has been processed.

The same process is used to enroll for a new certificate if the certificate is deleted or expires.