Configuring Authentication for Exchange ActiveSync
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2009-12-01
Authentication is the process by which a client and a server verify their identities for transmitting data. In Microsoft Exchange Server 2010, authentication is used to determine whether a user or client that wants to communicate with the Exchange server is who or what it says it is. You can use authentication to verify that a device belongs to a particular individual or that a particular individual is trying to sign in to Microsoft Office Outlook Web App.
When you install Exchange 2010 and the Client Access server role, virtual directories are configured for several services. These include Outlook Web App, the Availability service, Unified Messaging, and Microsoft Exchange ActiveSync. By default, each virtual directory is configured to use an authentication method. For Exchange ActiveSync, the virtual directory is configured to use Basic authentication and Secure Sockets Layer (SSL). You can change the authentication method for your Exchange ActiveSync server by changing the authentication method on the Exchange ActiveSync virtual directory.
This topic summarizes the authentication methods available for your Exchange ActiveSync server. For Exchange ActiveSync, the client is the physical device used to synchronize with the Exchange 2010 server.
Looking for management tasks related to Exchange ActiveSync? See Managing Exchange ActiveSync.
There are three primary types of authentication you can choose for Exchange ActiveSync: Basic authentication, certificate-based authentication, and token-based authentication. When you install the Client Access server role on a computer that's running Exchange 2010, Exchange ActiveSync is configured to use Basic authentication with SSL. To establish the SSL connection, certificate-based authentication requires a mobile device to have a valid client certificate installed that was created for user authentication. In addition, the mobile device must have a copy of the trusted root certificate from the server. If you choose token-based authentication, you'll have to work with the token vendor for configuration.
Basic authentication is the simplest method of authentication. With Basic authentication, the server requests that the client submit a user name and a password. That user name and password are sent in clear text over the Internet to the server. The server verifies that the supplied user name and password are valid and grants access to the client. By default, this kind of authentication is enabled for Exchange ActiveSync. However, we recommend that you disable Basic authentication unless you're also deploying SSL. When you're using Basic authentication over SSL, the user name and password are still sent in plain text, but the communication channel is encrypted.
Certificate-based authentication uses a digital certificate to verify an identity. Other credentials are provided, in addition to the user name and password. These prove the identity of the user who's trying to access the mailbox resources that are stored on the Exchange 2010 server. A digital certificate consists of two components: the private key that's stored on the device and the public key that's installed on the server. If you configure Exchange 2010 to require certificate-based authentication for Exchange ActiveSync, only devices that meet the following criteria can synchronize with Exchange 2010:
The device has a valid client certificate installed that was created for user authentication.
The device has a trusted root certificate for the server to which the user is connecting to establish the SSL connection.
Deploying certificate-based authentication prevents users who have only a user name and password from synchronizing with Exchange 2010. As an additional level of security, the client certificate for authentication can be installed only when the device is connected to a domain-joined computer through either Desktop ActiveSync 4.5 or a later version in Windows XP or the Windows Mobile Device Center in Windows Vista or Windows 7.
A token-based authentication system is a two-factor authentication system. Two-factor authentication is based on a piece of information the user knows, such as their password, and an external device that usually takes the form of a credit card or a key fob a user can carry with them. Each device has a unique serial number. In addition to hardware tokens, some vendors offer software-based tokens that can run on mobile devices.
Tokens work by displaying a unique number, typically six digits long, that changes every 60 seconds. When a token is issued to a user, it's synchronized with the server software. To authenticate, the user enters their user name, password, and the number that's currently displayed on the token. Some token-based authentication systems also require the user to enter a PIN.
Token-based authentication is a strong form of authentication. The disadvantage of token-based authentication is that you must install authentication server software and deploy the authentication software on every user's computer or mobile device. There's also the risk that the user can lose the external device. This can be financially costly because you'll need to replace lost external devices. However, the device is useless to a third party without the original user's authentication information.
Several companies issue token-based authentication systems. One company is RSA. Their product, SecurID, comes in many different forms, including a key fob and a credit card. A one-time authentication code is issued through the token. Each authentication code is valid for 60 seconds. Most tokens also have an expiration indicator on the device, for example, a series of dots that disappear as the length of time that the code has left decreases. This helps prevent a user from entering the correct code only to have it expire before the authentication process is complete. After authentication has finished, the user doesn't have to authenticate with a new code unless they're signed out, either by choice or because the device times out because of inactivity. For more information about how to configure a token-based authentication system, see the documentation for the particular system.