Using Certificates for Mobile Device Authentication


Topic Last Modified: 2008-02-14

Last month, we discussed using Secure Sockets Layer (SSL) to increase security for communications between your Microsoft Exchange ActiveSync clients and the computer that is running Microsoft Exchange. This month, we'll discuss an additional level of security: client authentication.

Authentication is the process by which a client and a server verify each other's identity before they exchange data. Encrypting communications with SSL wraps the data exchanged between the client and server in a layer of encryption to help protect it in transit, but encryption alone does not establish who is at the other end of the connection. In Microsoft Exchange Server 2007, authentication is used to determine whether a user or client that wants to communicate with the Exchange server is who or what it claims to be. With client certificates, you can also verify that a particular device was issued to a particular individual.

You can configure authentication on the Exchange ActiveSync virtual directory. This setting will control whether your client devices will use client certificates for authentication. By default, when you install the Client Access server role for Exchange 2007, the Exchange ActiveSync virtual directory is configured to use Basic authentication with SSL. You can change the authentication method by modifying the properties of the Exchange ActiveSync virtual directory. This article provides an overview of the different types of authentication and instructions for configuring the authentication method for the Exchange ActiveSync virtual directory. It will also provide instructions for configuring client certificates for authentication on your mobile devices.

This article covers three types of authentication for Exchange ActiveSync: Basic, certificate-based, and token-based. This section provides a brief overview of these authentication types.

Basic authentication is the simplest method of authentication. With Basic authentication, the server requests that the client submit a user name and password. The client sends them in a Base64-encoded header, which anyone who can observe the traffic can decode, so the credentials are effectively sent in clear text over the Internet to the server. The server verifies that the supplied user name and password are valid, and then grants access to the client. This is the default method of authentication for Exchange ActiveSync. We recommend that you use this method of authentication only when SSL is enabled, so that the credentials are protected by the encrypted connection. If you plan to disable SSL on the Exchange ActiveSync virtual directory, we recommend that you choose an alternative authentication method.

Certificate-based authentication uses a digital certificate to verify an identity. Certificate-based authentication provides another form of credentials, in addition to the user name and password, to prove the identity of the user who is trying to access the mailbox resources that are stored on the Exchange 2007 server. A digital certificate binds a public key to an identity and is signed by a certification authority (CA). The matching private key is stored on the device and never leaves it; the device proves possession of that key during the SSL handshake. The server does not hold a copy of the device's key. Instead, it checks that the certificate chains to a CA it trusts and maps the certificate to the user's Active Directory account.

If you configure Exchange 2007 to require certificate-based authentication for Exchange ActiveSync, only devices that meet the following criteria can synchronize with Exchange 2007:

  • The device has a valid client certificate installed that was created for user authentication.

  • The device has a trusted root certificate for the server to which it is connecting to establish the SSL connection.

When you deploy certificate-based authentication, you prevent users who have only a user name and password from synchronizing with Exchange 2007. As an additional level of security, the client certificate for authentication can be enrolled only while the device is connected to a domain-joined computer, through either Desktop ActiveSync 4.5 or a later version on Microsoft Windows XP or the Windows Mobile Device Center on Windows Vista, so a certificate cannot be obtained from outside the corporate network.
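The following script is an added example, not code from the original article. It checks a client certificate exported from a device against the two criteria listed above before you require certificates on the Exchange ActiveSync virtual directory: the certificate is valid and was issued for client (user) authentication, carries the user principal name that the server maps to the mailbox owner's Active Directory account, and chains to a root that the computer trusts. It assumes PowerShell 2.0 or later; the file path and UPN in the usage line are hypothetical inputs.

```powershell
# Added example, not part of the original article: check an exported client
# certificate (.cer) against the criteria above. Runs on any domain-joined
# computer with PowerShell 2.0 or later. The path and UPN at the bottom are
# hypothetical inputs.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (RFC 5280)

function Test-EasClientCertificate {
    param([string] $Path, [string] $ExpectedUpn)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $problems = @()

    # 1. The certificate must be inside its validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # 2. "Created for user authentication": the Enhanced Key Usage extension
    #    must list Client Authentication. A certificate with no EKU at all is
    #    valid for every purpose, so flag that too rather than accept it.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ekuExt) {
        $problems += 'no Enhanced Key Usage extension (certificate is not restricted to a purpose)'
    } else {
        $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension $ekuExt, $false
        if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku })) {
            $problems += 'Enhanced Key Usage does not include Client Authentication'
        }
    }

    # 3. The Subject Alternative Name must carry the user principal name that
    #    the server maps to the Active Directory account that owns the mailbox.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = ''
    if ($sanExt) { $sanText = $sanExt.Format($false) }
    if ($sanText -notmatch ([regex]::Escape($ExpectedUpn))) {
        $problems += "Subject Alternative Name does not contain $ExpectedUpn (SAN: '$sanText')"
    }

    # 4. The chain must build to a root this computer trusts, with revocation
    #    checked and Client Authentication as the application policy. This is
    #    the same validation the server performs when the device connects.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthEku)) | Out-Null
    if (-not $chain.Build($cert)) {
        $status = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain does not build to a trusted root: $status"
    }

    $result = New-Object PSObject
    $result | Add-Member NoteProperty Subject    $cert.Subject
    $result | Add-Member NoteProperty Issuer     $cert.Issuer
    $result | Add-Member NoteProperty Thumbprint $cert.Thumbprint
    $result | Add-Member NoteProperty Acceptable ($problems.Count -eq 0)
    $result | Add-Member NoteProperty Problems   $problems
    $result
}

# Hypothetical inputs: a certificate exported from the device and its owner's UPN.
Test-EasClientCertificate -Path 'C:\temp\device-cert.cer' -ExpectedUpn 'kim@contoso.com' | Format-List
```

Run the check on the computer you enroll from, which has the same trusted root store the device needs. A certificate that passes every check but reports a chain failure usually means the issuing CA's root has not been distributed to the device or the Client Access server yet.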

A token-based authentication system is a two-factor authentication system. Two-factor authentication is based on something the user knows, such as a password, and something the user has: an external device, usually in the form of a credit-card-sized token or a key fob, that the user carries. Each device has a unique serial number. In addition to hardware tokens, some vendors offer software-based tokens that can run on mobile devices.

Tokens work by displaying a unique number, typically six digits long, that changes every 60 seconds. When a token is issued to a user, it is registered with the server software, which then computes the same sequence of numbers from the same secret and clock. To authenticate, the user enters their user name, password, and the number that is currently displayed on the token. Some token-based authentication systems also require the user to enter a PIN.

Token-based authentication is a strong form of authentication. Its drawbacks are that you must install authentication software on the server and deploy the authentication software to every user's computer or mobile device, and that users might lose the external device, which is financially costly because you would have to replace it. However, the external device is useless to a third party without the original user's password and PIN. Several companies offer token-based authentication systems. For more information about these systems, including how to configure them, see the documentation for the particular system.
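As an added illustration of the mechanism described in the two preceding paragraphs (not code from the original article or from any token vendor), the following PowerShell shows how a time-synchronized token and its server arrive at the same six-digit number and how the server tolerates a small clock difference. It uses the open TOTP construction (RFC 6238: an HMAC-SHA1 over a time counter, here with the 60-second step and six digits the article describes); commercial token products use their own algorithms, so this demonstrates the principle, not any particular product. The shared seed and the time value are constructed sample inputs, and the script assumes PowerShell 2.0 or later.

```powershell
# Added example, not part of the original article: a time-synchronized token
# code (RFC 6238 TOTP with a 60-second step) and the server-side check with a
# drift window. The seed and timestamp below are constructed sample values.

function Get-TokenCode {
    param(
        [byte[]] $Secret,
        [long]   $UnixTime,
        [int]    $StepSeconds = 60,
        [int]    $Digits = 6
    )
    # Both the token and the server derive the same counter from the clock.
    $counter = [long][math]::Floor($UnixTime / $StepSeconds)

    # The counter is hashed as an 8-byte big-endian value.
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }

    $hmac = New-Object System.Security.Cryptography.HMACSHA1 (,$Secret)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation: the low nibble of the last byte selects 4 bytes,
    # whose top bit is cleared so the result is a positive 31-bit integer.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) * 16777216) +
              ([int]$hash[$offset + 1] * 65536) +
              ([int]$hash[$offset + 2] * 256) +
              [int]$hash[$offset + 3]

    $modulus = [int][math]::Pow(10, $Digits)
    ($binary % $modulus).ToString().PadLeft($Digits, '0')
}

function Test-TokenCode {
    # Server side: accept the current step and one step either side so that a
    # token whose clock has drifted slightly still authenticates. A wider
    # window makes guessing easier, so keep it small.
    param([byte[]] $Secret, [string] $Submitted, [long] $UnixTime, [int] $StepSeconds = 60)
    foreach ($skew in -1, 0, 1) {
        $candidate = Get-TokenCode -Secret $Secret -UnixTime ($UnixTime + $skew * $StepSeconds) -StepSeconds $StepSeconds
        if ($candidate -eq $Submitted) { return $true }
    }
    return $false
}

# Constructed sample: a 20-byte seed shared by token and server, and a fixed
# time (1200000000 = 2008-01-10 21:20:00 UTC) so the run is reproducible.
$seed = [byte[]](1..20)
$t = 1200000000
$code = Get-TokenCode -Secret $seed -UnixTime $t
"Token shows               : $code"
"Server accepts same step  : " + (Test-TokenCode -Secret $seed -Submitted $code -UnixTime $t)
"Server accepts 59 s later : " + (Test-TokenCode -Secret $seed -Submitted $code -UnixTime ($t + 59))
"Server rejects 3 min later: " + (-not (Test-TokenCode -Secret $seed -Submitted $code -UnixTime ($t + 180)))
```

The point to take from the drift window is that the server never receives the seed over the network; it only compares a code it computed itself with the code the user typed, and the code expires within a minute or two.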

To configure the Exchange ActiveSync virtual directory for certificate-based authentication, use one of the following procedures.

To use the Exchange Management Console to configure certificate-based authentication for Exchange ActiveSync
  1. Expand Server Configuration, and then click Client Access.

  2. In the result pane, click the Exchange ActiveSync tab.

  3. Select the Microsoft-Server-ActiveSync virtual directory.

  4. In the action pane, under Microsoft-Server-ActiveSync, click Properties.

  5. Click the Authentication tab.

  6. Clear the check box next to Basic authentication (password is sent in clear text).

  7. Click Require client certificates. Or, to allow but not require client certificate authentication, you can click Accept client certificates.

  8. Click Apply to save your changes, or click OK to save your changes and close the Microsoft-Server-ActiveSync properties dialog box.

To use the Exchange Management Shell to configure certificate-based authentication for Exchange ActiveSync
  • Run the following command:

    Set-ActiveSyncVirtualDirectory -Identity "ExchSrvr\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled $false -ClientCertAuth Required

For more information about syntax and parameters, see Set-ActiveSyncVirtualDirectory.
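The following script is an added example, not code from the original article. It performs the Exchange Management Shell procedure above as a function, reads the setting back to confirm that Basic authentication is off and client certificates are required, and then probes the endpoint from a client to confirm that a request without a certificate is refused while one with a certificate is accepted. It assumes PowerShell 2.0 or later, that the IIS prerequisites for mapping client certificates to Active Directory accounts are already in place on the Client Access server, and that the server name ExchSrvr, the external host name mail.contoso.com, and the PFX file are hypothetical.

```powershell
# Added example, not part of the original article: require client-certificate
# authentication on the Exchange ActiveSync virtual directory, verify the
# setting, and probe the endpoint with and without a certificate. Run in the
# Exchange Management Shell (PowerShell 2.0 or later). ExchSrvr,
# mail.contoso.com and the PFX path are hypothetical.

$VdirIdentity = 'ExchSrvr\Microsoft-Server-ActiveSync (Default Web Site)'

function Set-EasClientCertRequired {
    param([string] $Identity)
    # -ClientCertAuth accepts Ignore, Accepted or Required. With Basic
    # authentication disabled, a user name and password alone can no longer
    # synchronize; only a device presenting a mapped certificate can.
    Set-ActiveSyncVirtualDirectory -Identity $Identity -BasicAuthEnabled $false -ClientCertAuth Required

    # Read the directory back rather than trusting that the change applied.
    $vdir = Get-ActiveSyncVirtualDirectory -Identity $Identity
    if ($vdir.BasicAuthEnabled -or $vdir.ClientCertAuth -ne 'Required') {
        throw "Unexpected state: BasicAuthEnabled=$($vdir.BasicAuthEnabled) ClientCertAuth=$($vdir.ClientCertAuth)"
    }
    $vdir | Format-List Name, BasicAuthEnabled, WindowsAuthEnabled, ClientCertAuth, ExternalUrl
}

function Test-EasEndpoint {
    # Returns the HTTP status the server answers with for an OPTIONS request
    # to the ActiveSync virtual directory, optionally presenting a client
    # certificate loaded from a PFX file.
    param(
        [string] $HostName,
        [string] $PfxPath = $null,
        [string] $PfxPassword = ''
    )
    $request = [System.Net.HttpWebRequest]::Create("https://$HostName/Microsoft-Server-ActiveSync")
    $request.Method = 'OPTIONS'
    if ($PfxPath) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxPath, $PfxPassword
        $request.ClientCertificates.Add($cert) | Out-Null
    }
    try {
        $response = $request.GetResponse()
        $status = [int] $response.StatusCode
        $response.Close()
    } catch [System.Net.WebException] {
        # A 4xx answer surfaces as an exception that still carries the response.
        if ($_.Exception.Response) { $status = [int] $_.Exception.Response.StatusCode } else { throw }
    }
    return $status
}

Set-EasClientCertRequired -Identity $VdirIdentity

# Expected once the change is in effect: 403 without a certificate (IIS reports
# this as 403.7, client certificate required), and 200 with a certificate that
# the server can map to a mailbox-enabled account.
'No certificate  : {0}' -f (Test-EasEndpoint -HostName 'mail.contoso.com')
'With certificate: {0}' -f (Test-EasEndpoint -HostName 'mail.contoso.com' -PfxPath 'C:\temp\device.pfx' -PfxPassword 'P@ssw0rd')
```

If the probe without a certificate still returns 401 rather than 403, the virtual directory is still negotiating a password-based method and the change has not taken effect; if the probe with a certificate returns 401, the certificate was accepted by SSL but could not be mapped to an account, which points at the certificate's UPN or the server's certificate mapping rather than at the Exchange setting.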

To perform the following procedure on a Windows Mobile powered device, make sure that you have an ActiveSync connection between the device and a desktop or portable computer. In addition, the desktop or portable computer must be joined to the domain. For Windows XP computers, you will use Desktop ActiveSync to form this connection. For Windows Vista computers, you will use the Windows Mobile Device Center.

To use the desktop certificate enrollment tool, your device must be cradled to a computer that is logged on to the corporate network. The following procedure uses Desktop ActiveSync or the Windows Mobile Device Center to enroll for a certificate from a corporate server.

To use ActiveSync to enroll for a certificate from a corporate server
  1. With your device connected to your computer, within ActiveSync or the Windows Mobile Device Center, click Tools, Advanced Tools, and Get Device Certificates.

  2. From the View drop-down box, select Certificate types from Active Directory, and then click Enroll.

  3. Under Get Device Certificate, click Yes to continue.

  4. Your Windows Mobile 6.0 device will prompt you to confirm the installation process. Click Continue on the device.

  5. A second prompt may appear on the device. If this occurs, select Install.

  6. After you have seen the success dialog box at the end of the enrollment process, click OK on your computer, and then click Close.

There are various security features that you can implement for Exchange ActiveSync. Certificate-based authentication is one of those features. We recommend that you configure Exchange ActiveSync for either Basic authentication over SSL or certificate-based authentication. For more information about authentication and encryption options, see the following topics: