• Configuring the Firewall for Certificate-based Authentication
  • Software Requirements for Certificate-Based Authentication
  • Downloading the Certificate Enrollment Tool
  • System Requirements for the Certificate Enrollment Tool
  • Steps to Enable Certificate-Based Authentication
  • Configuring Exchange Server 2003 Front-End Server
  • Configure Kerberos Constrained Delegation
  • Configure Servers to be Trusted for Delegation
  • Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication





    Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication


    Certificate-based authentication is an advanced security feature that can be used to meet more stringent security requirements. If SSL basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync.

    This appendix outlines the requirements and process for deploying Exchange ActiveSync certificate-based authentication. Complete instructions and the deployment tool can be downloaded from the Tools for Exchange Server 2003 Web site at http://go.microsoft.com/fwlink/?linkid=55032.


    Configuring the Firewall for Certificate-based Authentication


    ISA Server 2006 has a new feature that can end the SSL connection from the mobile device, authenticate a client connection, and then use Kerberos constrained delegation to the Exchange Server 2003 SP2 front-end server. This is an improvement because traffic can be inspected at ISA and then passed to the Exchange 2003 front-end server for processing. Earlier versions of ISA Server required that SSL tunneling be set up. This made it necessary for the Exchange back-end server to end the SSL connection, authenticate the user, and process the request.

    Software Requirements for Certificate-Based Authentication


    The following is required for enabling Client Certificate-based Authentication for Windows Mobile 5.0 with MSFP and Exchange Server 2003 SP2:

    • Windows Server 2003 (running in Windows Server 2003 Domain Functional Level)

    • Windows Server 2003 Certification Authority running Web-based enrollment

    • Exchange Server 2003 SP2 (Front End and Mailbox Servers)

    • Windows XP SP2

    • Microsoft Desktop ActiveSync® version 4.1 or later. Download it from the Add-ons for ActiveSync page at http://go.microsoft.com/fwlink/?linkid=75423.

    • Windows Mobile 5.0 with Messaging and Security Feature Pack


    Downloading the Certificate Enrollment Tool


    The Exchange ActiveSync Certificate-based Authentication tool can be downloaded from the Tools for Exchange Server 2003 Web site at http://go.microsoft.com/fwlink/?linkid=55032, and consists of a folder that contains the following items:

    • EASAuthUploadXMLtoAD.vbs: The VBScript file that uploads the XML configuration file to Active Directory.

    • EASCertAuthSampleXML.xml: The sample XML configuration file.

    • Software license terms.rtf: Microsoft Software License Terms.

    • Cert_based_Auth.doc.doc: The user documentation (this file) for the tool.

    • RapiConfig.exe: A desktop configuration tool that enables the execution of provisioning XML on a Windows Mobile-based device or an emulator that is connected by using Exchange ActiveSync.

    • QryCertReg.xml: The XML file that is used as a parameter in RapiConfig.exe and that indicates whether the mobile device is getting its configuration from Active Directory.


    System Requirements for the Certificate Enrollment Tool


    The following operating system and applications are required for the correct operation of the tool.

    • Windows 2000 Server SP4 or later versions, or Windows Server 2003 SP1 (recommended)

    Important:

    There are problems when you try to run the Exchange ActiveSync Certificate-based Authentication tool in a non-English version of Windows Server 2003. For a description and workaround, see the Microsoft Knowledge Base article 927471, "The Exchange ActiveSync Certificate-based Authentication (EASAuthUploadXMLtoAD.vbs) tool returns an error when you use it in a non-English version of Windows Server 2003," at http://go.microsoft.com/fwlink/?linkid=3052&kbid=927471.



    • Microsoft Exchange Server 2003 Service Pack 2

    • Messaging and Security Feature Pack for Windows Mobile 5.0

    • Active Directory

    • Internet Information Services (IIS)

    • Microsoft Desktop ActiveSync 4.1 or a later version. Download it from Windows Mobile Downloads and Programs at http://go.microsoft.com/fwlink/?linkid=37727.

    • Windows certification authority (CA) running the Web-based enrollment feature


    Steps to Enable Certificate-Based Authentication


    To enable Certificate-based Authentication between a Windows Mobile 5.0 MSFP device and Exchange Server 2003 SP2, there are three core areas that must be configured:

      1. Configure the Exchange Server 2003 SP2 front-end server to accept Certificate-based authentication for the Exchange ActiveSync virtual directory.

      2. Configure Kerberos constrained delegation between the Exchange Server 2003 SP2 front-end and back-end servers.

      3. Store the certificate enrollment XML in Active Directory.


    If you have a firewall or reverse proxy, such as an ISA server, there are additional configuration steps required.

    Configuring Exchange Server 2003 Front-End Server


    Exchange ActiveSync in Exchange Server 2003 SP2 relies on the built-in authentication mechanism of IIS 6.0 for both Basic and Client Certificate-based authentication.

    Follow these steps to enable Client Certificate-based authentication on the Exchange Server 2003 SP2 front-end server.



    • Configure secure communications with SSL.

    Note:

    We recommend that you use an SSL certificate issued from a well-known Certification Authority to avoid having to install the corresponding Trusted Root Certificate on the mobile device.



    • Configure the Exchange ActiveSync virtual directory to accept Client Certificate-based authentication.
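    The following PowerShell script is an added example, not part of the Microsoft documentation or the tool: it reads the IIS 6.0 metabase through the ADSI provider and reports whether the Exchange ActiveSync virtual directory actually requires SSL and a client certificate after the two steps above. It assumes the default Web site (W3SVC/1) and the default virtual directory name Microsoft-Server-ActiveSync; change $VdirPath if your front-end server differs.

```powershell
# Added example (not from the Microsoft documentation): audit the SSL and
# client-certificate settings of the Exchange ActiveSync virtual directory on
# an Exchange 2003 front-end server via the IIS 6.0 ADSI provider. Assumes
# the default Web site (W3SVC/1) and the default directory name.

# IIS 6.0 metabase AccessSSLFlags bits
$AccessSSL              = 8      # require SSL for this path
$AccessSSLNegotiateCert = 32     # accept a client certificate if one is offered
$AccessSSLRequireCert   = 64     # reject connections that present no client certificate
$AccessSSLMapCert       = 128    # map the client certificate to a Windows account
$AccessSSL128           = 256    # require 128-bit encryption

function Get-EasSslFindings([int]$Flags) {
    # Returns one string per weakness in an AccessSSLFlags value; nothing
    # returned means the directory matches the certificate-based setup.
    $findings = @()
    if (-not ($Flags -band $AccessSSL)) {
        $findings += "SSL is not required; device credentials could be sent in clear text"
    }
    if (-not ($Flags -band $AccessSSL128)) {
        $findings += "128-bit encryption is not required"
    }
    if (-not ($Flags -band $AccessSSLRequireCert)) {
        if ($Flags -band $AccessSSLNegotiateCert) {
            $findings += "client certificates are accepted but not required, so devices without one still get in"
        } else {
            $findings += "client certificates are ignored entirely"
        }
    }
    if (-not ($Flags -band $AccessSSLMapCert)) {
        $findings += "certificate-to-account mapping is off; IIS cannot authenticate the device from its certificate"
    }
    return $findings
}

function Test-EasVirtualDirectory([string]$VdirPath = "IIS://localhost/W3SVC/1/ROOT/Microsoft-Server-ActiveSync") {
    $vdir     = [ADSI]$VdirPath
    $flags    = [int]$vdir.AccessSSLFlags.Value
    $findings = @(Get-EasSslFindings $flags)
    if ($findings.Count -eq 0) {
        Write-Output "$VdirPath : AccessSSLFlags=$flags; SSL and client certificates are required and mapped"
    } else {
        foreach ($f in $findings) { Write-Output "$VdirPath : WARNING - $f" }
    }
}

Test-EasVirtualDirectory
```

    Run it on the front-end server itself after changing the directory settings; every WARNING line names a flag that still allows a connection that does not carry a trusted client certificate.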

    Configure Kerberos Constrained Delegation


    You must configure Kerberos constrained delegation between the Exchange Server 2003 SP2 front-end and back-end servers.

    Adding Service Principal Names


    A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. The Kerberos authentication service can use an SPN to authenticate a service. For Kerberos constrained delegation to work between the ISA 2006 server and the Exchange Server front-end and back-end environment, and between the Exchange Server front-end and back-end servers, additional SPN entries are required.

    Configure Servers to be Trusted for Delegation


    For Kerberos constrained delegation to work, the Computer object entries in Active Directory must be configured to be Trusted for Delegation. The Exchange front-end server must be able to delegate Kerberos tickets to the Exchange back-end server.

    Note:

    If your topology will include Internet Security and Acceleration (ISA) Server 2006, you will also need to configure the ISA 2006 server to be able to delegate Kerberos tickets to the Exchange front-end server.
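    As an added example (not part of the Microsoft documentation or the tool), the PowerShell script below reports, for each computer account in the ISA / front-end / back-end chain, the SPNs registered on it, the services listed in msDS-AllowedToDelegateTo, and whether the account is configured for constrained delegation, for unconstrained delegation (broader than this appendix requires), or for none. The computer names are placeholders; it uses System.DirectoryServices directly so it needs no additional modules.

```powershell
# Added example (not from the Microsoft documentation): report the Kerberos
# delegation posture and SPNs of the computer accounts involved in the
# ISA -> Exchange front-end -> Exchange back-end hops. Computer names are
# placeholders; replace them with your own servers.
$Servers = @("EXFE01", "EXBE01", "ISA01")    # placeholder computer names

# userAccountControl bits that govern delegation
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: may delegate to any service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")

function Get-DelegationMode([int]$Uac, [int]$AllowedTargetCount) {
    # Classifies an account from its UAC bits and its msDS-AllowedToDelegateTo entries.
    if ($Uac -band $TRUSTED_FOR_DELEGATION) { return "Unconstrained" }
    if ($AllowedTargetCount -gt 0)          { return "Constrained" }
    return "None"
}

function Get-PropertyValues($Result, [string]$Name) {
    $values = $Result.Properties[$Name]          # $null when the attribute is not set
    if ($values -eq $null) { return @() }
    return @($values)
}

function Get-ComputerDelegationReport([string]$ComputerName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    foreach ($p in "serviceprincipalname", "msds-allowedtodelegateto", "useraccountcontrol") { [void]$searcher.PropertiesToLoad.Add($p) }
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Computer account '$ComputerName' not found in Active Directory" }
    $uac     = [int]$result.Properties["useraccountcontrol"][0]
    $targets = @(Get-PropertyValues $result "msds-allowedtodelegateto")
    $spns    = @(Get-PropertyValues $result "serviceprincipalname")
    New-Object PSObject -Property @{
        Computer              = $ComputerName
        DelegationMode        = Get-DelegationMode $uac $targets.Count
        ProtocolTransition    = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedToDelegateTo   = $targets
        ServicePrincipalNames = $spns
    }
}

foreach ($s in $Servers) {
    $r = Get-ComputerDelegationReport $s
    Write-Output ("{0}: delegation={1} protocolTransition={2}" -f $r.Computer, $r.DelegationMode, $r.ProtocolTransition)
    foreach ($t in $r.AllowedToDelegateTo)   { Write-Output "    may delegate to $t" }
    foreach ($n in $r.ServicePrincipalNames) { Write-Output "    SPN $n" }
    if ($r.DelegationMode -eq "Unconstrained") { Write-Output "    WARNING: unconstrained delegation is broader than the constrained setup this appendix describes" }
}
```

    For the front-end server the expected output is delegation=Constrained with the back-end server's service listed under "may delegate to"; a result of None means the Trusted for Delegation step has not been completed, and Unconstrained means the account can delegate to any service and should be tightened to the specific targets.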


