Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication
Certificate-based authentication is an advanced security feature that can be used to meet more stringent security requirements. If SSL basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync.
This appendix outlines the requirements and process for deploying Exchange ActiveSync certificate-based authentication. Complete instructions and the deployment tool can be downloaded from the Tools for Exchange Server 2003 Web site at http://go.microsoft.com/fwlink/?linkid=55032.
Configuring the Firewall for Certificate-based Authentication
ISA Server 2006 has a new feature that can end the SSL connection from the mobile device, authenticate a client connection, and then use Kerberos constrained delegation to the Exchange Server 2003 SP2 front-end server. This is an improvement because traffic can be inspected at ISA and then passed to the Exchange 2003 front-end server for processing. Earlier versions of ISA Server required that SSL tunneling be set up. This made it necessary for the Exchange back-end server to end the SSL connection, authenticate the user, and process the request.
Software Requirements for Certificate-Based Authentication
The following is required for enabling Client Certificate-based Authentication for Windows Mobile 5.0 with MSFP and Exchange Server 2003 SP2:
Windows Server 2003 (running in Windows Server 2003 Domain Functional Level)
Exchange Server 2003 SP2 (Front End and Mailbox Servers)
Windows XP SP2
Microsoft Desktop ActiveSync® version 4.1 or later. Download from the Add-ons for ActiveSync page at http://go.microsoft.com/fwlink/?linkid=75423.
Windows Mobile 5.0 with Messaging and Security Feature Pack
Downloading the Certificate Enrollment Tool
The Exchange ActiveSync Certificate-based Authentication tool can be downloaded from the Tools for Exchange Server 2003 Web site at http://go.microsoft.com/fwlink/?linkid=55032, and consists of a folder that contains the following items:
EASAuthUploadXMLtoAD.vbs: The VBScript file that uploads the XML configuration file to Active Directory.
EASCertAuthSampleXML.xml: The sample XML configuration file.
Software license terms.rtf: Microsoft Software License Terms.
Cert_based_Auth.doc.doc: The user documentation (this file) for the tool.
RapiConfig.exe: A desktop configuration tool that enables the execution of provisioning XML on a Windows Mobile-based device or an emulator that is connected by using Exchange ActiveSync.
QryCertReg.xml: The XML file that is used as a parameter in RapiConfig.exe that indicates whether the mobile device is getting the configuration from Active Directory.
System Requirements for the Certificate Enrollment Tool
The following operating system and applications are required for the correct operation of the tool.
Windows 2000 Server SP4 or later, or Windows Server 2003 SP1 (recommended)
There are problems when you try to run the Exchange ActiveSync Certificate-based Authentication tool in a non-English version of Windows Server 2003. For a description and workaround, see the Microsoft Knowledge Base article 927471, "The Exchange ActiveSync Certificate-based Authentication (EASAuthUploadXMLtoAD.vbs) tool returns an error when you use it in a non-English version of Windows Server 2003," at http://go.microsoft.com/fwlink/?linkid=3052&kbid=927471.
Microsoft Exchange Server 2003 Service Pack 2
Messaging and Security Feature Pack for Windows Mobile 5.0
Internet Information Services (IIS)
Microsoft Desktop ActiveSync 4.1 or a later version. Download from Windows Mobile Downloads and Programs at http://go.microsoft.com/fwlink/?linkid=37727.
Windows certification authority (CA) running the Web-based enrollment feature
Steps to Enable Certificate-Based Authentication
To enable Certificate-based Authentication between a Windows Mobile 5.0 MSFP device and Exchange Server 2003 SP2, there are three core areas that must be configured.
1. The Exchange Server 2003 SP2 front-end server, so that it accepts Certificate-based authentication for the Exchange ActiveSync virtual directory.
2. Kerberos constrained delegation between Exchange Server 2003 SP2 front-end and back-end servers.
3. Certificate enrollment XML in Active Directory.
If you have a firewall or reverse proxy, such as an ISA server, there are additional configuration steps required.
Configuring Exchange Server 2003 Front-End Server
Exchange ActiveSync in Exchange Server 2003 SP2 relies on the built-in authentication mechanism of IIS 6.0 for both Basic and Client Certificate-based authentication.
Follow these steps to enable Client Certificate-based authentication on the Exchange Server 2003 SP2 front-end server.
Configure secure communications with SSL
We recommend that you use an SSL certificate issued from a well-known Certification Authority to avoid having to install the corresponding Trusted Root Certificate on the mobile device.
Configure the Exchange ActiveSync virtual directory to accept Client Certificate-based authentication
Configure Kerberos Constrained Delegation
You must configure Kerberos constrained delegation between the Exchange Server 2003 SP2 front-end and back-end servers.
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. The Kerberos authentication service can use an SPN to authenticate a service. For Kerberos constrained delegation to work between the ISA 2006 server and the Exchange Server front-end and back-end environment, and between the Exchange Server front-end and back-end servers, additional SPN entries are required.
Configure Servers to be Trusted for Delegation
For Kerberos constrained delegation to work, the Computer object entries in Active Directory must be configured to be Trusted for Delegation. The Exchange front-end server must be able to delegate Kerberos tickets to the Exchange back-end server.
If your topology will include Internet Security and Acceleration (ISA) Server 2006, you will also need to configure the ISA 2006 server to be able to delegate Kerberos tickets to the Exchange front-end server.
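The delegation and SPN prerequisites described in this section can be verified against Active Directory before testing a device. The following PowerShell script is an added example and is not part of the Microsoft tool download; the computer account names and the expected SPN values are placeholders that you replace with the names used in your deployment.

```powershell
# Added verification script (not part of the Exchange ActiveSync Certificate-based Authentication tool).
# Placeholders: replace with the computer account names and SPNs used in your environment.
$FrontEnd  = 'EXCH-FE01'                       # placeholder: Exchange 2003 SP2 front-end server
$BackEnd   = 'EXCH-BE01'                       # placeholder: Exchange 2003 SP2 back-end (mailbox) server
$IsaServer = 'ISA01'                           # placeholder: ISA Server 2006 (omit if not deployed)
$BackEndSpn  = 'http/exch-be01.contoso.local'  # placeholder: SPN the front-end must delegate to
$FrontEndSpn = 'http/exch-fe01.contoso.local'  # placeholder: SPN the ISA server must delegate to

# Documented userAccountControl bits on the computer object.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation (broader than this deployment needs)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")

function Get-DelegationInfo {
    param([string]$Name)
    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + $root.defaultNamingContext)
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    [void]$searcher.PropertiesToLoad.AddRange(@('servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl'))
    $r = $searcher.FindOne()
    if ($r -eq $null) { throw "Computer account '$Name' was not found in Active Directory." }
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    New-Object PSObject -Property @{
        Name                = $Name
        SPNs                = @($r.Properties['serviceprincipalname'])
        AllowedToDelegateTo = @($r.Properties['msds-allowedtodelegateto'])   # constrained delegation targets
        Unconstrained       = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
        ProtocolTransition  = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
    }
}

function Test-Delegation {
    param([string]$Source, [string]$TargetSpn)
    $info = Get-DelegationInfo -Name $Source
    $ok = $info.AllowedToDelegateTo -contains $TargetSpn
    "{0}: delegation to {1} {2}" -f $Source, $TargetSpn, $(if ($ok) { 'OK' } else { 'MISSING' })
    if ($info.Unconstrained) { "  WARNING: $Source is trusted for unconstrained delegation; constrained delegation is expected." }
}

# The back-end server only needs its SPN registered; it does not delegate further.
$be = Get-DelegationInfo -Name $BackEnd
"{0}: SPN {1} {2}" -f $BackEnd, $BackEndSpn, $(if ($be.SPNs -contains $BackEndSpn) { 'registered' } else { 'NOT registered' })

Test-Delegation -Source $FrontEnd -TargetSpn $BackEndSpn
if ($IsaServer) { Test-Delegation -Source $IsaServer -TargetSpn $FrontEndSpn }
```

Run it as a domain user with read access to the computer objects; each line reports whether the SPN is registered or whether the delegation entry is present, and flags accounts that were configured for unconstrained rather than constrained delegation.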