The administrator creates the device certificate enrollment configuration XML from the sample XML that is provided with the tool download. Then, the sample XML is uploaded to Active Directory using the Microsoft Visual Basic® Scripting Edition (VBScript) file that was provided with the tool download.
The device certificate enrollment XML that is customized for the users' IT environment is available in the correct Active Directory location. See "Uploading the XML to Active Directory," for more information.
Deploy Desktop ActiveSync 4.1 or later to user desktops.
Desktop ActiveSync 4.1 or later is installed on the user's corporate computer.
The user can cradle the device, thereby connecting it to the corporate network and enabling it to perform the certificate enrollment steps noted below.
The device is connected through Desktop ActiveSync 4.1 or later to the users' corporate desktop, to enroll.
The Desktop ActiveSync application downloads the configuration XML from Active Directory.
Desktop ActiveSync "pushes" the XML to the Windows-based mobile device over the USB Remote API (RAPI) connection.
During the setup of the device and desktop partnership, the user is prompted to enter his or her corporate username, password, and domain. To add these credentials to the device to enable enrollment, the Save the password check box must be selected.
After the enrollment has been attempted one time, the username, password, and domain information are purged from the memory of the device. These items are used only for one attempted enrollment.
The XML is processed into registry settings that you can use for the certificate enrollment operation.
Attempt at initial synchronization.
The device tries an initial server synchronization.
This step occurs by design because the client tries to use Basic authentication password authentication. However, the server requires certificate authentication so it returns an HTTP 403 error to the device. The error indicates that a certificate is required for authentication.
The device initiates certificate enrollment using the saved Exchange ActiveSync username, password, and domain, combined with the certificate enrollment configuration.
A connection is made to the Windows Certificate Services Web server that is specified in the enrollment configuration.
Enrollment is processed using a Windows 2000 Server or a Windows Server 2003 certification authority (CA) that is running the Web-based enrollment feature.
If authentication fails because the password is incorrect, the user can retry, but he or she must enter the password on the device. If authentication fails because a bad username or domain was entered, the Exchange server settings on the mobile device must be deleted and then re-created.
Attempt at subsequent synchronization.
Receives the certification context from the Certificate Enrollment API. ActiveSync tries to re-authenticate to the Exchange front-end server that uses the returned certificate.
Certificate-based authentication continues to work after the certificate enrollment step has been processed.
The same process is used to enroll for a new certificate if the certificate is deleted or expires.
Appendix B: Install and Configure an ISA Server 2004 Environment
This section discusses steps for deployment of Exchange Server 2003 SP2 mobile messaging in an ISA Server 2004 environment. During this part of the process, you will:
Set the ISA Server 2004 idle session timeout to 1800 seconds (30 minutes)
Increasing the timeout values maximizes performance of the direct push technology and optimizes device battery life.
Test OWA and Exchange ActiveSync.
If you plan to use Certificate Authentication with ISA Server 2004, you must use Server Publishing or tunneling to create your Exchange ActiveSync publishing rule. See the instructions in Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
If you have ISA Server 2000, see "Using ISA Server 2000 with Exchange Server 2003" at http://go.microsoft.com/fwlink/?LinkId=62670.
For more information about configuring an ISA 2000, see the following article in the Microsoft Knowledge Base: "How to publish an Exchange 2000 Server computer or an Exchange Server 2003 computer by using Internet Security and Acceleration (ISA) Server 2000." http://go.microsoft.com/fwlink/?LinkId=109205.