How to configure certificate authentication on mobile device with IIS7?
- Hi,
We have a CAS server on Windows 2008 and a mailbox server on Windows 2003. Previously we ran the CAS server on Windows 2003 and all worked fine. Now I am trying to set up IIS7 for certificate authentication, but without success. We set up SPNs and trust delegations, and on IIS7 we enabled AD client certificate authentication, request client certificate for /Microsoft-Server-ActiveSync, and enabled Windows authentication, but this is not working. Can anyone point to an article on how to configure IIS7 certificate authentication?
thanks.
Answers
Please refer to the resources below to configure CBA for Exchange ActiveSync:
How to Configure Certificate-Based Authentication for Exchange ActiveSync
Configuring ActiveSync authentication in Exchange Server 2007
Have you restarted the IIS Services?
To my knowledge, after CBA is configured, users are authenticated using the client certificate without other authentication methods like Basic, Digest, or Integrated Windows authentication. So, please clear the Integrated Windows authentication checkbox.
However, it does require “Client Certificate Mapping Authentication” on the CAS server; please enable it in IIS (Reference):
appcmd set config "Default Web Site/Microsoft-Server-ActiveSync" -section:clientCertificateMappingAuthentication /enabled:true
IISreset /noforce
You can also refer to this article on the Exchange team blog to set the “Client Certificate Mapping Authentication”.
- Marked As Answer by GhosC Wednesday, November 11, 2009 1:31 PM
All Replies
Any update?
- Thanks for the response.
I turned off Windows authentication. All other settings are already set up - nothing changes.
Maybe there is a problem with the SPNs? Now I have them set up as they were on the Windows 2003 server:
w3svc/servername.domain
w3svc/servername
http/servername.domain
http/servername
host/servername.domain
host/servername
delegate to:
host:MailboxServer
host:MailboxServer.domain
http:mailboxserver
http:mailboxserver.domain
- Please update the results after the SPN modification. So, client mapping authentication has already been enabled
James Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
- How's the issue?
James Luo
- There were 2 things: a missing CA certificate in the NTAuth store and something broken in the CAS installation. I reinstalled the CAS role, configured Server ActiveSync as you pointed me, and all works now! Thanks.
- Cool! Glad to help
James Luo
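A read-only check of the settings this thread turned on (Integrated Windows authentication cleared, client certificates negotiated, Client Certificate Mapping Authentication enabled, issuing CA present in the NTAuth store), as an added example that is not part of the original posts. The site path is the one from the answer; the CA thumbprint is a placeholder you must supply, and the script assumes an elevated PowerShell prompt on the CAS server.

```powershell
# Added diagnostic example (not from the thread). Changes nothing; only reads config.
param(
    [string]$Site         = 'Default Web Site/Microsoft-Server-ActiveSync',  # path used in the answer
    [string]$CaThumbprint = '<ISSUING-CA-SHA1-THUMBPRINT>'                   # placeholder: supply your own
)

$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$auth   = 'system.webServer/security/authentication'

function Get-Section([string]$Section) {
    # appcmd prints the effective configuration for the path as an XML fragment
    (& $appcmd list config $Site "-section:$Section" | Out-String)
}

function Report([string]$Name, [bool]$Ok) {
    $state = 'FAIL'
    if ($Ok) { $state = 'OK' }
    Write-Host ("[{0}] {1}" -f $state, $Name)
}

# 1. Client Certificate Mapping Authentication must be enabled on the vdir
$map = Get-Section "$auth/clientCertificateMappingAuthentication"
Report 'clientCertificateMappingAuthentication enabled' `
       ($map -match '<clientCertificateMappingAuthentication[^>]*enabled="true"')

# 2. Integrated Windows authentication should be cleared for CBA
$win = Get-Section "$auth/windowsAuthentication"
Report 'windowsAuthentication disabled' `
       (-not ($win -match '<windowsAuthentication[^>]*enabled="true"'))

# 3. The vdir must negotiate (accept or require) a client certificate over SSL
$access = Get-Section 'system.webServer/security/access'
Report 'sslFlags include SslNegotiateCert' ($access -match 'SslNegotiateCert')

# 4. The issuing CA must be in the enterprise NTAuth store, otherwise AD
#    certificate mapping rejects the client certificate. certutil prints the
#    SHA1 hash with or without spaces depending on the Windows version, so
#    whitespace is stripped from both sides before comparing.
$store = (& certutil.exe -enterprise -store NTAuth | Out-String) -replace '\s', ''
$want  = $CaThumbprint -replace '\s', ''
Report 'issuing CA present in NTAuth store' ($store -match [regex]::Escape($want))

# 5. SPNs registered on this server account, listed for manual comparison
#    with the w3svc/http/host entries quoted in the thread
& setspn.exe -L $env:COMPUTERNAME
```

If check 4 fails, the Microsoft-documented way to publish the CA certificate is `certutil -dspublish -f <ca-cert-file> NTAuthCA`, followed by a Group Policy refresh on the CAS server.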


