Certificate-Based Auth for ActiveSync not working
I have an Exchange 2003 environment and am in the process of migrating it to Exchange 2007. I have set up two CAS servers in NLB where I have enabled certificate-based authentication and configured AD to auto-enroll. I have also set up a test HT and MB server to test the functionality. I have one test mailbox on the 2007 MB server. I am publishing ActiveSync using an array of two ISA 2006 servers. The two CAS servers are configured as a farm. The internal name points to the NLB-FQDN. The web listener has SSL certificate-based authentication configured, the rule is set up for Kerberos Constrained Delegation (KCD), and authentication is enforced on the rule. For the KCD, I am using http/NLB-FQDN as the SPN, and I have added this SPN to both CAS servers. I am not sure if this is the right thing to do because I am creating a duplicate SPN, but I don't know of any other way to do it. I have also configured the computer account of both ISA servers for KCD for the above SPN.

When I connect my Mobile 6 device to my computer, ActiveSync works and actually installs a certificate, and the sync is successful. However, the problem is when I disconnect the device from my computer and use the wireless network. The device is supposed to connect through the ISA server. This is where I am not having much luck. The ISA server sees the client traffic and it even authenticates the user at the ISA server, but it denies the connection with the following message:

Denied Connection
ISASERVER01 5/13/2009 6:10:24 PM
Log type: Web Proxy (Reverse)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Exchange 2007 ActiveSync
Source: External (a.b.c.d)
Destination: (a1.b1.c1.d1:443)
Request: POST http://mail.domain.com/Microsoft-Server-ActiveSync?User=johndow&DeviceId=0365984D3ED53DC34E2C64D6E04FA5F2&DeviceType=PocketPC&Cmd=FolderSync
Filter information: Req ID: 0f60fba1; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: Domain\johndoe

The mobile device gives me an error that says that the Exchange server requires a user certificate and to obtain one from the domain. The certificate is there.

I have checked the firewall rules over and over. In fact, ActiveSync works fine with Basic Auth through the ISA server, so I know that the firewall rules are not the problem. I think the problem is with KCD, but I am not sure what it is. I have gone through many documents but there are no explanations for this.

Any help would be appreciated.

Thanks,
AK
May 14th, 2009 8:21am
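The post registers http/NLB-FQDN on both CAS computer accounts and asks whether the resulting duplicate SPN is a problem. An SPN must be unique in the forest, so a quick way to see what the KDC sees is to list every account that holds the SPN ISA delegates to. This is an added example, not from the post or from Microsoft; it uses plain ADSI so it runs on a 2003/2008 domain without the AD module, and "http/nlb.mail.domain.com" is a placeholder for the real NLB FQDN.

```powershell
# Added example (not from the original post): list every AD account that holds
# a given SPN, so a duplicate registration of the KCD target SPN is visible.
param(
    # Placeholder: replace with the SPN the ISA publishing rule delegates to.
    [string]$Spn = "http/nlb.mail.domain.com"
)

# Search the default naming context of the current domain via ADSI.
$root     = New-Object System.DirectoryServices.DirectoryEntry
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = "(servicePrincipalName=$Spn)"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("servicePrincipalName")

$holders = $searcher.FindAll()

Write-Host "Accounts holding SPN '$Spn': $($holders.Count)"
foreach ($h in $holders) {
    $name = $h.Properties["samaccountname"][0]
    $dn   = $h.Properties["distinguishedname"][0]
    Write-Host " - $name  ($dn)"
}

# Exactly one holder is the only state in which a KCD ticket for this SPN is
# guaranteed to be decryptable by the server that receives it.
if ($holders.Count -gt 1) {
    Write-Warning "Duplicate SPN: the KDC may encrypt the service ticket with either account's key, so delegation to '$Spn' is unreliable."
} elseif ($holders.Count -eq 0) {
    Write-Warning "SPN '$Spn' is not registered on any account, so delegation to it cannot succeed."
}
```

Run it on a domain-joined machine as a user who can read the directory; the same search with the ISA computer accounts' msDS-AllowedToDelegateTo attribute shows which SPNs they are actually permitted to delegate to.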
If you use Basic authentication with SSL, does it work? Please also refer to the following article to see if you've configured ISA properly.
Publishing Exchange 2007 OWA, Exchange ActiveSync and RPC/HTTP using the 2006 ISA Firewall
May 18th, 2009 5:52am