Certificate Based Authentication (iOS) - initially connects fine then "The connection to the server failed"

I've set up certificate based authentication for activesync on Exchange 2013. We're using primarily iOS devices and that's all I'm testing with for now.

I apply the profile using Apple's iPhone Configuration Utility, install the profile on the phone and my mailbox syncs as expected. I can send and receive messages for a short time, somewhere between 2 and 5 minutes. After that I cannot get a connection again and get the message "The connection to the server failed." I am able to access the server through Safari so network connectivity is OK. The only way to regain a working activesync connection seems to be either rebooting the phone completely or instructing the iPhone to "Reset Network Settings" which also ends up rebooting the phone.

I have verified that "Include inheritable permissions from this object's parent" is selected in the user's AD security settings, which was the only item I have found that may relate to this error in my searching.

I did have certificate based auth working in my Exchange 2007/2010 environment and also in my Exchange 2013 test environment.

The Exchange Remote Connectivity Analyzer test for activesync fails but only because of the certificate auth which it doesn't seem to be set up to handle. Everything else passes.

May 31st, 2013 12:10pm

Did you try to create an activesync profile without using the iPhone Configuration Utility? Please try to do that, and also try another user account. Post results here.
June 3rd, 2013 7:50pm

Thanks for the reply Damir. I'm not sure I know how to configure an iDevice for certificate based auth without using the iPhone Configuration Utility. Information on certificate authentication is pretty sparse as it is and I have never seen any other method of getting a working configuration without using the utility, but I'll spend some time trying things out. I have tried multiple accounts and they all do the same thing.
June 3rd, 2013 8:05pm

Also, look at the Exchange server logs, and see if you have any errors or warnings there, related to users trying to connect from their iPhones.
June 4th, 2013 9:22am

Sorry for the delay. I have tried other user accounts and other physical devices with the same result. I still am not sure how to set up an iOS device for certificate authentication without using the Configuration Utility so I have not yet tried that. There are no errors or warnings in the event viewer when the client connection fails.

I just opened a MS support ticket and will report back if we get a solution.

June 7th, 2013 2:56pm

Success!  The IIS logs for the activesync site showed 413 errors after the initial connection.  Investigating that error code I found it was related to uploadreadaheadsize.  Most instructions for increasing that were for IIS6 but I found these steps to increase the value in IIS 8.  My ExchangeActiveSync directory was set to 0 so I updated it to 200000.  I'm not sure what an appropriate value might be but so far devices are connecting and staying connected.

How to set the uploadReadAheadSize in IIS 7.5
  1. Launch "Internet Information Services (IIS) Manager"
  2. Expand the Server field
  3. Expand Sites
  4. Select the site you want to make the modification for.
  5. In the Features section, double click "Configuration Editor"
  6. Under "Section" select: system.webServer>serverRuntime
  7. Modify the "uploadReadAheadSize" section
  8. Click Apply
  • Marked as answer by cjhaugen Friday, June 07, 2013 3:56 PM
June 7th, 2013 3:55pm
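
The diagnosis in the post above (requests succeed at first, then the IIS log for the ActiveSync site shows 413 responses) can be checked mechanically; the following is an added example, not part of the original thread. It assumes the W3C field set shown, the `/Microsoft-Server-ActiveSync` request path and a `DeviceId` query parameter, and the log lines are constructed sample data.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status cs-bytes
2013-06-07 14:01:10 OPTIONS /Microsoft-Server-ActiveSync/default.eas User=alice&DeviceId=DEV1&Cmd=OPTIONS alice 200 412
2013-06-07 14:01:12 POST /Microsoft-Server-ActiveSync/default.eas User=alice&DeviceId=DEV1&Cmd=FolderSync alice 200 655
2013-06-07 14:04:30 POST /Microsoft-Server-ActiveSync/default.eas User=alice&DeviceId=DEV1&Cmd=Sync - 413 52210
2013-06-07 14:04:41 POST /Microsoft-Server-ActiveSync/default.eas User=alice&DeviceId=DEV1&Cmd=Sync - 413 52210
2013-06-07 14:05:02 POST /Microsoft-Server-ActiveSync/default.eas User=bob&DeviceId=DEV2&Cmd=Ping bob 200 390
2013-06-07 14:05:09 GET /owa/ - carol 200 301
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def find_413_after_success(text, prefix="/microsoft-server-activesync"):
    """Per device: 413 responses logged after at least one 200 from that device."""
    seen_ok = set()
    hits = defaultdict(lambda: {"count": 0, "first": None, "max_bytes": 0})
    for row in parse_w3c(text):
        if not row["cs-uri-stem"].lower().startswith(prefix):
            continue
        dev = parse_qs(row["cs-uri-query"]).get("DeviceId", ["-"])[0]
        if row["sc-status"] == "200":
            seen_ok.add(dev)
        elif row["sc-status"] == "413" and dev in seen_ok:
            size = row.get("cs-bytes", "0")
            hit = hits[dev]
            hit["count"] += 1
            hit["first"] = hit["first"] or f'{row["date"]} {row["time"]}'
            hit["max_bytes"] = max(hit["max_bytes"], int(size) if size.isdigit() else 0)
    return dict(hits)

if __name__ == "__main__":
    for dev, hit in find_413_after_success(SAMPLE_LOG).items():
        print(dev, hit)
```

`max_bytes` is the largest logged request size (`cs-bytes`) that drew a 413, which is the figure to compare against the configured `uploadReadAheadSize`.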

FYI: This issue has been fixed in E2013 CU5 and certificate based authentication is now supported for EAS protocol users.

Cumulative Update 5 for Exchange Server 2013 (KB2936880)
http://www.microsoft.com/en-us/download/details.aspx?id=43103

Also, note that the appropriate value of uploadReadAheadSize attribute in web.config is 49152 (48 KB) which is set by default.

June 13th, 2014 4:39pm

Amir,

Can you point me at documentation on how to configure certificate based authentication? It seems lacking.

Joe

July 27th, 2015 4:21pm

It's been a long time since I've configured it but the source I used was primarily here

http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/configuring-certificate-based-authentication-exchange-2010-activesync-part2.html

July 27th, 2015 4:38pm

Thanks for the post.

But it's talking about 2010 as well, not Exchange 2013, with similar info to the EHLO blog.

We have the certs on the devices already, and renewals, CRL management etc. are managed by several security black boxes to control untrusted mobile devices.

The migration from 2003 to 2010 was simple, and we followed the EHLO post

http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync.aspx

But it's mentioned there that it's supported in Ex2013 CU5 (and I assume higher, I'm on Ex2013 CU8)

But no "supported documentation" on the configuration for Ex2013.

Joe


July 27th, 2015 4:55pm

This topic is archived. No further replies will be accepted.
