Home

Demystifying Certificate Based Authentication with ActiveSync in Exchange 2013 and 2016 (On-Premises

%3CLINGO-SUB%20id%3D%22lingo-sub-68049%22%20slang%3D%22en-US%22%3EDemystifying%20Certificate%20Based%20Authentication%20with%20ActiveSync%20in%20Exchange%202013%20and%202016%20(On-Premises%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-68049%22%20slang%3D%22en-US%22%3E%3CP%3ESome%20of%20the%20more%20complicated%20support%20calls%20we%20see%20are%20related%20to%20Certificate%20Based%20Authentication%20(CBA)%20with%20ActiveSync.%20This%20post%20is%20intended%20to%20provide%20some%20clarifications%20of%20this%20topic%20and%20give%20you%20troubleshooting%20tips.%3CBR%20%2F%3EWhat%20is%20Certificate%20Based%20Authentication%20(CBA)%3F%20Instead%20of%20using%20Basic%20or%20WIA%20(Windows%20Integrated%20Authentication)%2C%20the%20device%20will%20have%20a%20client%20(user)%20certificate%20installed%2C%20which%20will%20be%20used%20for%20authentication.%20The%20user%20will%20no%20longer%20have%20to%20save%20a%20password%20to%20authenticate%20with%20Exchange.%20This%20is%20not%20related%20to%20using%20SSL%20to%20connect%20to%20the%20server%20as%20we%20assume%20that%20you%20already%20have%20SSL%20setup.%20Also%2C%20just%20to%20be%20clear%20(as%20some%20people%20have%20those%20things%20confused)%20CBA%20is%20%3CI%3Enot%3C%2FI%3E%20two-factor%20authentication%20(2FA).%3C%2FP%3E%0A%3CP%3EHow%20does%20the%20client%20certificate%20get%20installed%20on%20the%20device%3F%20There%E2%80%99s%20several%20MDM%20(Mobile%20Device%20Management)%20solutions%20to%20install%20the%20client%20certificate%20on%20the%20device.%3C%2FP%3E%0A%3CP%3EThe%20most%20important%20part%20of%20working%20with%20CBA%20is%20to%20know%20where%20the%20client%20certificate%20will%20be%20accepted%20(or%20%E2%80%98terminated%E2%80%99).%20How%20you%20implement%20CBA%20will%20depend%20on%20the%20response%20to%20following%20questions%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EWill%20Exchange%20server%20be%20accepting%20the%20client%20certificate%3F%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EWill%20an%20MDM%20or%20other%20device%20using%20Kerberos%20Constrained%20Delegation%20(KCD)%20be%20accepting%20the%20client%20certificate%3F%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELearn%20more%20on%20the%20Exchange%20%3CA%20title%3D%22Exchange%20Blog%22%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fexchange%2F2017%2F05%2F05%2Fdemystifying-certificate-based-authentication-with-activesync-in-exchange-2013-and-2016-on-premises%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Eblog%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-68049%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2013%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3E2016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Michael Holste
Microsoft

Some of the more complicated support calls we see are related to Certificate Based Authentication (CBA) with ActiveSync. This post is intended to provide some clarifications of this topic and give you troubleshooting tips.
What is Certificate Based Authentication (CBA)? Instead of using Basic or WIA (Windows Integrated Authentication), the device will have a client (user) certificate installed, which will be used for authentication. The user will no longer have to save a password to authenticate with Exchange. This is not related to using SSL to connect to the server as we assume that you already have SSL setup. Also, just to be clear (as some people have those things confused) CBA is not two-factor authentication (2FA).

How does the client certificate get installed on the device? There’s several MDM (Mobile Device Management) solutions to install the client certificate on the device.

The most important part of working with CBA is to know where the client certificate will be accepted (or ‘terminated’). How you implement CBA will depend on the response to following questions:

 

  • Will Exchange server be accepting the client certificate?
  • Will an MDM or other device using Kerberos Constrained Delegation (KCD) be accepting the client certificate?

 

Learn more on the Exchange blog