
Which ActiveSync authentication method is best for your mobile device?

14 May 2009 | SearchExchange.com


There are several ways to configure Exchange Server ActiveSync authentication to secure mobile devices, including basic authentication, certificate-based authentication and token-based authentication. In this tip, Microsoft Exchange Server expert Brien Posey summarizes these three ActiveSync authentication methods to help you decide which is best for your Exchange 2007 environment.

ActiveSync certificate-based authentication requires that the mobile device hold a copy of the trusted root certificate for the certificate authority (CA) that issued the SSL certificate used by the client access server (CAS). Basic authentication has the same requirement whenever SSL encryption is used.

Windows Mobile has a number of built-in trusted root certificates from various vendors. If the CAS is using an SSL certificate issued by a well-known CA, it's likely that the required trusted root certificate already exists on the device.

To check if the required root certificate is in place in Windows Mobile 6.1, click on Start and then choose Settings. This will open the mobile device's Control Panel. Go to the System tab and open the Certificates applet. The root tab lists all trusted root certificates, as shown in Figure 1.

Figure 1. In Windows Mobile 6.1, the Certificates applet's Root tab lists all trusted certificate authorities.

If you want to use ActiveSync basic authentication with SSL encryption, you will only need a root certificate. However, for certificate-based authentication you also need a valid client certificate that has been issued to the device. This certificate should have been created specifically for authentication purposes.

Because client certificates are used in the authentication process, there are a few installation steps you must follow to ensure device security. If you're using an internal enterprise certificate authority, note that Windows-based certificate authorities include a built-in website that clients can use to request certificates.

Prior to the release of Windows Server 2008, Windows Mobile clients could log on to https://<server name>/CertSrv and issue a certificate request. However, Windows Server 2008 certificate authorities block certificate requests from mobile devices.

Therefore, you must make a certificate request from a desktop or laptop. The issued certificate must then be manually copied to the mobile device's file system. Next, double-click on the certificate file to install it on the mobile device.

Two other requirements of certificate-based authentication include the following:

  • The computer issuing the certificate request must be a domain member.
  • The mobile device must communicate with the computer via Desktop ActiveSync 4.5 or later if Windows XP is being used, or via the Windows Vista Mobile Device Center.

ActiveSync token-based authentication

Token-based authentication is a two-factor authentication method. ActiveSync supports token-based authentication, but not out of the box. If you want to use token-based authentication on your Windows Mobile device, you must install special authentication software on the client access server. Depending on whether you're using hardware- or software-based authentication, you may have to install authentication software on the mobile device as well.

Token-based authentication combines a username and password with a user's access token. There are several different token-based authentication products on the market, but Exchange Server generally uses token software to generate a six-digit number every 60 seconds.

Each user is also issued a credit card-sized piece of hardware that generates the same six-digit number as the Exchange server. When a user logs in, he must enter his authentication credentials and this six-digit number.
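The following is an added illustration, not code from the article or from any token product, of how a token and a server can derive the same six-digit code every 60 seconds from a shared seed, and how the server checks it. The article does not name the algorithm, so the open RFC 6238 TOTP scheme is used as a stand-in; the seed, the timestamps and the `TokenVerifier` class are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP = 60     # seconds each code is valid for, as described in the article
DIGITS = 6    # six-digit code


def otp_at(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 60-second time-step counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Server side (hypothetical class): accepts each code once, allowing
    the token clock to be off by +/- `drift` time steps."""

    def __init__(self, seed: bytes, drift: int = 1):
        self.seed = seed
        self.drift = drift
        self.last_step = -1   # highest time step already accepted (replay guard)

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.drift, current + self.drift + 1):
            if step <= self.last_step:
                continue      # step already consumed: a replayed code is rejected
            expected = otp_at(self.seed, step * STEP)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False


# Constructed sample seed (the published RFC test key), shared by token and server.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    server = TokenVerifier(SEED)
    now = 70                                   # constructed timestamp, time step 1
    code = otp_at(SEED, now)                   # what the hardware token would display
    print(code, server.verify(code, now))      # accepted on first use
    print(code, server.verify(code, now + 5))  # same code replayed: rejected
```

The second factor only adds protection if the seed stays secret on both sides and the server refuses codes it has already accepted, which is why the verifier tracks the last consumed time step.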

Since Exchange Server ActiveSync won't work unless the user's credentials are stored in the mobile device, some token-based authentication providers offer software-based tokens for Windows Mobile devices. This software prevents an unauthorized mobile device from connecting to ActiveSync, even if the device has a valid set of authentication credentials.

About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
