ActiveSync authentication is a process in which a mobile device and the Exchange 2007 Client Access Server confirm
each other's identities. Confirmation takes place in different ways, depending on how ActiveSync has been configured. In this tip from Microsoft Exchange Server expert Brien Posey, you'll learn how to configure an ActiveSync authentication method and get information on two types of ActiveSync authentication available in Exchange 2007 SP1 -- basic and certificate-based authentication.
When you install the Client Access Server (CAS) role, Exchange Server creates different IIS virtual directories. Authentication is configured separately for each directory. To configure the ActiveSync authentication method, open the IIS Manager and navigate through the console tree to: <Your server> (Local Computer) -> Web Sites -> Default Web Site -> Microsoft Server ActiveSync (Figure 1).
Figure 1. Exchange creates different IIS virtual directories.
Right-click on the Microsoft Server ActiveSync virtual directory and choose Properties from the menu. This takes you to the virtual directory's properties sheet. Select the Directory Security tab and click on Edit in the Authentication and Access Control section. You will see the Authentication Methods dialog box (Figure 2).
Figure 2. Control ActiveSync authentication methods in the Authentication Methods dialog box.
Basic ActiveSync authentication
By default, Exchange is configured to use basic authentication for ActiveSync. This is the simplest authentication method, but it is suitable for most ActiveSync deployments.
Basic authentication is based on usernames and passwords. The Client Access Server prompts a user to enter a username and password. When the mobile device is initially configured for use with ActiveSync, a user's credentials are stored. ActiveSync won't work if you don't save the credentials on the mobile device. The mobile device then transmits these credentials to the CAS, which verifies the credentials and grants the user access to the virtual directory.
Basic authentication uses clear text when transmitting usernames and passwords. If basic authentication is used by itself, sending passwords in clear text would be a huge security risk.
Note: Microsoft recommends using SSL encryption in conjunction with basic authentication. While SSL encryption doesn't prevent passwords from being sent as clear text, it does encrypt the password while in transit.
ActiveSync certificate-based authentication
ActiveSync certificate-based authentication is similar to basic authentication, but instead uses a digital certificate to confirm a user's identity. Requiring certificate-based authentication prevents users who only have a username and password from using ActiveSync.
There are two types of certificates that must be issued to the mobile device for certificate-based authentication to work.
- The device must have a trusted root certificate, which allows the mobile device to trust the CAS's certificate.
The CAS uses a certificate, which must come from a certificate authority (CA), to enable SSL encryption. Some organizations use commercial CAs such as VeriSign or Thawte. Organizations can configure their own Windows server to act as an enterprise CA. The organization would then use that server to issue an X.509 certificate to the CAS.
More on Exchange ActiveSync: Using ActiveSync without a front-end Exchange server
Forms-based authentication errors with OMA and ActiveSync
How to solve common ActiveSync error messages
- An X.509 certificate can be used to facilitate SSL encryption.
Note: An X.509 certificate is a type of certificate that can be used to facilitate SSL encryption.
Regardless of where the X.509 certificate comes from, the client will not trust your CAS unless it trusts the certificate authority that issued the X.509 certificate. By installing a trusted root certificate from the CA onto the mobile device, the device will trust both the CA and the CAS.
About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
Do you have comments on this tip? Let us know.
Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.