How to Securely Deploy iPhones with Exchange ActiveSync - Phase 2 - Configuring ActiveSync and Active Directory

Thursday, February 25, 2010
This is the third post in my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. To read an overview of the solution click here. In this phase, we will configure ActiveSync on the Exchange CAS and Mailbox servers and make the necessary changes in Active Directory.

Securing Exchange ActiveSync
Exchange ActiveSync is enabled by default for all Exchange users in a normal installation.  It can be disabled for select users using Active Directory Users and Computers (ADUC) for Exchange 2003 users or the Exchange 2007/2010 management tools for those mailbox users.

Since our solution requires that ActiveSync be available for only specific users, we could use a script that disables Activesync for all users who are not a member of an ActiveSync Users security group.  While this would work, it would be clumsy and new users could access ActiveSync until the script runs again.  It also wouldn't solve the requirement that only authorized devices can access ActiveSync.

In order to fulfill the requirements that only authorized users can access ActiveSync using authorized devices, we will configure ActiveSync to require user certificates.  The iPhones will receive a unique iPhone Configuration Profile that includes the user certificate we generated in Phase 1.  That profile can be loaded on one, and only one, iPhone.  More on that in a later phase.

Configuring Exchange ActiveSync
As mentioned earlier, ActiveSync is enabled by default in a normal Exchange installation.  It is configured by default to use only Basic authentication.  We need to configure the CAS servers to require user certificates.  This is only configured on the CAS servers, not the Mailbox servers.

To do this using the Exchange Management Console (EMC), expand Microsoft Exchange > Server Configuration > Client Access.  Select the Client Access Server to configure and click the Exchange ActiveSync tab in the work pane.  Double-click Microsoft-Server-ActiveSync to view its properties.  Click the Authentication tab and select Require client certificates, as shown below.

Repeat these steps for each CAS server.

To do the same thing using the Exchange Management Shell (EMS), use the following cmdlet to require client certificates for each CAS server:
Set-ActiveSyncVirtualDirectory -identity "CASservername\Microsoft-Server-ActiveSync (Default Web Site)" -ClientCertAuth Required
Finally, we need to make an adjustment to the uploadReadAheadSize value in the IIS metabase.  This is required when you use certificate-based authentication.  Run the following commands from a CMD prompt on the CAS server, replacing the value in quotes with the maximum message size (in bytes) allowed by your organization.

C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost

C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site" -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost
The commands above set uploadReadAheadSize to 10MB (the default is 48KB).  1024 * 1024 * 10 = 10MB.  You then need to restart the IISAdmin service to affect the change.

That's all there is to it. You may also want to configure Remote File Servers at this time, but I won't be covering that in this series.

A Note About Exchange 2003 Mailbox Servers
I mentioned in the introduction that this scenario has some Exchange 2003 mailbox servers, just to spice things up.  If you use Exchange 2007 or 2010 CAS servers to front-end ActiveSync for Exchange 2003 mailboxes, you need to configure ActiveSync on the Exchange 2003 mailbox servers to allow Integrated Windows Authentication.  This is because the Exchange 2007/2010 CAS servers use Kerberos pass-through authentication to the E2K3 mailbox servers.

The trouble is, you can't configure this using Exchange ESM and if you try to modify the Microsoft-Server-ActiveSync virtual directory in IIS Manager, the Exchange DS2MB process will overwrite your changes in a few minutes.  This is detailed on the Exchange Team blog here.

To overcome this, download and install Microsoft KB 937031.  The hotfix normally does not require a reboot, but will prompt for one if a scheduled reboot has been deferred.  This hotfix will enable the Authentication button on the Access tab of the Microsoft-Server-ActiveSync object.  This object is found in ESM under Servers > servername > Protocols > HTTP > Exchange Virtual Server > Microsoft-Server-ActiveSync.  Simply enable Basic authentication and Integrated Windows Authentication, as shown.

Configuring Active Directory
Now we need to configure Active Directory for the solution by creating the necessary user groups and publishing the self-signed CA Root certificate.
Create Security Groups
Create two universal security groups, ActiveSync Users and ActiveSync Admins.  Populate the groups with the appropriate users.  By using security groups, we can easily manage the solution using roles based security.
Configure Group Policy
Since our root CA is is not trusted by an external trusted CA like VeriSign or Entrust, we need to install the root certificate in the Trusted Root Certification Authorities certificate store on the Exchange CAS servers.  While we can do this manually using the Certificates MMC, I'm going to show you how to publish it to all computers in AD using Group Policy, which is my best practice.
Using appropriate credentials (usually Domain Admin), open the Group Policy Management Console (GPMC).  Edit the Default Domain Policy and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, as show below.

Right-click Trusted Root Certification Authorities and select Import.  Run through the Certificate Import Wizard to import the RootCA.cer certificate file we exported at the end of Phase 1.  Be sure to place the certificate in the Trusted Root Certification Authorities store.  You should now see the certificate in the Default Domain Policy.
After AD replication completes, logon to a CAS server and run GPUpdate to refresh Group Policy and import the root certificate.  Confirm that the certificate is installed using Internet Explorer.  Click Tools > Internet Options > Content > Certificates.  The root certificate should show under the Trusted Root Certification Authorities tab, as shown.


We have completed securing and configuring Exchange ActiveSync, and configured Active Directory by creating the necessary groups and importing the root certificate into the Default Domain Group Policy.


This concludes Phase 2 of my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. The next phase will cover how to publish the user certificates to user accounts who are members of the ActiveSync Users security group.

Other articles in this series:

18 comments:

  1. Hey Jeff,


    I hope you can fuinish the series in the next day or two because I've been looking at this exact same setup for a few weeks on and off and am banging my head around certificates part. I've made iPhone work with Exchange 2003 without certificates (username / password authentication) but want to get it done right :-)

    ReplyDelete
  2. Thanks, I'll try. I'm posting another phase this morning after I get another screenshot.

    ReplyDelete
  3. Hi Jeff,

    After importing certificate as described and publishing it through GP, the certificate ends up in my Trusted Root certification authorities store rather than Intermediate store - is this an error / typo in the article? In first step we import into Trusted store, and that's where it should end up on client IE?

    ReplyDelete
  4. Good catch, that was a typo. I've corrected the article above. Thanks!

    ReplyDelete
  5. Jeff do we need to enable one to one client mapping and •Enable IIS Client Certificate Mapping authentication for the server to get this working.

    ReplyDelete
  6. Jeff do we need to enable one to one client mapping and •Enable IIS Client Certificate Mapping authentication for the server to get this working.

    ReplyDelete
  7. No need to do one-to-one client mapping or enable IIS client certificate mapping. The clients can connect simply by virtue of having a client user certificate installed on the iPhone.

    ReplyDelete
  8. Hi Jeff,

    Thanks for the reply.Which certificate should we use use for https binding on the server for Active Sync.Right now I am using mydomain.com SSL certificate.

    ReplyDelete
  9. Thanks a lot for such quick reply.Your blog is best implementation for certificate based authentication on iphone.

    I published the client certificate for the user in Active Directory as mentioned in your blog and then built the profile.When I install this profile on the phone its not able to validate and keeps on giving error.When I checked the iphone console it says that https://mail.mydomain.com/microsoft-server-activesync requires a client certificate.I think somehow the client certificate I am sending is not getting authenticated by server.Any help will be highly appreciated.

    .

    ReplyDelete
  10. It sounds like the client certificate with the private key is not included or bound to the iPhone icu profile.

    ReplyDelete
  11. I have rechecked everything and I am including the client certificate in the profile.
    I published the certificate to AD without using the script by clicking on certificate file and adding it to user account.Is that something that may be causing issues.Sorry for such basic question but I am new to this field.

    ReplyDelete
  12. Hi,

    I create profile ActiveSync with client certificate with ICU and install directly on my iPhone IOS4.

    Certificate client is good because when y use Safari to connect to OWA I am correctly authenticating with my certificate user account.

    But when I use ActiveSync it's like my certificate does't exists. In IIS Log I see connexion without certificate.

    Have you any suggession ?

    Thanks for this acticles.

    ReplyDelete
  13. I found my problem.

    I make profil configuration with MacBook Pro and all is OK.

    When i look in config files, it seems that P12 saved in XML by windows version of config utility is not correct.

    I try to copy P12 form config file Apple version to Windows version generated file and all is OK.

    If that can help.

    ReplyDelete
  14. Hi Jeff,

    in your article about securely deploying iphones, you say that you were able to deploy actvesync with exchange 2003.

    I am using Forefront TMG, Exch 2010 CAS, and Exch 2003 mailbox servers and I just cannot get this to work when using client certificates - any suggestions?

    We have deployed the hotfix KB930731 on the 200 mailbox servers. User can connect using iphones when we use a server certificate.

    But it totally stops working if we use client certificates.

    regards

    Crik Gellinco

    ReplyDelete
  15. Crik, there's a lot of moving pieces in your environment and a lot depends on how you have TMG and interop configured. Are clients authenticated by TMG or the 2010 CAS? Are 2003 users redirected to 2003 front-ends?

    ReplyDelete
  16. Is having port 433 for 'anyone' on the firewall a risk? Is there a way to restrict access via 443 to certain IPs?

    ReplyDelete
    Replies
    1. EVERYTHING has risk, but this is a risk that most companies accept. You can restrict that traffic from certain IPs, but you never know what IP address your clients are coming from.

      Delete

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.