Comments on The EXPTA {blog}: How to Securely Deploy iPhones with Exchange ActiveSync - Phase 6 - End-User Deployment of the ActiveSync Profile
Blog author: Jeff Guillet - @expta
Comments (newest first, as published in the comment feed, last updated 2024-03-27)

Comment by Lapiduse, 2012-10-04 03:32 (-07:00)

Hi Jeff,

Article is simply wonderful!
We have successfully set up certificate based authentication for Windows Mobile devices (TMG + Exchange 2010). But we cannot install the certificate on the iPad device with iCU. We installed iCU version 3.6.0.295 and don't see the Authentication Credential Name option in the Exchange ActiveSync configuration profile. Instead, there is an option Identity Certificate, but it is not active! Has anyone encountered a similar problem?

Alexey (IT administrator, Ukraine)

Comment by Dan, 2012-03-17 17:21 (-07:00)

OK I am happy to say I got this working with help from the mobilitydojo links above and also a crucial step from this site:

http://certcollection.org/forum/topic/108261-certificate-based-authentication-exchange-2010-windows-2008-r2-iis-75/

I did have to log in as each user to request a user certificate. I also duplicated the user certificate template and made the copy have a 5-year expiration (rather than 2 years for a traditional user cert). I have 30 users and it was a pain to get the certificates, but this is a new server/AD domain so I didn't have to hack anyone's passwords.

What makes it slick is using Mac OS X Lion Server's Profile Manager app, which pushes out the profile to authorized devices. The best part is I never have to enter the user's password anywhere--the user certificate does all of the authentication.

What I will do in the event of a lost device (after wiping it) is just revoke the user cert and re-issue a new one, step the user through exporting it and get it set back into Profile Manager.

If an employee leaves or is terminated then I will wipe their device, revoke the certificate and that's it.

I am still concerned though about BW's point about problems emailing attachments. Will need to do some research and testing of that scenario. But so far I am extremely pleased with how cool this is.

Thanks for the great tutorial Jeff--that gave me the inspiration to attempt this.

Comment by Dan, 2012-03-01 12:07 (-08:00)

BW and/or Jeff - can you expound on this notion to "deploy individual certs for each user" in order to avoid the need to have users enter their AD password on their iPhone every time the password expires?

We are a small business and have a fairly liberal password expiry policy (6 months), but even then without fail I get a number of calls every six months from users who complain that their iPhone stopped downloading e-mail. With iOS 5.01 (and maybe 5.0 too--not sure) there also seems to be a bug where when the AD password expires and is changed, the iPhone will pop up with the authentication dialog but will not accept the new password. Hitting OK or cancel on the dialog keeps bringing the dialog back up endlessly. The only way to resolve the issue is to power off the iPhone by holding the power button, powering back on, then the Exchange auth dialog comes back up and will accept the new password.

Basically, it's a royal PITA--I can't imagine the hassle involved with larger outfits that have even shorter expiry periods.

I was really excited to find this article as deploying user certificates _in lieu of_ passwords sounded like an ideal solution. With a secure deployment strategy, plus the ability to revoke the certificate if the employee is terminated or the phone is lost/stolen--it would still provide users secure access to their Exchange account without requiring them to constantly update their AD password on the device.

But after reading some of the comments on the various parts of this article, it now seems evident that the only thing this method accomplishes is restricting who can use ActiveSync in the first place. In other words, the certificate just allows you to get to the point where you can authenticate to EAS via user name and password--it doesn't eliminate the need to enter (and keep current) the user's AD password.

I've done some googling and haven't as of yet found any alternative to making non-tech-savvy users jump through hoops in order to keep syncing with ActiveSync when their AD password expires or is changed. One other issue we have is users who are out in the field and only have an iPhone--they don't have an office with a Windows PC they can use to change their expired password. So I have had to walk them through logging into OWA just to do it--then go through the rigmarole of changing it on their iPhone.

Aside from eliminating the password expiry policy altogether (which seems 100% contrary to every best practice I have seen) is there really no other solution here? Is there a really good argument to be made as to why MS doesn't seem to allow certificate-based authentication for EAS in lieu of user name/password? ActiveSync has been around for the better part of a decade now--its continued reliance on basic authentication is somewhat perplexing to me.

Anyone found any ways around this or happy mediums? I'm willing to try just about anything at this point.

Thanks!

It is a great walkthrough--just disappointed that it doesn't solve the problem I want solved :)

Comment by Anonymous (signed BW), 2012-01-24 08:00 (-08:00)

Juan,

you can deploy individual certs for each user and that will bypass the password change but there are other drawbacks to that - #1 they may not be able to email attachments.

#2 I have not found an automated method of deploying profiles with individual certificates.

and for Gino

you can email the configuration profile to people and they can just click on it to install it. I have done this many times, you just need to have some other email account on the phone already.

BW

Comment by Juan Carlos, 2012-01-18 03:22 (-08:00)

Hi Jeff,

2012 and your article is still very useful! Congratulations.

Our problem is with the passwords. We define an expiration time of 1 month for the users' passwords in AD. Each time the password expires and the user changes it, if they don't do the same on the iPhone/iPad (relatively fast) the account is locked because of the device's attempts to connect to Exchange.

Is there a way to avoid changing the password manually on the device once it has already been changed?

Thanks in advance.

Comment by Jeff Guillet - @expta, 2011-12-16 07:37 (-08:00)

Hi Gino,

You must deploy the certificate with ICU. That's the way that the iPhone will use that certificate with the Exchange ActiveSync profile.

You must deploy the CER file with the iPhone, the PFX file is for the ICU.

Comment by Gino DiCarlo (http://gdicarlo1.com), 2011-12-16 07:08 (-08:00)

Thank you for this Jeff.

Question. Is there a way to deploy the certificates to the phones without ICU? Just by sending it in an email? Also, do you use the .pfx cert for the client phones, or the .cer?

Thank you. Gino DiCarlo

Comment by Anonymous, 2011-11-08 13:24 (-08:00)

btw, I've tried it with iPhone Configuration Utility 3.4. Everything seems fine but the phone would not connect to Exchange at all even though all the profiles installed correctly.

I had to put 3.3 back, re-export the ActiveSync profile, etc. to make it work.

Anyone else experience this?

Comment by Jeff Guillet - @expta, 2011-10-28 13:56 (-07:00)

Sorry, I can't help you with Android devices. They all implement (or not) EAS differently. Basically, it should work as long as you have installed the client cert on the device and can configure your email settings to use that certificate. I'm not sure you can get Android to do that.

Comment by TheGeekCook, 2011-10-28 13:21 (-07:00)

Hi Jeff, thanks for the writeup, it works great.

I've tried to use the ActiveSyncUser.cer or pfx on an Android 2.2 device. The certificate was installed OK but ActiveSync won't work. Would you happen to know what to check?

All the iPhone users have no problem.

Comment by Anonymous, 2011-10-04 06:12 (-07:00)

If they do not accept the policy they will not be able to connect!

Comment by Anonymous, 2011-10-03 19:24 (-07:00)

Jeff, this looks very interesting. Does any reader know whether there is a way to use OTA deployment to deploy mandatory security policies to the iPad? Our IT department reported back to me that the user was always given a choice as to whether to accept the policy. Clearly, to enforce mandatory policy, the user should not be given a choice.

As we have only 20 devices, we do not wish the expense or overhead of a mobile management solution. We'd just like to work with the Microsoft IIS/Exchange/SharePoint infrastructure we've got.

Thanks.

Comment by Jeff Guillet - @expta, 2011-06-14 10:51 (-07:00)

Hi Jeff,

The Apple iPhone Configuration Utility requires that the user certificate includes the private key. There's no way around this in any current version of the utility.

Comment by Anonymous (signed Jeff), 2011-06-14 10:44 (-07:00)

We are interested in setting up EAS on iPhones using client certificates, however as a general rule we do not allow private keys to leave the device that generated them.

To get around this on our iPhones, we currently use SCEP to enroll certs directly on the devices for 802.11x access. Ideally, we'd like to use this cert that is already in the iPhone's certificate store for EAS as well. However, I'm having trouble finding a way to tell the iPhone to use that cert. Any suggestions?

Jeff

Comment by Anonymous (signed Rob), 2011-06-08 19:46 (-07:00)

Thanks Jeff for the useful articles.
I've managed to get most of this working, however I'm using Exchange 2010 and FTMG which has presented its own challenges. Configuring FTMG and Exchange 2010 for Kerberos Constrained Delegation doesn't get much time on the TechNet website. There is plenty of good info out there for ISA 2006 from TechNet and Thomas Schindler, but if anyone knows where to locate good info for FTMG, please let me know.

I get an error on my TMG saying "12302 The server denied the specified Uniform Resource Locator (URL)." The iPhone says it was unable to connect to the server.
As a test, I created a second listener and a publishing rule that uses this listener. They are configured to require SSL and client certs. Authentication delegation is set to Kerberos Constrained Delegation and the SPN is http/mymailserver.mydomain.com. The Test Rule button works. The listener uses a cert with my external DNS name (same cert used for OWA etc. which do work on a different listener), and authentication is set to SSL Client Certificate Authentication. If I click Advanced, only the SSL client certificate timeout checkbox is ticked. (If I check Require SSL client certificate, my ActiveSync connection fails and TMG logs say that the client needs a valid certificate, however I have put a cert in the config profile (with private key) and copied the same cert (without private key) to the user's AD account.)

If you have any ideas that you think may help, or if anyone knows of somewhere with instructions for TMG and Exchange 2010, I'd love to hear.

Cheers

Rob

Comment by Jeff Guillet - @expta, 2011-04-01 10:12 (-07:00)

Hi George and Kal,

Both of your questions are related. My earlier testing showed that the certificates need to be updated in AD and on the devices. That's why I recommend using certificates with very long expirations (5-10 years). Most people will update their phones before then.

Comment by Kal, 2011-04-01 10:05 (-07:00)

Hi Jeff,

One year on, still going OK. But I've noticed that our ActivesyncUser.cer cert expires on 15/05/2011!

What happens after then? Will we have to reconfigure all our devices?

Comment by Anonymous (signed George Thomas), 2011-03-31 23:38 (-07:00)

Hello Jeff: We have deployed your solution in production and it works very well. It is best to use a Standalone CA as ActiveSyncUser certificates are valid for one year, whereas certificates issued by an Enterprise CA are valid for 5 weeks.

What is your recommendation to deploy new certificates to iPhones when the certs expire? Should we have to go through the same installation process again?

Thanks for your great work!!
George Thomas/Melbourne/Australia

Comment by Anonymous (signed James Frost), 2011-03-01 16:45 (-08:00)

This is a great set of articles, and goes a long way to simplifying the complexity of configuring iOS devices with certificate auth.

However, I think it's fair to say I would never be comfortable implementing this solution in an enterprise where devices number in the 100s or 1,000s.

The process of requesting certificates is manual, plus you have to manage the private key (passwords) for these files so they can be integrated into iPCU. In addition, once the profile is deployed, you then have to manage the renewal of these certificates when the certificate expires (e.g. every 12 months or so). Recalling the entire fleet or managing the deployment of a new profile across thousands of machines would get tiresome fairly quickly.

In addition, you made mention of the reverse proxy scenarios.
It's worth pointing out you can do the authentication of the client certificates directly on the ISA/TMG servers (in the DMZ), but they need to be joined to the AD domain..... which a lot aren't.

Alternatively, you can proxy the auth request to the CAS servers on the internal network as you've suggested, but a lot of enterprises would prefer the entire authentication to take place in the DMZ... not on the internal network.

I like the solution at a high level. I'd just prefer a 3rd party offering that automates some of the manual steps.... and generally tidies it up. Does anyone know of one?

Regards,

James Frost.

Comment by Anonymous (signed George Thomas), 2011-01-10 23:52 (-08:00)

Hello Jeff,
Greetings from Melbourne, Australia. Thank you very much for your great article series. It was very useful and I could make it all work as you stated.

One other challenge for me is to connect the iPhone to our wireless network using NPS and certificate authentication. I have tried a lot but no win.

Any help/advice is much appreciated.
Thanks & regards
George Thomas
Email: george.thomas@bigpond.com

Comment by Morgan, 2010-12-02 22:21 (-08:00)

Hi Jeff,

Thank you for this awesome set of instructions.

However I'm still experiencing issues publishing Exchange 2007 SP2 ActiveSync with a TMG server in a DMZ (not on the Domain). I've set the Listener to require client certificates and set HTTP Authentication with Basic checked. The CAS box has Require client certificate checked and SSL enabled. It should work, but it isn't. Any chance of creating a Step 7 to fully explain this scenario?

Thanks.

Comment by Jeff Guillet - @expta, 2010-09-11 11:44 (-07:00)

OK, we know that EAS functions OK. Which version of Exchange are you running? Send me an email (jeff at expta dot com) and we'll take this offline.

Comment by Unknown, 2010-09-11 11:22 (-07:00)

Jeff,
The normal EAS configuration works fine when I turn off require client certificates on my CAS. I am able to retrieve my email on the iPhone without a problem. Now the only cert in use during this is one that I have from Verisign for SSL traffic. It is the one used for OWA for our webmail users in our environment. I do not have a reverse proxy like TMG or ISA. I only have a Cisco ASA as a firewall but if SSL is already allowed I don't see that being an issue. I am thinking it has to do with the cert somehow but I don't know what to look for. I followed everything you posted and everything seemed to work up until this point. Now I am stuck.

Comment by Jeff Guillet - @expta, 2010-09-10 17:48 (-07:00)

Sean, you need to troubleshoot where it's breaking. Does the normal EAS config work when client certs are not required? Are you using a reverse proxy, like TMG or ISA?

Comment by Unknown, 2010-09-10 15:16 (-07:00)

For the Exchange ActiveSync Host I have the FQDN of the Exchange Client Access Server, for example Servername.companyname.com. SSL is enabled. I have the user name in there along with the email address username@companyname.com and the password field is left blank. Under Authentication Credential Name I have my imported certificate, the one which requires you to enter the password you provided in (I believe) Phase 1, and of course the Include Authentication Credential Passphrase option checked. Am I missing anything here?