Deploying Exchange ActiveSync Certificate-Based Authentication

  • Question

  • Hi,

     

    We are running e-mail Direct Push from an Exchange 2003 Front End server in the internal Corp Net via ISA Server 2004 in the DMZ to Windows Mobile PDAs on the road through the Internet.  This is made with Basic authentication just with a built-in root CA certificate of a public CA.  I have a mission to strengthen security by implementing Client Certificate-based authentication.  We have a testing environment with the same version of Exchange 2003 FE and BE servers and ISA Server 2004.  We followed the document Cert_based_Auth.doc given under CertAuthTool and have completed configuration changes in Active Directory.  Client Certificate enrollment to a Windows Mobile PDA has been successfully done.  However, we get the error 0x80072f7d in ActiveSync over the Internet in the WM PDA.  The document we followed describes the ISA Server 2006 version, therefore we are not sure whether we can continue with the current version of ISA Server 2004 or not.  Would you please give any advice?

     

    Michiaki Sano

    December 3, 2008, 1:09 PM

Answers

  • From experience, the configuration of ISA 2006 and ISA 2004 publishing the Exchange server is similar. Your documents should be fine. The main point is the same: import the correct root cert. to the ISA server.

     

    Your problem seems to be related to cert or configuration issues. Please try to follow the KB below to test ActiveSync & review the ISA log.

    http://technet.microsoft.com/en-us/library/cc713316.aspx

     

     

    Also, WM devices do not support the wildcard cert.

    December 8, 2008, 2:36 AM
  • Hi Michiaki,

     

    As Billy mentioned, the publishing process is similar. The document should be OK. 0x80072f7d can be caused by a certificate issue. Please try to create a new certificate and try again.

     

    Windows Mobile 5.0 does not support the use of wildcard certificates for device-to-server authentication. This restriction applies to all communications, including Exchange ActiveSync. Windows Mobile 6 supports wildcard certificates.

     

    For more information:

     

    Certificates for Windows Mobile 5.0 and Windows Mobile 6

     

    http://www.microsoft.com/technet/solutionaccelerators/mobile/maintain/SecModel/bd8cc6b6-0038-4e56-b1d4-b7b9af9ea6ef.mspx?mfr=true

     

    If the issue persists: as the issue is complicated and needs more personal data collection, a forum may not be the best way to resolve this kind of problem. In order to resolve your issue more efficiently, I suggest contacting our CSS to submit a new case:

     

    http://support.microsoft.com/oas/default.aspx?acty=ProductList&ctl=productlist&wf=PID&trl=PID%7eProductList&c1=508&ln=en-hk&prid=6384&gprid=35177

     

    Thank you,

     

    Elvis

    December 8, 2008, 6:11 AM
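Both answers point at the certificate, and with reason: 0x80072f7d is WinINet's ERROR_INTERNET_SECURITY_CHANNEL_ERROR (12157), the generic "the secure channel could not be established" result, so the server cert presented by ISA, its chain, and its names are the first things to verify. The wildcard point is the one check that can be automated before a certificate ever reaches ISA. The script below is an added example, not code from this thread, from CertAuthTool or from any Microsoft tool: it walks a DER certificate with a minimal standard-library ASN.1 reader, pulls the subject CN and every subjectAltName dNSName, and reports any wildcard name (which a Windows Mobile 5.0 client would refuse). The sample certificate it inspects is constructed in-line and unsigned (dummy key and signature); `build_sample_cert` and the name `Constructed Test CA` are assumptions for the demo only. In practice you would feed it the DER of the certificate you intend to bind on the ISA listener.

```python
"""Added example (not from the thread): flag wildcard names in a certificate's
subject CN and subjectAltName before deploying it for Exchange ActiveSync,
since Windows Mobile 5.0 rejects wildcard certificates.  Standard library
only; a minimal DER walker stands in for a crypto library.  The sample
certificate is constructed here (unsigned, dummy key)."""

OID_COMMON_NAME = bytes.fromhex("550403")               # 2.5.4.3 commonName
OID_SUBJECT_ALT = bytes.fromhex("551d11")               # 2.5.29.17 subjectAltName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11 (sample only)

def _tlv(data, pos=0):
    """Decode one DER TLV (single-byte tags only); return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def certificate_names(der):
    """Return [(kind, name)] for the subject CN and every SAN dNSName."""
    _, cert, _ = _tlv(der)                              # Certificate ::= SEQUENCE
    tbs = next(_children(cert))[1]                      # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, spki, [uids], [3] extensions
    subject = fields[4][1]
    names = []
    for _, rdn in _children(subject):                   # RDN = SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            oid, value = [kid[1] for kid in _children(atv)]
            if oid == OID_COMMON_NAME:
                names.append(("CN", value.decode("utf-8")))
    for tag, wrapper in fields[6:]:
        if tag != 0xA3:                                 # [3] EXPLICIT Extensions
            continue
        for _, ext in _children(next(_children(wrapper))[1]):
            kids = list(_children(ext))                 # extnID, [critical], extnValue
            if kids[0][1] == OID_SUBJECT_ALT:
                _, general_names, _ = _tlv(kids[-1][1]) # OCTET STRING wraps GeneralNames
                for gtag, gval in _children(general_names):
                    if gtag == 0x82:                    # [2] dNSName
                        names.append(("DNS", gval.decode("ascii")))
    return names

def wildcard_names(der):
    """Names a Windows Mobile 5.0 client would refuse (any name containing '*')."""
    return [name for _, name in certificate_names(der) if "*" in name]

# --- constructed sample certificate (toy: no real key, no real signature) ---

def _enc(tag, payload):
    """Encode one DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_sample_cert(subject_cn, dns_names):
    """Build an unsigned but structurally valid X.509 v3 DER blob for testing."""
    def name(cn):
        atv = _enc(0x30, _enc(0x06, OID_COMMON_NAME) + _enc(0x0C, cn.encode()))
        return _enc(0x30, _enc(0x31, atv))
    alg = _enc(0x30, _enc(0x06, OID_SHA256_RSA) + _enc(0x05, b""))
    validity = _enc(0x30, _enc(0x17, b"081201000000Z") + _enc(0x17, b"091201000000Z"))
    spki = _enc(0x30, alg + _enc(0x03, b"\x00\x00"))                    # dummy key
    san = _enc(0x30, b"".join(_enc(0x82, d.encode()) for d in dns_names))
    ext = _enc(0x30, _enc(0x06, OID_SUBJECT_ALT) + _enc(0x04, san))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
               + alg + name("Constructed Test CA") + validity + name(subject_cn)
               + spki + _enc(0xA3, _enc(0x30, ext)))
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00\x00\x00\x00"))      # dummy signature

if __name__ == "__main__":
    for cn, sans in [("*.example.com", ["*.example.com"]),
                     ("mail.example.com", ["mail.example.com", "autodiscover.example.com"])]:
        bad = wildcard_names(build_sample_cert(cn, sans))
        print(cn, "->", "REJECTED by WM5 (wildcard): %s" % bad if bad else "ok for WM5")
```

The walker deliberately reads only the fields it needs and does no signature or chain validation; that part of the 0x80072f7d triage (is the issuing root present on the device, is the chain complete on the ISA listener) still has to be done against the real certificate store, for which the ISA log review Billy suggests is the right next step.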
  • Hi Elvis,

     

    0x80072f7d is caused by a certificate issue - thanks for clarification.

     

    Actually, I purchased a paid incident and I was advised to post a question here by an e-mail reply.  However, we noted later that my incident was not activated.  My colleague in the Hong Kong office called Microsoft and clarified this misunderstanding.  We have just started working with an Enterprise Messaging Support Engineer, APGC CSS, Microsoft.

     

    Thanks for advice!

     

    December 8, 2008, 10:20 AM

All Replies

  • Hi Billy,

     

    Thank you very much for your input!  The information you provided in the URL is helpful with its detailed explanation.  The testing environment was working with Basic Authentication, and ActiveSync with just the Root CA certificate is running in our production system today.  What we are trying to implement is Certificate-Based Authentication, which requires enrolling a device (client) certificate in each Windows Mobile PDA/Smartphone.  Yes, I will follow your advice that we should keep trying with the current ISA Server 2004 version.

    December 8, 2008, 10:06 AM