Configuring Certificate-Based Authentication for Exchange 2010 ActiveSync (Part 2)

If you would like to read the first part in this article series please go to Configuring Certificate-Based Authentication for Exchange 2010 ActiveSync (Part 1).

Introduction

In part one of this article, we configured our certificate authority to allow an Administrative user to request certificates on behalf of users, then configured ActiveSync on Exchange 2010 to accept certificate-based authentication from users.

Next, in this final part of the series, we’ll examine how to request and issue certificates on behalf of end-users, then look at how to configure two common mobile devices – iOS devices from Apple and Android devices using NitroDesk’s Touchdown for certificate-based authentication.

Issuing certificates for users

Before we can configure mobile devices for certificate based authentication, we need to enrol and issue certificates to end-users. A user can perform this task themselves, but using the Enrollment Agent certificate we created for our Administrative user in part one of this article, we can request the certificate from an administrative workstation ready to deploy to the device itself.

First, we’ll open up the Certificates MMC snap-in as used in part one of this article, from the same administrative workstation we used to request the Enrollment Agent certificate (or a workstation or server that’s had that certificate imported). Just to recap, we’ll open that MMC snap-in using the following steps:

• Open a blank MMC using Start>Run and entering mmc.exe
• From the file menu of the MMC, choose Add/Remove Snap-In
• Select Certificates from the list of Available Snap-Ins
• When prompted, select to manage certificates for the Current User.

Next, we’ll go ahead and request certificates on behalf of the end users we wish to deploy mobile devices that utilize certificate-based authentication for, using the Enrol On Behalf Of option in the Certificates snap-in:

Figure 1: Enrolling a certificate on behalf of a user

We’ll then be guided through the certificate enrolment wizard, choosing the following options:

• Select the Active Directory Enrollment Policy.
• Choose the Enrollment Agent Certificate that was issued to the Administrative user.
• Request a User certificate.
• Select the user you wish to request the certificate for.

After requesting certificates for the users we’re going to deploy certificate-based authentication for, we can then check in Active Directory to determine whether or not the certificate has been published to users. This is important to verify, as publishing the certificate ensures that the certificate is linked to the user correctly and will work for certificate-based authentication.

We can check this by navigating to Active Directory Users and Computers. Before we check the individual user, we’ll first switch on Advanced Features by selecting View>Advanced Features:

Figure 2: Viewing advanced options in ADUC

Next, we can examine the user account itself. On the Published Certificates tab, we should see the correct certificate listed:

Figure 3: Checking the user certificate is published in AD

If that certificate it listed, we should be good to go. If not, then the certificate can be imported from the Administrative workstation using the Add from Store option.

We can now move onto deploying the certificates to the end user devices. In the next two sections, we’ll look at how to deploy these to iOS and Android devices.

Deploying certificates to Apple iOS Devices

To make deployment of certificates to iOS devices straightforward, Apple make the iPhone Configuration Utility available to administrators. You can download the iPhone Configuration Utlity from here.

This tool can be used to create and manage Configuration Profiles which contain device settings for iOS devices (not just the iPhone). Configuration Profiles can contain settings for the following device settings:

• Passcode policies
• Device restrictions
• Wi-Fi settings
• VPN settings
• IMAP and POP email accounts
• ActiveSync accounts
• LDAP Directory Servers
• Internet Calendar servers and iCal subscriptions
• Homepage Web Links
• Certificate-based credentials
• Certificate enrolment and MDM server settings

For deployment, we’ve also got a number of options. In particular we have the ability to either create a generic profile for groups of users, or create a custom profile for individual users.

Configuration Proifles can be distributed either via Email, hosted on any web server, or deployed by connecting the device to an Administrative workstation. We’ll be creating an individual profile utilizing ActiveSync and Certificate settings for each user, and then deploying it by connecting the device to our workstation.

After downloading and installing the iPhone Confiugration Utility to the same administrative workstation that we’ve used to enrol certificates for users from, launch the utility and navigate to Configuration Profiles, then choose New:

Figure 4: Creating a new Configuration Profile

We’ll start with the General tab and enter in details including:

• The Name of the profile; for example the user’s email address.
• The Unique ID for the profile. Based on the example Apple show, you can use your domain name in reverse (for example org.msexchange or uk.co.exchangelabs) and then the user identity.
• Organization Name and friendly description of the profile.

Next, we’ll import and configure the end user’s certificate to use when authenticating to Exchange. Scroll down to the Credentials tab and choose Configure.

After choosing Configure, you’ll be able to import the end-user’s certificate to the Configuration Profile. During the process of importing the certificate, you’ll be prompted for a passphrase to use to export the certificate from Windows. Similar to exporting an SSL certificate from Exchange, you can enter an arbitrary password of your choosing here.

You’ll then enter that password into the iPhone Configuration Utility so that the certificate can be automatically installed onto the device, as shown below:

Figure 5: Importing credentials

Next, scroll up to Exchange ActiveSync. First, enter the Display name for the ActiveSync account, along with the Exchange server name (in our example certmail.exchangelabs.co.uk):

Figure 6: Configuring ActiveSync server settings

Then within the ActiveSync settings enter the user details, including email address, username (either the Domain and Username, or just the User Principal Name (UPN).

Leave the Password blank – as we’ll be using the certificate for authentication, rather than a password, and finally we’ll select the certificate we imported in the last step under Identity Certificate:

Figure 7: Selecting the Identity Certificate

After completing configuration of the Configuration Profile, it’s now time to install it onto the device. Connecting an iOS device to the Administrative workstation shows a Devices item with the name of the connected device displayed. After choosing the device, select the Configuration Profiles tab and choose to Install the appropriate configuration profile on the iOS device:

Figure 8: Deploying the configuration profile to a device

On the device itself, you’ll be prompted to install the Configuration Profile. You’ll see that the initial prompt to install the profile details what will be re-configured on the device; in this case Certificate and Exchange Account:

Figure 9: Installation of a configuration profile on an iOS device

As the profile is pre-configured, you’ll only be prompted for the password, which can be left blank. Upon completing the installing, check mail is successfully synchronised to the device.

Deploying certificates to Android Devices

To deploy certificate-based authentication to Android-based devices, a different approach is required. Due to the differences in implementation of ActiveSync across different mobile devices manufacturers, one approach for all devices isn’t possible using the built-in ActiveSync clients provided.

However, you can utilise a third-party ActiveSync client. This will allow for a consistent end user experience, and allow a single approach to be used for implementing certificate-based authentication to Android devices. Although others are available, we’ll look at Nitrodesk’s TouchDown ActiveSync client, which is available from the Google Play store or via the Nitrodesk website.

However before we launch TouchDown, it’s necessary to import the certificate onto the Android device. To accomplish this, we’ll first export the certificate using the Certificates snap-in, being sure to export the private key along with the certificate:

Figure 10: Exporting a certificate

After exporting, we’ll then hook up the Android device to the Administrative workstation and copy the certificate PFX file across:

Figure 11: Copying the certificate to an Android Device

After copying the certificate to the Android device, we’ll then launch TouchDown and perform the initial configuration steps:

Figure 12: Confiugring the user account and Exchange Server settings

As shown above, the following options are chosen:

• Configure your account
• Enter the email address for the end user, leaving the password blank.
• Complete the username and server name.

If you’ve created the iOS Configuration Profile in the last section, then you’ll see these steps are pretty similar – just like the iOS devices, we won’t need the password to connect to the server.

However before we complete the configuration, we’ll need to import the certificate into TouchDown itself and complete the configuration:

Figure 13: Importing the certificate and testing functionality

As you’ll see above, we’ll then choose the Client Certs option on the Security Settings page of the wizard. This will prompt us for the client certificate, which upon successful import will be removed from the location it was copied to. Finally, after the configuration is complete, check mail is successfully synchronised to the device.

Summary

In part two of this article, we’ve went through the practical steps to deploy certificate-based authentication onto two of the most common mobile devices in use today, iOS and Android.

We’ve seen that on an individual device basis, this configuration is relatively straightforward. For larger implementations the use of dedicated Mobile Device Management (MDM) solutions can help accelerate this, and the techniques demonstrated in this article, along with the server-side configuration we’ve completed in part one of this series provide a solid foundation.

If you would like to read the first part in this article series please go to Configuring Certificate-Based Authentication for Exchange 2010 ActiveSync (Part 1).