Has anyone gotten Certauth working through an SA appliance with Windows Phone 7? We currently service iOS and Android with our unit. I am not able to get a Windows Phone to work. I have an sa4500 running 7.1r5 code. I'm pointing my signin url to a vip for the Exchange 2010sp1 cluster (3 servers). I've seen folks give explicit instructions for configuring the client and server.
http://mobilitydojo.net/2010/05/20/securing-exchange-activesync-with-client-certificates-wan-access/
My config is mostly the same. The main difference though is that these instructions always use a MS Forefront server as the RP. I'm of course not. Additionally, in the config of the Forefront server, the instructions detail configuring Constrained Delegation to the Forefront AD object. This is to allow the Forefront server to use the cert to auth to the Outlook Frontend Server. The SA doesn't have any documentation for a similar capability and instead forwards the authentication to the Frontend Server and then passes the response. I'm wondering if this is my issue. Windows Phone 7 is the only client I've heard of that can use client certs to not only auth to the ReverseProxy, but all the way through to Exchange.
We had EAS working with Exchange 2007 with our Mag 4610s running 7.1. We did back it off due to other issues, but we had two devices that were syncing successfully.
Thanks for the reply. Just to be certain, were you using client certificates on the devices and enforcing certificates in the SA's configuration? I just don't get why multiple other platforms work and Windows Phone doesn't. Certs imported clean, they just are not used. One site mentioned having to trust the root and intermediate cert through the web browser, but the email dialogs looked just like the web browser import dialog. Both showed successful. Of course, in the goal for minimalism, you can't actually look and see what certs are loaded that I can find.