In order for Microsoft Exchange ActiveSync to authenticate a user from a certificate, it must first trust the source of the certificate.

  1. On the Certificate Authority server, select Start > Run.
  2. Type MMC in the dialog box and press Enter to launch the Microsoft Management Console (MMC).
  3. Click File > Add/Remove Snap-in… from the MMC main menu.
  4. Select Enterprise PKI from the list of Available snap-ins and then select Add.
  5. Click OK.
  6. Right-click Enterprise PKI and select Manage AD Containers.
  7. Select the NT AuthCertificates tab and verify that the Certificate Authority is listed. If it is not, select Add to add the Certificate Authority to the group.
  8. Click OK.

Step 2: Set Permissions on Exchange Server

In order for devices to authenticate with Microsoft Exchange ActiveSync, you must configure several changes on the Exchange Server.

Certificate Authentication

  1. On the Exchange server, select Start > Run.
  2. Type inetmgr in the dialog box and press Enter to launch Internet Information Services (IIS) Manager.
  3. Select the server in the left-hand Connections pane.
  4. Under IIS, double-click the Authentication icon.
  5. Select Active Directory Client Certificate Authentication and then select Enable.

Configuration Editor

  1. Click + to expand Site and then Default Web Site to display all available configuration editors.
    a. If you are using MS Server 2008 R2 or later, select Microsoft-Server-ActiveSync and double-click the Configuration Editor icon. Skip steps 1.b and 1.c and go directly to step 2.
    b. If you are using a server older than 2008 R2, you need to be familiar with the use of appcmd.exe and run it from the command prompt.
    c. Open a command prompt by selecting Start > Run. In the dialog box type cmd and select OK. In the command prompt, type the following command:

      appcmd.exe set config "Microsoft-Server-ActiveSync" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost

      If you performed this step, skip the remaining steps in this section and advance to Set Up Secure Sockets Layer (SSL).

  2. Navigate to system.webServer/security/authentication in the Section drop-down menu.
  3. Select clientCertificateMappingAuthentication.
  4. Select True from the drop-down menu on the Enabled option.

Set Up Secure Sockets Layer (SSL)

If only certificate authentication is being used, then you must configure Secure Sockets Layer (SSL) so that IIS requires the client certificate.

  1. Select Microsoft-Server-ActiveSync, and then double-click the SSL Settings icon.
  2. Under Client certificates, select Accept if other types of authentication are allowed. If only certificate authentication is allowed, select the Require SSL checkbox and then select Require.
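As an added check that is not part of the original instructions (and not a vendor script), the following PowerShell script reads back the IIS settings configured in the Certificate Authentication, Configuration Editor and SSL steps above, plus the uploadReadAheadSize value set later on this page, and reports PASS or FAIL for each. It assumes the WebAdministration module (IIS 7.5 or later) and the site name Default Web Site; pass -Site if the site was renamed and -CertOnly if certificate authentication is the only method allowed.

```powershell
# Read-only audit of the IIS settings this page configures (added example, not vendor code).
# Assumptions: WebAdministration module is available; site name defaults to 'Default Web Site'.
param([string]$Site = 'Default Web Site', [switch]$CertOnly)
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'
$Eas     = "$Site/Microsoft-Server-ActiveSync"
$MinUp   = 10485760   # 10 MB, the uploadReadAheadSize value the steps on this page set

function Get-Prop([string]$Filter, [string]$Name, [string]$Location) {
    # Reads one attribute from applicationHost.config; an empty $Location means server level.
    $p = @{ PSPath = $AppHost; Filter = $Filter; Name = $Name }
    if ($Location) { $p.Location = $Location }
    (Get-WebConfigurationProperty @p).Value
}

$auth    = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
$runtime = 'system.webServer/serverRuntime'
$flags   = [string](Get-Prop 'system.webServer/security/access' 'sslFlags' $Eas)

# Require SSL must be set on the ActiveSync directory. Client certificates must be at least
# Accept (SslNegotiateCert); with -CertOnly they must be Require (SslRequireCert).
$sslOk = ($flags -match '\bSsl\b') -and $(
    if ($CertOnly) { $flags -match 'SslRequireCert' }
    else           { $flags -match 'SslNegotiateCert|SslRequireCert' })

$checks = [ordered]@{
    'AD client certificate mapping auth enabled (server level)'   = [bool](Get-Prop $auth 'enabled' '')
    'AD client certificate mapping auth enabled (ActiveSync dir)' = [bool](Get-Prop $auth 'enabled' $Eas)
    'SSL Settings on ActiveSync dir (Require SSL + client certs)' = $sslOk
    'uploadReadAheadSize >= 10 MB (server level)' = ([int64](Get-Prop $runtime 'uploadReadAheadSize' '') -ge $MinUp)
    'uploadReadAheadSize >= 10 MB (site level)'   = ([int64](Get-Prop $runtime 'uploadReadAheadSize' $Site) -ge $MinUp)
}

$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { 'PASS' } else { $failed++; 'FAIL' }
    Write-Output ('[{0}] {1}' -f $state, $c.Key)
}
exit $failed   # non-zero exit code if any check failed
```

Run it from an elevated PowerShell prompt on the Exchange server after the iisreset, and re-run it after any IIS change to confirm the settings have not drifted.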

Adjust uploadReadAheadSize Memory Size

Since certificate-based authentication sends a larger amount of data during the authentication process, the IIS configuration must be adjusted to account for it. This is accomplished by increasing the value of uploadReadAheadSize. The following steps guide you through the configuration:

  1. Open a command prompt by selecting Start > Run.
  2. Type cmd in the dialog box and select OK.
  3. Enter the following commands to increase the value of the uploadReadAheadSize from the default of 48KB to 10MB:

    C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost
    C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site" -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost

    The first command sets the value at the server level and the second at the site level. If the name of the site has been changed in IIS, replace "Default Web Site" in the second command with the new name.

  4. Perform an IIS reset by entering the following command: