In order for the SEG to authenticate the user’s device that is assigned to a particular certificate, Internet Information Services (IIS) on the SEG server must be configured to accept that certificate.

Set up Active Directory to Authenticate

  1. On the SEG Server, launch Internet Information Services (IIS) by selecting Start > Run.
  2. Type inetmgr and select OK. The IIS Manager window appears.
  3. In the left-hand Connections pane, select the SEG server.
  4. In the main pane, under the IIS section, double-click the Authentication icon.


  5. Select Active Directory Client Certificate Authentication. If this option is not available, see Install the Role in IIS.

  6. In the right-hand pane, select Enable.


Use the Configuration Editor to Set Up Email Authentication

  1. Click + to expand the Sites folder.
  2. Click + to expand the Default Web Site and display the email server you want to configure.
    1. If you are using MS Server 2008 R2 or later, the Configuration Editor icon is available. This icon does not appear in older versions of MS Server. Select Microsoft-Server-ActiveSync and double-click the Configuration Editor icon. If applicable, proceed directly to step 3.

    2. If you are using Exchange ActiveSync (EAS) servers older than 2008 R2, you will need to be familiar with the use of appcmd.exe and run it from the command prompt.

    3. Open a command prompt by selecting Start > Run. In the dialog box type “cmd” and select OK. In the command prompt, type the following command:

      appcmd.exe set config "Microsoft-Server-ActiveSync" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost

      If you performed this step, then skip the remaining steps and advance to Setting up Secure Socket Layer (SSL).

  3. Navigate to system.webServer/security/authentication under Section.

  4. Select clientCertificateMappingAuthentication.


  5. Select True from the Enabled drop-down menu.


  6. Click Apply.


Set Up Secure Socket Layer (SSL)

If only certificate authentication is used, you must configure Secure Socket Layer (SSL). If authentication other than certificates is used, you do not need to configure SSL.

  1. Select Microsoft-Server-ActiveSync, and then double-click SSL Settings.


  2. If only certificate authentication is allowed, select Require SSL and then Required. If other types of authentication are allowed, select Accept.

  3. Click Apply.


Adjust uploadReadAheadSize Memory Size

Because certificate-based authentication sends a larger amount of data during the authentication process, the IIS configuration must be adjusted to account for it. This is done by increasing the value of uploadReadAheadSize. The following steps guide you through the configuration:

  1. Open a command prompt by selecting Start > Run.
  2. Type cmd and select OK. A command prompt window appears.
  3. Increase the value of the uploadReadAheadSize from the default of 48KB to 10MB by entering the following commands:

    C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost

    C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site" -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost

    “Default Web Site” is used in the sample code above. If the name of the site has been changed in IIS then the new name needs to replace “Default Web Site” in the second command.

  4. Type the following command to reset the IIS:


Lastly, you must Configure Delegation Rights on the SEG Service Account.
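
Because the appcmd.exe commands above use /commit:apphost, the resulting values are stored in applicationHost.config and can be checked offline. The following Python script is an added example, not part of the original guide or any vendor tooling; the application path Default Web Site/Microsoft-Server-ActiveSync, the function names and the sample XML are assumptions constructed for illustration. It resolves each setting through the location hierarchy and reports any that do not match the steps above.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (illustrative, not from a real server).
SAMPLE = """<configuration>
  <system.webServer>
    <serverRuntime uploadReadAheadSize="10485760" />
    <security><access sslFlags="None" /></security>
  </system.webServer>
  <location path="Default Web Site/Microsoft-Server-ActiveSync">
    <system.webServer><security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication><clientCertificateMappingAuthentication enabled="true" /></authentication>
    </security></system.webServer>
  </location>
</configuration>"""

APP = "Default Web Site/Microsoft-Server-ActiveSync"  # assumed site/application path

def effective(root, path, section, attr):
    """Value of attr for path: most specific <location> first, then parents, then global."""
    parts = path.split("/")
    for depth in range(len(parts), -1, -1):
        scope = "/".join(parts[:depth]).lower()
        bases = [loc for loc in root.findall("location")
                 if loc.get("path", "").lower() == scope] if depth else [root]
        for base in bases:
            node = base.find("system.webServer/" + section)
            if node is not None and attr in node.attrib:
                return node.get(attr)
    return None

def audit(xml_text, app=APP, cert_only=True):
    """Return a list of findings; an empty list means all three settings match the steps."""
    root = ET.fromstring(xml_text)
    findings = []
    auth = "security/authentication/clientCertificateMappingAuthentication"
    if (effective(root, app, auth, "enabled") or "false").lower() != "true":
        findings.append("clientCertificateMappingAuthentication not enabled")
    raw = effective(root, app, "security/access", "sslFlags") or "None"
    flags = {f.strip() for f in raw.split(",")}
    # Require SSL + Required -> all three flags; Accept -> SslNegotiateCert
    needed = {"Ssl", "SslNegotiateCert", "SslRequireCert"} if cert_only else {"SslNegotiateCert"}
    if not needed <= flags:
        findings.append("sslFlags missing " + ",".join(sorted(needed - flags)))
    size = int(effective(root, app, "serverRuntime", "uploadReadAheadSize") or 49152)
    if size < 10485760:
        findings.append(f"uploadReadAheadSize is {size}, expected 10485760")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "OK")
```

To check a real server, pass the text of C:\Windows\System32\inetsrv\config\applicationHost.config to audit(), and set cert_only=False when other authentication types are allowed.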