In order to authenticate the user’s device that is assigned to a particular certificate, Internet Information Services (IIS) must be configured to accept that certificate. For the configurations shown in this document, IIS can only be configured on either a SEG or EAS server. Where IIS resides is dependent on the configuration as follows.

  • If the configuration is TMG to EAS then you can configure IIS on the EAS server.
  • If the configuration is TMG to SEG to EAS then you can configure IIS on the SEG server.

This section discusses configuring IIS on the EAS server. If a SEG is included in your configuration, skip this step and advance to Configure IIS for Certificate Authentication with SEG.

First, you must enable Active Directory client certificate authentication in IIS.

  1. On the EAS server, launch Internet Information Services (IIS) by selecting Start > Run. In the dialog box type inetmgr and select OK. The IIS Manager window appears.
  2. In the left-hand Connections pane, select the EAS server.
  3. In the main pane, under the IIS section, double-click the Authentication icon.

  4. Select Active Directory Client Certificate Authentication.

  5. In the right-hand pane, select Enable.


  6. Once the above step is complete, restart the IIS Admin service from the Services console.

    Next, you must enable the client certificate in the Exchange Management Console.

  7. In the Exchange Management Console, expand Server Configuration and then select the Client Access Server that you want to configure.
  8. On the Exchange ActiveSync tab, right-click the Microsoft-Server-ActiveSync directory and choose Properties.
  9. On the Authentication tab, clear the Basic authentication (password is sent in clear text) checkbox and select the option Require client certificates.

    Next, you must enable client certificate mapping authentication.

  10. Click the + sign to expand the Sites folder.
  11. Click the + sign to expand the Default Web Site and display the email sever you want to configure.
    1. If you are using MS Server 2008 R2 or later, the Configuration Editor icon appears as shown in the screen below. This icon does not appear in older versions of MS Server. Select Microsoft-Server-ActiveSync and double-click the Configuration Editor icon. Skip step b & c, and go to step 3.

    2. If you are using Exchange ActiveSync (EAS) servers older than 2008 R2, you need to be familiar with the use of appcmd.exe and run it from the command prompt.

    3. Open a command prompt by selecting Start > Run. In the dialog box type cmd and select OK. In the command prompt, type the following command.

      appcmd.exe set config Microsoft-Server-ActiveSync -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:True /commit:apphost

  12. In the Section drop-down, navigate to system.webserver/security/authentication.
  13. Select clientCertificateMappingAuthentication.


  14. On the Enabled option, select True from the drop-down box.


  15. In the right-hand pane, select Apply.


    If only certificate authentication is being used then you must configure Secure Socket Layer (SSL). Otherwise, if authentication other than certificates is used then you do not need to configure SSL.

  16. Select Microsoft-Server-ActiveSync, and then double-click the SSL Settings icon.


  17. If only certificate authentication is allowed, then select Require SSL and select Required. If other types of authentication are allowed, select Accept.

  18. In the right-hand pane, select Apply.


    Next, you must adjust the uploadReadAheadSize memory size. Since certificate based authentication uses a larger amount of data during the authentication process, some adjustments must be made in IIS configuration to account for the increased amount of data. This is accomplished by increasing the value of the uploadReadAheadSize. The following steps guide you through the configuration.

  19. Open a command prompt by selecting Start > Run.
  20. Type cmd and select OK. A text editor window appears.
  21. Increase the value of the uploadReadAheadSize from the default of 48KB to 10MB by entering the following commands:

    C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webServer/serverRuntime /uploadReadAheadSize:10485760 /commit:apphost

    C:\Windows\System32\inetsrv\appcmd.exe set config Default Web Site -section:system.webServer/serverRuntime /uploadReadAheadSize:10485760 /commit:apphost

    The Default Web Site is used. If the name of the site has been changed in IIS then the new name needs to replace Default Web Site in the second command.

  22. Type the following command to reset the IIS.