Distributing certificates through AirWatch lets devices authenticate with client authentication certificates.

Using certificate authentication removes the need for the device user to supply user credentials to authenticate for email access.

Organizations can use reverse proxies such as Microsoft's Threat Management Gateway (TMG) to authenticate users and pass the traffic along to backend Exchange ActiveSync (EAS) servers. To accomplish this, Kerberos constrained delegation (KCD) is used to allow the TMG to delegate authentication to servers on the backend.

The AirWatch Secure Email Gateway (SEG) can also be used to add controls over which devices are allowed to sync mail.

This document discusses two configurations, TMG to EAS server and TMG to SEG to EAS server, and defines the configuration required to set up certificate authentication on a TMG that proxies requests to backend EAS or SEG servers.

Threat Management Gateway

Forefront Threat Management Gateway is a secure web gateway that provides comprehensive protection against web-based threats by integrating multiple layers of protection. Forefront TMG acts as a reverse proxy in front of the EAS or SEG server and publishes traffic to the internal endpoints.

Kerberos Constrained Delegation

The Kerberos authentication protocol is used to confirm the identity of users that are attempting to access resources on a network.

Kerberos authentication uses tickets that are encrypted and decrypted with secret keys and do not contain user passwords. These tickets are requested and delivered in Kerberos messages. Two types of tickets are used: Ticket-Granting Tickets (TGTs) and service tickets.

Kerberos constrained delegation gives domain administrators a way to limit the network resources that a service trusted for delegation can access. This is done by configuring the account (computer or domain account) under which the service runs so that it is trusted for delegation only to a specific instance of a service running on a specific computer. The same trust can also be granted to a set of specific service instances running on specific computers.

Each instance of a service that uses Kerberos authentication needs to have a Service Principal Name (SPN) defined for it so that clients can identify that instance of the service on the network.

The SPN is registered in the Active Directory Service-Principal-Name attribute of the Windows account under which the service instance runs, so the SPN is tied to that account. When a service needs to authenticate to another service running on a specific computer, it uses that service's SPN to distinguish it from other services running on the same computer.
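As an added example (not from this document or from the AirWatch or TMG product documentation), the following PowerShell shows the two Active Directory settings the KCD and SPN paragraphs above describe: registering the EAS service's SPN on the account the service runs under, constraining the TMG computer account so it may delegate only to that one service instance, and verifying the result. The host names TMG01 and EAS01, the FQDN eas01.corp.example.com and the CORP domain are hypothetical placeholders.

```powershell
# Added example, not part of the original document.
# Assumptions (hypothetical): TMG runs on computer account TMG01; the EAS
# service runs under the computer account EAS01 (FQDN eas01.corp.example.com);
# both accounts live in the CORP domain. Run as a domain administrator.
Import-Module ActiveDirectory

$easHost    = 'eas01.corp.example.com'
$easAccount = 'EAS01'   # account the EAS service instance runs under
$tmgAccount = 'TMG01'   # account that will delegate to the EAS service
$spn        = "http/$easHost"

# 1. Register the SPN on the EAS service account. -S checks the forest for a
#    duplicate first; a duplicate SPN breaks Kerberos for both accounts.
setspn -S $spn $easAccount

# 2. Constrain TMG01's delegation to exactly this service instance.
#    msDS-AllowedToDelegateTo is the attribute behind the ADUC option
#    "Trust this computer for delegation to specified services only".
Set-ADComputer -Identity $tmgAccount -Add @{ 'msDS-AllowedToDelegateTo' = $spn }

# 3. The device authenticated to TMG with a certificate, not with Kerberos, so
#    TMG needs protocol transition ("use any authentication protocol") to obtain
#    a service ticket on the user's behalf. Unconstrained delegation
#    (TrustedForDelegation) stays off: it would let TMG impersonate the user to
#    any service, which is the exposure constrained delegation exists to avoid.
Set-ADAccountControl -Identity $tmgAccount `
    -TrustedForDelegation $false `
    -TrustedToAuthForDelegation $true

# 4. Verify: the SPN exists exactly once, and TMG01's delegation list contains
#    only the intended EAS service instance. Audit this list periodically; any
#    SPN added here widens what TMG can reach as the authenticated user.
setspn -Q $spn
Get-ADComputer -Identity $tmgAccount `
    -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation |
    Select-Object Name, TrustedForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

When the SEG sits between TMG and EAS, the SPN registered and listed in msDS-AllowedToDelegateTo is the SEG host's, since that is the service TMG authenticates to.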