Integrate the Microsoft Exchange Client Access Server (CAS) and Workspace ONE UEM to allow a device to connect to Microsoft Exchange ActiveSync (EAS) using a certificate for authentication.

Prerequisites

  • Set up a certificate authority server and configure it. Ensure that the CA is an Enterprise CA as opposed to a Stand Alone CA. The Stand Alone version does not allow for the configuration and customization of templates.
    Note: A Network Device Enrollment Service (NDES) server setup, also referred to as MSCEP, is required. NDES is only available in the Enterprise version of Microsoft Server 2008 and 2008 R2.
  • Enable Microsoft Exchange with ActiveSync.
  • Configure Internet Information Services (IIS) on the EAS server with the Client Certificate Mapping Authentication option installed.

Procedure

  1. Set up a trust between Active Directory and the certificate authority, EAS with NDES-MSCEP.
    1. On the Certificate Authority server, select Start > Run.
    2. Type MMC in the dialog box and press Enter to launch the Microsoft Management Console (MMC).
    3. Click File > Add/Remove Snap-in… from the MMC main menu.
    4. Select Enterprise PKI from the list of available snap-ins and then select Add.
    5. Click OK.
    6. Right-click Enterprise PKI and select Manage AD Containers.
    7. Select the NT AuthCertificates tab and verify the Certificate Authority is listed. If not, select Add to add the Certificate Authority to the group.
    8. Click OK.
  2. Set permissions on Microsoft Exchange server.
    1. Update certificate authentication on Exchange.
      1. On the Exchange server, select Start > Run.
      2. Type inetmgr in the dialog box to run Internet Information Services (IIS).
      3. Select the server in the Connections pane.
      4. Under IIS, double-click the Authentication icon.

      5. Select Active Directory Client Certificate Authentication and then select Enable.
    2. Update the configuration editor.
      1. Select + to expand Site and then Default website to display all available configuration editors.
      2. If you are using MS Server 2008 R2 or later, the Configuration Editor icon appears. Select Microsoft-Server-ActiveSync and double-click on the Configuration Editor icon.

        If you are using Exchange servers older than 2008 R2, be familiar with the use of appcmd.exe and run it from the command prompt.

        Open a command prompt by selecting Start > Run. Type cmd in the dialog box and select OK. In the command prompt, type the following command:

        appcmd.exe set config "Microsoft-Server-ActiveSync" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost

        You can then skip to the Set up secure sockets layer step.

      3. Navigate to system.webserver > security > authentication in the Section drop-down menu.
      4. Select clientCertificateMappingAuthentication.

      5. Select True from the drop-down menu on the Enabled option.
    3. Set up secure sockets layer.
      If only certificate authentication is being used, then you must configure Secure Sockets Layer (SSL).
      1. Select Microsoft-Server-ActiveSync, and then double-click the SSL Settings icon.

      2. Select Accept if other types of authentication are allowed. If only certificate authentication is allowed, then select the Require SSL check box and then select Required.
    4. Adjust uploadReadAheadSize memory size.

      Since certificate-based authentication uses a larger amount of data during the authentication process, you must increase the value of the uploadReadAheadSize from 48 KB to 10 MB to account for the increased amount of data.

      1. Open a command prompt by selecting Start > Run.
      2. Type cmd in the dialog box and select OK.
      3. If the name of the site has been changed in IIS, then replace Default Website with the new name in the second command.

      4. Perform an IIS reset by entering iisreset.
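      The IIS changes in the four sub-steps above can also be applied and verified from the command line. The following is an added example written for this page, not a script from the Workspace ONE UEM or Exchange documentation. It assumes an elevated PowerShell session on the Exchange CAS, that the IIS site is still named "Default Web Site" ($SiteName), and that appcmd.exe is in its default location. The uploadReadAheadSize commands are the author's own (server level and site level); the page itself does not show them.

```powershell
# Added example (not from the Workspace ONE UEM documentation): applies the IIS
# settings from the "Set permissions on Microsoft Exchange server" procedure with
# appcmd.exe, then lists the committed sections so you can confirm the result.
# Assumptions: elevated PowerShell on the Exchange CAS; the site is still named
# "Default Web Site" (change $SiteName otherwise); appcmd.exe in its default path.

$SiteName = 'Default Web Site'
$AppPath  = "$SiteName/Microsoft-Server-ActiveSync"
$AppCmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

function Invoke-AppCmd {
    param([string[]]$Arguments)
    # appcmd reports on stdout; a non-zero exit code means nothing was committed.
    $output = & $AppCmd @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed ($LASTEXITCODE): $output" }
    $output
}

# Step 2.1: Active Directory Client Certificate Authentication at the server level
# (the Authentication feature on the server node in IIS Manager).
Invoke-AppCmd @('set', 'config',
    '-section:system.webServer/security/authentication/clientCertificateMappingAuthentication',
    '/enabled:True', '/commit:apphost')

# Step 2.2: the same setting scoped to the ActiveSync virtual directory
# (what the Configuration Editor step changes).
Invoke-AppCmd @('set', 'config', $AppPath,
    '-section:system.webServer/security/authentication/clientCertificateMappingAuthentication',
    '/enabled:True', '/commit:apphost')

# Step 2.3: SSL settings on the virtual directory. Ssl,SslNegotiateCert is
# "Require SSL" + "Accept"; Ssl,SslRequireCert is "Require SSL" + "Required",
# for deployments where certificate authentication is the only method allowed.
$CertificateOnly = $false
$SslFlags = if ($CertificateOnly) { 'Ssl,SslRequireCert' } else { 'Ssl,SslNegotiateCert' }
Invoke-AppCmd @('set', 'config', $AppPath,
    '-section:system.webServer/security/access', "/sslFlags:$SslFlags", '/commit:apphost')

# Step 2.4: uploadReadAheadSize from the 48 KB default to 10 MB (10485760 bytes).
# IIS reads this much of the request entity ahead of the handler, and the client
# certificate exchange needs more room than the default provides.
$ReadAhead = 10485760
Invoke-AppCmd @('set', 'config', '-section:system.webServer/serverRuntime',
    "/uploadReadAheadSize:$ReadAhead", '/commit:apphost')
Invoke-AppCmd @('set', 'config', $SiteName, '-section:system.webServer/serverRuntime',
    "/uploadReadAheadSize:$ReadAhead", '/commit:apphost')

# Restart IIS so the apphost changes take effect.
& iisreset | Out-Null

# Read the committed sections back to confirm what is now in applicationHost.config.
foreach ($section in 'system.webServer/security/authentication/clientCertificateMappingAuthentication',
                     'system.webServer/security/access') {
    Invoke-AppCmd @('list', 'config', $AppPath, "-section:$section")
}
Invoke-AppCmd @('list', 'config', $SiteName, '-section:system.webServer/serverRuntime')
```

Set $CertificateOnly to $true only when no other authentication method is enabled on the virtual directory, which matches the Required option in the SSL Settings step; with Accept, devices that still use basic authentication keep working while certificate-enabled devices are negotiated.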
  3. Configure certificate authority and template in Workspace ONE UEM.
    1. Configure the certificate authority (CA).
      1. Open the Workspace ONE UEM console.
      2. Log in as a user with a minimum of Workspace ONE UEM administrator privileges.
      3. Navigate to Devices > Certificates > Certificate Authorities.
      4. On the Certificate Authorities tab, select Add.
      5. Select Generic SCEP from the Authority Type drop-down menu.
      6. Complete the following options.
        Name: Enter the name of the CA to which the NDES/SCEP/MSCEP endpoint is connected. Find the name by launching the Certification Authority application on the CA server.
        SCEP URL: Enter the URL of the CA server.
        Challenge Type: The Static item requires you to enter an authentication phrase consisting of a key or password used to authenticate the device with the certificate enrollment URL.
      7. Click Test Connection.

        If you select Save prior to Test Connection, a Test is unsuccessful error displays.

      8. Select Save.
    2. Configure the request template.
      1. Navigate to Devices > Certificates > Certificate Authorities and select the Request Templates tab.
      2. Select Add and complete the settings.
        Name: Enter any name that helps to identify this template.
        Certificate Authority: Select the CA you configured earlier in this process.
        Subject Name: Enter the Distinguished Name (DN) for the template. The text entered in this field is the "Subject" of the certificate. The network admin can use the DN to determine who or what device received the certificate.

        A typical entry in this field is "CN=WorkspaceONEUEM.{EnrollmentUser}" or "CN={DeviceUid}". The {} fields are Workspace ONE UEM lookup values.

        Private Key Length: This entry is often 2048 and matches the setting on the certificate template that NDES/SCEP/MSCEP use.
        Private Key Type: This entry matches the setting on the certificate template that NDES/SCEP/MSCEP use.
        SAN Type > Add: Include one or more Subject Alternative Names (SAN) with the template. SANs are used for additional unique certificate identification. In most cases, this needs to match the certificate template on the server.

        Use the drop-down menu to select the SAN Type and enter the subject alternative name in the corresponding data entry field. Each field supports lookup values.

        Automatic Certificate Renewal: Set certificates using this template to automatically renew prior to their expiration date. Specify the Auto Renewal Period in days and make sure the Assignment type is set to Auto.
        Publish Private Key: Publishes the private key to the specified web service endpoint (Directory Services or custom web service).
      3. Save your settings.
  4. Create and deploy the Workspace ONE UEM profile that pushes the Exchange Server settings to the device.
    This profile contains the information necessary for the device to connect to Exchange, as well as the certificate that the device uses to authenticate.
    1. In the Workspace ONE UEM console, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile.
    2. Select the applicable device platform to launch the Add a New Profile dialog.
    3. Configure the General settings for the profile.

      The General settings determine how the profile is deployed and who receives it as well as other overall settings.

    4. Select Credentials from the profile options at left and then select Configure.
      Credential Source: Select Define Certificate Authority.
      Certificate Authority: Select the certificate authority you created previously.
      Certificate Template: Select the certificate template you created previously.
    5. Select Exchange ActiveSync from the profile options at left and then select Configure.
      Account Name: Enter a name that helps identify this payload. This name displays on the device to indicate which email account is active, so it should be accurately descriptive.
      Exchange ActiveSync Host: Enter the actual endpoint of the mail server.

      Do not include http:// or https:// at the beginning and do not include /Microsoft-server-activesync at the end.

      Use SSL: Select this option.

      Authentication using certificates fails over a non-SSL connection.

      Use S/MIME: Unselect this option.
      Domain: Enter the email domain for the user account.

      You can use Lookup Values that retrieve the text stored in the applicable field of the User Profile.

      Email Address: Enter the user's email address on the device.

      You can use Lookup Values that retrieve the text stored in the applicable field of the User Profile.

      Payload Certificate: Select the credential you created previously.
    6. Select Save or select Save and Publish to publish this profile to a device.

What to do next

Review some tips and troubleshooting steps for the integration.
  • You can confirm that the certificate is operational by pushing a profile to the device and testing whether or not the device is able to connect and sync to the configured Exchange ActiveSync endpoint. If the device does not connect and shows a message indicating the certificate cannot be authenticated or the account cannot connect to Exchange ActiveSync, then there is a problem in the configuration.
  • Ensure a certificate is being issued by the certificate authority to the device.
    1. Launch the certification authority application on the certificate authority server and browse to the issued certificates section.
    2. Locate the last certificate issued and verify it shows a subject matching the subject created when the certificate was generated in the Workspace ONE UEM console.

      If there is no certificate, then there is an issue with the certificate authority, client access server (e.g., ADCS), or the Workspace ONE UEM connection to client access server.

    3. Ensure the permissions of the client access server (e.g., ADCS) Admin Account are applied correctly to the certificate authority and the certificate template.
    4. Ensure the account information is entered correctly in the Workspace ONE UEM configuration.
  • If the certificate is being issued, ensure that it is in the profile and on the device.
    1. Navigate to Devices > Profiles > List View.
    2. Click to the right of the applicable Exchange ActiveSync profile to launch the Actions menu and select View XML.

    3. On the device, access the list of installed profiles.
    4. View details for the applicable profile and ensure the certificate is present.
    5. Confirm that the certificate contains the Subject Alternative Name (or SAN) section and within that section there is an Email and Principal name with the appropriate data. If this section is not in the certificate, then either the template is incorrect or the certificate authority has not been configured to accept SAN. Refer to the section on configuring the certificate authority.
    6. Confirm the certificate contains the Client Authentication in the Enhanced Key Usage section. If not present, then the template is not configured correctly.
  • If the certificate is on the device and contains the correct information, then the problem is most likely with the security settings on the Exchange ActiveSync server. Confirm the address of the Exchange ActiveSync server is entered correctly in the Workspace ONE UEM profile and that all security settings have been adjusted to allow certificate authentication on the Exchange ActiveSync server.

    A reliable test is to manually configure a single device to connect to the Exchange ActiveSync server using certificate authentication. This should work outside of Workspace ONE UEM and until this works properly, Workspace ONE UEM will not be able to configure a device to connect to Exchange ActiveSync with a certificate.
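  The two checks above, that the issued certificate carries the SAN entries and the Client Authentication EKU, and the manual connection test outside Workspace ONE UEM, can be scripted. The following is an added example written for this page, not a script from the Workspace ONE UEM documentation. It assumes the test certificate (with its private key) is in the current user's personal store on a Windows machine, that $Thumbprint is replaced with that certificate's thumbprint, and that $EasHost is replaced with the real Client Access Server host name; both values below are placeholders.

```powershell
# Added example (not from the Workspace ONE UEM documentation): inspects a client
# certificate the way the troubleshooting steps describe (SAN Email/Principal Name,
# Client Authentication EKU) and then performs the manual ActiveSync connection test
# with that certificate, independent of Workspace ONE UEM.
# Assumptions: Windows, certificate with private key in Cert:\CurrentUser\My;
# $EasHost and $Thumbprint are placeholders to be replaced.

param(
    [string]$EasHost    = 'mail.example.com',        # placeholder CAS host name
    [string]$Thumbprint = 'PASTE-THUMBPRINT-HERE'    # placeholder certificate thumbprint
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication

function Test-EasClientCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $findings = [ordered]@{}

    # SAN (OID 2.5.29.17): the page expects an Email (RFC822 Name) and a
    # Principal Name (UPN) entry; Format($true) renders them one per line.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    $findings['HasSanExtension'] = [bool]$san
    $findings['SanHasEmail']     = $sanText -match 'RFC822 Name='
    $findings['SanHasUpn']       = $sanText -match 'Principal Name='

    # EKU (OID 2.5.29.37): Client Authentication must be present, otherwise the
    # request template or the CA template is wrong.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $findings['HasClientAuthEku'] = [bool]($eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }))

    # The device can only present the certificate in the TLS handshake if it
    # holds the private key, and the server rejects expired certificates.
    $findings['HasPrivateKey'] = $Cert.HasPrivateKey
    $findings['NotExpired']    = $Cert.NotAfter -gt (Get-Date)
    [pscustomobject]$findings
}

function Test-EasEndpoint {
    param([string]$HostName,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OPTIONS against the ActiveSync virtual directory with the client certificate.
    # A correctly configured server answers 200 and lists MS-ASProtocolVersions;
    # 401/403 points at the IIS side (mapping authentication, SSL flags, CA trust).
    $uri = "https://$HostName/Microsoft-Server-ActiveSync"
    try {
        $resp = Invoke-WebRequest -Uri $uri -Method Options -Certificate $Cert -UseBasicParsing
        [pscustomobject]@{
            Status           = [int]$resp.StatusCode
            ProtocolVersions = $resp.Headers['MS-ASProtocolVersions']
            Error            = $null
        }
    } catch {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        [pscustomobject]@{ Status = $status; ProtocolVersions = $null; Error = $_.Exception.Message }
    }
}

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }

Test-EasClientCertificate -Cert $cert | Format-List
Test-EasEndpoint -HostName $EasHost -Cert $cert | Format-List
```

If Test-EasClientCertificate reports a missing SAN entry or EKU, the fix is on the template side (request template in the Workspace ONE UEM console or the CA template); if the certificate passes but Test-EasEndpoint returns 401 or 403, work through the IIS settings on the Exchange server before publishing the profile to more devices.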