Use certificates and Kerberos to authenticate instead of usernames and passwords.
Kerberos Constrained Delegation (KCD) removes basic authentication from the email path entirely. Instead of a user name and password, each device receives a client certificate inside its Exchange ActiveSync profile. SEG uses that unique user certificate to request Kerberos tickets for the user from the domain controller and attaches the resulting service ticket to the ActiveSync request it forwards to Exchange. Authentication and authorization are thus secured by Workspace ONE UEM powered by AirWatch while the user experience stays seamless: no password is stored on the device or entered by the user.
The following diagram shows a typical SaaS deployment.
The PKI infrastructure does not need to be part of the domain.
Requirements for Using Client Certificate Authentication
Before configuring the SEG to use client certificate authentication, meet the following prerequisites.
- Windows Server (2008 R2 or higher)
- Certificate Authority (CA) integrated with Workspace ONE UEM to issue certificates to your mobile devices. In this documentation, Microsoft is used as an example for a CA. However, Workspace ONE UEM supports certificates from multiple CAs.
- A trust relationship between the CA and the Directory Services server.
- A domain service account to be used by SEG to impersonate the user and acquire the Kerberos tickets.
- An Alternate Service Account (ASA) domain account used to represent the EAS server. This can be either a user account or a computer account. Refer to “Leveraging an ASA Credential Type” for more information.
- A Certificate Revocation List (CRL) for the CA, published at a CRL distribution point (CDP) that SEG can reach over HTTP; SEG checks each device certificate against it before requesting a ticket. For more information, see the Configure Certificate Revocation List over HTTP section in the Configure Secure Email Gateway (SEG) V2 for Kerberos Constrained Delegation (KCD) topic.
- Administrative access to the following in your enterprise environment:
  - Active Directory (AD) Users & Computers
  - Exchange ActiveSync (EAS) or Client Access Servers (CAS)
  - Windows Server on which the SEG is installed
  - Certificate Authority (CA)
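The two domain accounts in the list above are where the delegation trust actually lives, and the documentation does not show how they are wired up. The following is an added example (not code from the Workspace ONE UEM documentation) that prepares them with the ActiveDirectory module from a domain-joined admin host; the account names, the Exchange host name and the group name are assumptions to replace with your own.

```powershell
# Added example, not part of the Workspace ONE UEM documentation. Requires RSAT
# (ActiveDirectory module) and the setspn tool, run as a domain admin.
# All account and host names below are assumptions.
Import-Module ActiveDirectory

$SegServiceAccount = 'svc-seg-kcd'        # account SEG uses to impersonate users
$AsaAccount        = 'svc-exch-asa'       # Alternate Service Account fronting EAS
$EasHost           = 'mail.corp.example'  # FQDN that devices and SEG use for EAS
$EasSpn            = "http/$EasHost"      # the only service SEG may delegate to

# 1. Register the EAS SPN on the ASA account (works for a user or a computer
#    account). -S refuses to create a duplicate SPN; a duplicate silently breaks
#    Kerberos for the host, so never use -A here.
setspn -S $EasSpn $AsaAccount
if ($LASTEXITCODE -ne 0) { throw "Could not register $EasSpn on $AsaAccount" }

# 2. Constrain the SEG account's delegation to exactly that SPN. Every SPN in
#    msDS-AllowedToDelegateTo is a service this account can reach as any user.
Set-ADUser -Identity $SegServiceAccount -Add @{ 'msDS-AllowedToDelegateTo' = $EasSpn }

# 3. Enable protocol transition ("Use any authentication protocol"). Devices
#    authenticate to SEG with a certificate, not Kerberos, so SEG holds no user
#    ticket to forward: it must obtain one itself (S4U2Self) and exchange it for
#    a ticket to $EasSpn (S4U2Proxy). Kerberos-only constrained delegation is
#    not enough for that, and unconstrained delegation (-TrustedForDelegation)
#    is far more than needed.
Set-ADAccountControl -Identity $SegServiceAccount -TrustedToAuthForDelegation $true

# 4. Verify: expect TrustedToAuthForDelegation = True and a single SPN.
Get-ADUser -Identity $SegServiceAccount `
    -Properties TrustedToAuthForDelegation, msDS-AllowedToDelegateTo |
    Select-Object SamAccountName, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 5. Blast-radius controls. The SEG account can now act as any user toward EAS,
#    so keep privileged accounts out of its reach ("Account is sensitive and
#    cannot be delegated"; members of Protected Users get this automatically)
#    and audit which other accounts in the domain hold protocol transition.
Get-ADGroupMember -Identity 'Domain Admins' | ForEach-Object {
    Set-ADAccountControl -Identity $_.distinguishedName -AccountNotDelegated $true
}
# UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000 (16777216)
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' `
    -Properties sAMAccountName, msDS-AllowedToDelegateTo |
    Select-Object sAMAccountName,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Two points the script relies on: S4U2Self needs a user principal to impersonate, and SEG takes it from the device certificate, so the certificate template must identify the user in a form the domain controller can resolve (the user's UPN in the Subject Alternative Name is the usual choice); and registering the SPN on the ASA account is only half of the Exchange side. Binding that account's credential to the Client Access servers is covered by the ASA topic referenced above.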
Communication paths should be as noted below.

| Source | Port | Protocol | Destination |
|---|---|---|---|
| SEG | 80 | HTTP | CRL Distribution Point |
| SEG | 88 | Kerberos | Domain Controller |
| SEG | 80/443 | HTTP(S) | Exchange ActiveSync |
| SEG | 443 | HTTPS | Workspace ONE UEM (AW) API |
| Workspace ONE UEM (AW) | 443 | HTTPS | SEG |
| Device | 443 | HTTPS | SEG |

Port 88 carries Kerberos ticket requests (including the S4U2Self and S4U2Proxy exchanges SEG performs), not LDAP. The CRL is deliberately fetched over plain HTTP: validating an HTTPS distribution point would itself require a revocation check, so an HTTP CDP on port 80 is the correct design rather than a weakness.
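To confirm the paths in the table before enabling KCD, the following added example (not code from the Workspace ONE UEM documentation) can be run in an elevated PowerShell session on the SEG server. It tests each outbound TCP path, downloads the CRL and prints its validity window, and checks that something is listening on 443 for the two inbound paths. Every host name and the CRL URL are assumptions.

```powershell
# Added example, not part of the Workspace ONE UEM documentation. Run on the SEG
# server. Host names and the CRL URL are assumptions; substitute your own.
$Outbound = @(
    @{ Name = 'CRL distribution point'; Host = 'crl.corp.example';     Port = 80  }
    @{ Name = 'Domain controller';      Host = 'dc01.corp.example';    Port = 88  }
    @{ Name = 'Exchange ActiveSync';    Host = 'mail.corp.example';    Port = 443 }
    @{ Name = 'Workspace ONE UEM API';  Host = 'uem-api.corp.example'; Port = 443 }
)
$CrlUrl = 'http://crl.corp.example/pki/Corp-Issuing-CA.crl'

# Outbound paths. Test-NetConnection checks TCP only; Windows Kerberos clients
# use TCP for ticket requests by default since Server 2008, so TCP/88 is the
# path that matters for SEG.
$results = foreach ($c in $Outbound) {
    $t = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Path   = $c.Name
        Target = "$($c.Host):$($c.Port)"
        Open   = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) { Write-Warning "Blocked paths: $($blocked.Target -join ', ')" }

# CRL reachability and freshness. certutil prints the issuer and the
# ThisUpdate/NextUpdate window; a NextUpdate in the past means SEG will treat
# every device certificate as unverifiable and reject it.
$crlFile = Join-Path $env:TEMP 'seg-cdp-check.crl'
Invoke-WebRequest -Uri $CrlUrl -OutFile $crlFile -UseBasicParsing
certutil -dump $crlFile | Select-String -Pattern 'Issuer|CN=|Update'

# Inbound paths (Workspace ONE UEM -> SEG, Device -> SEG): SEG must be listening
# on 443 and the local firewall must allow it.
Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 443 }
```

A TCP check proves only that the port is open, not that Kerberos works end to end; once the SEG service account is configured, the first real ActiveSync request through SEG is the definitive test, and a KDC error at that point usually points back to the SPN or delegation settings rather than the network.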