Use certificates and kerberos to authenticate instead of usernames and passwords.
Kerberos Constrained Delegation (KCD) eliminates the use of basic authentication for email. Devices are issued certificates within their Exchange ActiveSync profile instead of using a username and password to authenticate for email. SEG uses the unique user certificate to request secure Kerberos tickets from the domain controller and embeds these tickets in the ActiveSync request to Exchange. In this way, authentication and authorization are secured by Workspace ONE UEM powered by AirWatch, while also providing a seamless user experience.
The following diagram shows a typical SaaS deployment.
The PKI infrastructure is not required to be part of the domain.
Requirements for Using the Client Certificate Authentication
Before configuring the SEG to use client certificate authentication, meet the following prerequisites.
- A Windows Server (2008 R2 or higher)
- A Certificate Authority (CA) integrated with Workspace ONE UEM to issue certificates to your mobile devices. In this documentation, Microsoft is used as an example for a CA. However, Workspace ONE UEM supports certificates from multiple CAs.
- A trust relationship between the CA and the Directory Services server.
- A domain service account to use as the Principal Identity with designated permission to impersonate users to the EAS service.
- A Certificate Revocation List (CRL) for the CA that is accessible over HTTP, and a CRL distribution point. For more information, see the Configure Certificate Revocation List over HTTP section in the Configure Secure Email Gateway (SEG) V2 for Kerberos Constrained Delegation (KCD) topic.
- Administrative access to the following in your enterprise environment:
  - Active Directory (AD) Users & Computers
  - Exchange ActiveSync (EAS) or Client Access Servers (CAS)
  - Windows Server on which the SEG is installed
  - Certificate Authority (CA)
Communication paths should be as noted below.

| Source | Port | Protocol | Destination |
|---|---|---|---|
| SEG | 80 | HTTP | CRL Distribution Point |
| SEG | 80/443 | HTTP(S) | Exchange ActiveSync |
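As an added example that is not part of the Workspace ONE UEM documentation, the following PowerShell script, run on the SEG server with the RSAT ActiveDirectory module installed, checks the prerequisites and communication paths listed above: the service account's delegation settings, CRL reachability over HTTP on port 80, and Exchange ActiveSync reachability on port 443. The account name, CRL URL, Exchange host and the `http/` form of the Exchange SPN are placeholders and assumptions, not values from this page.

```powershell
# Added prerequisite check for SEG KCD (not from the Workspace ONE UEM documentation).
# Placeholders below must be replaced with your own environment's values.
param(
    [string]$ServiceAccount = 'svc-seg-kcd',                                        # placeholder
    [string]$CrlUrl         = 'http://pki.example.local/CertEnroll/Example-CA.crl', # placeholder
    [string]$ExchangeHost   = 'mail.example.local'                                  # placeholder
)

$results = @()

# 1. Service account: must be trusted for protocol transition (so SEG can obtain a
#    ticket from a certificate rather than a password) and constrained to the
#    Exchange HTTP service only, not to arbitrary services.
$acct = Get-ADUser -Identity $ServiceAccount -Properties 'msDS-AllowedToDelegateTo','TrustedToAuthForDelegation'
$spns = @($acct.'msDS-AllowedToDelegateTo')
$offTarget = $spns | Where-Object { $_ -notlike "http/$ExchangeHost*" }   # assumed SPN form
$results += [pscustomobject]@{ Check = 'Account trusted for protocol transition'; Pass = [bool]$acct.TrustedToAuthForDelegation }
$results += [pscustomobject]@{ Check = 'Delegation limited to Exchange HTTP SPN';  Pass = ($spns.Count -gt 0) -and (-not $offTarget) }

# 2. CRL distribution point: SEG must reach it over plain HTTP on port 80 and
#    receive a non-empty CRL; an unreachable CRL means device logons fail.
$crlHost = ([uri]$CrlUrl).Host
$tcp80   = Test-NetConnection -ComputerName $crlHost -Port 80 -InformationLevel Quiet
$results += [pscustomobject]@{ Check = "TCP 80 to $crlHost (CRL Distribution Point)"; Pass = $tcp80 }
try {
    $resp   = Invoke-WebRequest -Uri $CrlUrl -UseBasicParsing -TimeoutSec 10
    $gotCrl = ($resp.StatusCode -eq 200) -and ($resp.Content.Length -gt 0)
} catch { $gotCrl = $false }
$results += [pscustomobject]@{ Check = 'CRL downloadable over HTTP'; Pass = $gotCrl }

# 3. Exchange ActiveSync: SEG forwards the Kerberos-authenticated request over HTTPS.
$tcp443 = Test-NetConnection -ComputerName $ExchangeHost -Port 443 -InformationLevel Quiet
$results += [pscustomobject]@{ Check = "TCP 443 to $ExchangeHost (Exchange ActiveSync)"; Pass = $tcp443 }

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit flags a missing prerequisite
```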