Problem:
Exchange ActiveSync with Certificate Authentication Does Not Work with a Standalone CA
For Exchange 2010 and Windows 2008 R2
Symptoms:
You configured ActiveSync with certificate authentication, obtained client certificates from a standalone CA and installed them on the phone, but the phone cannot connect and keeps prompting for a password.
To troubleshoot, you install the certificate with its private key on a PC and connect with Internet Explorer to https://eas.contoso.com/microsoft-server-activesync. The browser prompts for a certificate and you select the client certificate. You then get the following error: HTTP Error 401.2 – Unauthorized. The same HTTP error appears in the IIS log too.
HTTP Error 401.2 – Unauthorized
You are not authorized to view this page due to invalid authentication headers.
Detailed Error Information
Module: IIS Web Core
Notification: AuthenticateRequest
Handler: AirSyncHandler
Error Code: 0x80070005
Requested URL: https://eas.contoso.com:443/Microsoft-Server-ActiveSync/default.eas
Physical Path: C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\sync\default.eas
Logon Method: Not yet determined
Logon User: Not yet determined
Cause:
IIS 7.5 cannot map the client authentication certificate to a user account in Active Directory.
Resolution:
1- Using the MMC Certificates snap-in, export the user certificate to a .cer file (usercert.cer) without the private key; the file only contains the public key.
2- Start Active Directory Users and Computers and select Advanced Features from the View menu.
3- Right-click the user and select Name Mappings…
4- On the X.509 Certificates tab click Add, select the usercert.cer file and click OK.
Now if you connect to https://eas.contoso.com/microsoft-server-activesync you get HTTP Error 505.0 – HTTP Version Not Supported,
which means the EAS connection is successful: the 505 comes from the ActiveSync handler after authentication has already passed, because a browser is not an EAS client. Go ahead and try with your phone; it should work.
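The Name Mappings dialog in steps 2-4 writes an X509 issuer/subject mapping into the user's altSecurityIdentities attribute. The following script is an added example (not from the original post) that performs the same mapping from the exported usercert.cer with PowerShell, so the step can be scripted or checked; it assumes the RSAT ActiveDirectory module and the file path and user name given as parameters.

```powershell
# Added example: emulate the ADUC "X.509 Certificates" name mapping with PowerShell.
# Assumptions: RSAT ActiveDirectory module is installed, $CerPath is the .cer exported
# in step 1 (public key only), $SamAccountName is the mailbox user from the post.
param(
    [string]$CerPath        = 'C:\temp\usercert.cer',   # assumed path
    [string]$SamAccountName = 'usertest1'               # user name used in the post
)
Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# ADUC stores the DNs root-first without spaces (DC=com,DC=contoso,CN=...),
# whereas .NET returns them leaf-first ("CN=..., DC=contoso, DC=com").
# Reverse the RDN order to match. Note: a naive split breaks on RDN values that
# contain an escaped comma; check the resulting string in ADUC for such certs.
function ConvertTo-MappingDN([string]$dn) {
    $rdns = $dn -split ',\s*'
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$issuer  = ConvertTo-MappingDN $cert.Issuer
$subject = ConvertTo-MappingDN $cert.Subject
$mapping = "X509:<I>$issuer<S>$subject"

# Add the mapping only if it is not already present (the attribute is multi-valued).
$user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
if ($user.altSecurityIdentities -contains $mapping) {
    Write-Host "Mapping already present on $SamAccountName : $mapping"
} else {
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    Write-Host "Added mapping to $SamAccountName : $mapping"
}

# Verify: the new value should be listed, and the X509 Certificates tab in ADUC
# now shows the certificate, which is what lets the DC resolve the account.
(Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
```

The same attribute is what the Published Certificates tab does not touch, which is why adding the certificate there (see More Information below) does not help.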
More Information:
One common mistake is to add the certificate to the Published Certificates tab of the user; IIS certificate mapping does not use this tab.
Most technical documents and blogs about Exchange EAS certificate authentication use an Active Directory integrated Certificate Authority, because an AD integrated CA publishes the certificate to AD automatically. But you may have a standalone CA in your enterprise, or you may prefer to buy client certificates from a public CA. This post may help in those cases.
If you enable account logon/logoff auditing (which helped me a lot) in the Default Domain Controllers Policy, you will see the following event in the domain controllers' Security event log:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 26.11.2012 14:03:32
Event ID: 4768
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: TESTEXC.internal.contoso.com
Description:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name: X509N:CN=usertest1
    Supplied Realm Name: contoso.com
    User ID: NULL SID

Service Information:
    Service Name: krbtgt/internal.contoso.com
    Service ID: NULL SID

Network Information:
    Client Address: ::1
    Client Port: 0

Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x6
    Ticket Encryption Type: 0xffffffff
    Pre-Authentication Type: -

Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
Result Code 0x6 means KDC_ERR_C_PRINCIPAL_UNKNOWN: the client was not found in the Kerberos database, i.e. the domain controller cannot find the account name in Active Directory (see: http://networkadminkb.com/KB/a363/how-to-troubleshoot-event-id-4768-audit-failure.aspx).
The obvious reason is that IIS cannot find/map a user in AD matching the supplied certificate, so the DC returns user not found.