SOLUTION: Exchange Active Sync with Certificate Authentication does not Work with Standalone CA

Problem:

Exchange Active Sync with Certificate Authentication does not Work with Standalone CA

For Exchange 2010 and Windows 2008 R2

Symptoms:

You configured ActiveSync with certificate authentication, obtained client certificates from a standalone CA and installed them on the phone, but the phone cannot connect and prompts for a password.

For troubleshooting, you install the certificate with its private key on a PC and connect with Internet Explorer to https://eas.contoso.com/microsoft-server-activesync. The browser prompts for a certificate and you select the client cert. Then you get the following error: HTTP Error 401.2 – Unauthorized. You can see the same HTTP error in the IIS log too.

HTTP Error 401.2 – Unauthorized
You are not authorized to view this page due to invalid authentication headers.

Detailed Error Information
Module: IIS Web Core
Notification: AuthenticateRequest
Handler: AirSyncHandler
Error Code: 0x80070005
Requested URL: https://eas.contoso.com:443/Microsoft-Server-ActiveSync/default.eas
Physical Path: C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\sync\default.eas
Logon Method: Not yet determined
Logon User: Not yet determined

Cause:

IIS 7.5 cannot map the client authentication certificate to the user account in Active Directory.

Resolution:

1. Using the MMC Certificates snap-in, export the user certificate to a .cer file, usercert.cer (the certificate without its private key; it only contains the public key).
2. Start Active Directory Users and Computers. From the View menu, select Advanced Features.
3. Right-click the user and select Name Mappings…
4. On the X.509 Certificates tab, click Add, select the usercert.cer file and click OK.
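The Name Mappings dialog stores the mapping in the user's altSecurityIdentities attribute. The following PowerShell is an added example (not from the original post) that performs steps 2 to 4 from the exported usercert.cer without the GUI; it assumes the ActiveDirectory module (RSAT) is installed, and the file path and sAMAccountName are placeholders.

```powershell
# Added example: write the X509 issuer/subject mapping that the Name Mappings
# dialog creates into altSecurityIdentities, instead of clicking through ADUC.
# Assumes the ActiveDirectory module; path and user below are placeholders.
param(
    [string]$CerPath = 'C:\temp\usercert.cer',   # placeholder path to step-1 export
    [string]$SamAccountName = 'usertest1'         # placeholder user
)
Import-Module ActiveDirectory

# altSecurityIdentities stores each DN with its components in reverse order
# (root first) and with plain "," separators, e.g. "DC=com,DC=contoso,CN=ContosoCA",
# whereas .NET returns "CN=ContosoCA, DC=contoso, DC=com". The split below is
# naive for DNs that contain escaped commas; use a real DN parser for those.
function ConvertTo-AltSecIdDn {
    param([string]$Dn)
    $parts = $Dn -split ', ' | ForEach-Object { $_.Trim() }
    [array]::Reverse($parts)
    return ($parts -join ',')
}

function New-X509Mapping {
    param([string]$Path)
    # The .cer carries only the public certificate, so the private key is never needed here.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $issuer  = ConvertTo-AltSecIdDn $cert.Issuer
    $subject = ConvertTo-AltSecIdDn $cert.Subject
    return "X509:<I>$issuer<S>$subject"
}

$mapping = New-X509Mapping -Path $CerPath
Write-Host "Adding mapping: $mapping"

# -Add appends to the multi-valued attribute, so existing mappings are kept.
Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }

# Verify: this is the value shown on the X.509 Certificates tab of Name Mappings.
# The userCertificate attribute (Published Certificates tab) is not consulted by IIS.
(Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
```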

Now if you connect to https://eas.contoso.com/microsoft-server-activesync you get HTTP Error 505.0 – HTTP Version Not Supported,

which means the EAS connection is successful. Go ahead and try with your phone; it should work.

More Information:

A common mistake is to add the cert to the Published Certificates tab of the user. IIS cert mapping does not use this tab.

Most technical documents and blogs about Exchange EAS certificate authentication use an Active Directory integrated certificate authority. An Active Directory integrated CA publishes the certificates to AD automatically. But you may have a standalone CA in your enterprise, or you may prefer to buy client certs from a public CA company. This post may help in those cases.

If you enable account logon/logoff auditing in the Default Domain Controllers policy (that helped me a lot), you will see the following event in the domain controllers' security event log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          26.11.2012 14:03:32
Event ID:      4768
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      TESTEXC.internal.contoso.com
Description:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
  Account Name:        X509N:CN=usertest1
  Supplied Realm Name: contoso.com
  User ID:             NULL SID

Service Information:
  Service Name: krbtgt/internal.contoso.com
  Service ID:   NULL SID

Network Information:
  Client Address: ::1
  Client Port:    0

Additional Information:
  Ticket Options:          0x40810010
  Result Code:             0x6
  Ticket Encryption Type:  0xffffffff
  Pre-Authentication Type: -

Certificate Information:
  Certificate Issuer Name:
  Certificate Serial Number:
  Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Result Code 0x6 means KDC_ERR_C_PRINCIPAL_UNKNOWN: the client was not found in the Kerberos database, i.e. the domain controller cannot find the account name in Active Directory. (See: http://networkadminkb.com/KB/a363/how-to-troubleshoot-event-id-4768-audit-failure.aspx)

The obvious reason is that IIS cannot find/map the user with the supplied cert in AD, and the DC returns user not found.
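When more than one phone or user is affected, reading these 4768 events one at a time gets tedious. The following PowerShell is an added example (not from the original post) that lists all recent 4768 failures with Result Code 0x6 whose account name is an X509N certificate name, i.e. exactly the unmapped-certificate case above; it assumes the 4768 EventData field names TargetUserName, TargetDomainName, IpAddress, CertIssuerName and CertThumbprint, and the DC name is the one from the post used as a placeholder.

```powershell
# Added example: list unmapped certificate logon attempts (event 4768, Result Code 0x6,
# Account Name X509N:...) from a domain controller's Security log.
# Assumes account logon auditing is enabled as described in the post and that the
# 4768 EventData field names below are correct; DC name and window are placeholders.
param(
    [string]$DomainController = 'TESTEXC.internal.contoso.com',  # placeholder DC
    [int]$Hours = 24
)

# XPath filter evaluated on the DC: event 4768, result code 0x6
# (KDC_ERR_C_PRINCIPAL_UNKNOWN), within the last $Hours hours (timediff is in ms).
$xpath = "*[System[EventID=4768 and TimeCreated[timediff(@SystemTime) <= $($Hours*3600000)]]" +
         " and EventData[Data[@Name='Status']='0x6']]"

function Get-UnmappedCertLogons {
    param([string]$Computer, [string]$Filter)
    Get-WinEvent -ComputerName $Computer -LogName Security -FilterXPath $Filter -ErrorAction Stop |
        ForEach-Object {
            # Read the structured EventData rather than parsing the message text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Only certificate-based requests carry an X509N: account name.
            if ($d.TargetUserName -like 'X509N:*') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    AccountName = $d.TargetUserName      # e.g. X509N:CN=usertest1
                    Realm       = $d.TargetDomainName    # Supplied Realm Name
                    ClientIP    = $d.IpAddress
                    CertIssuer  = $d.CertIssuerName
                    CertThumb   = $d.CertThumbprint
                }
            }
        }
}

Get-UnmappedCertLogons -Computer $DomainController -Filter $xpath | Format-Table -AutoSize
```

Each row is a user whose certificate subject/issuer still has no altSecurityIdentities mapping; once the mapping is added the same request stops producing 0x6 failures.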
