SOLUTION: Exchange Active Sync with Certificate Authentication does not Work with Standalone CA



For Exchange 2010 and Windows 2008 R2


You configured Exchange ActiveSync with certificate authentication, issued client certificates from a standalone CA and installed them on the phone, but the phone cannot connect and keeps prompting for a password.

To troubleshoot, you install the certificate with its private key on a PC and connect to the ActiveSync URL with Internet Explorer. The browser prompts for a certificate and you select the client certificate. You then get the following error: HTTP Error 401.2 – Unauthorized. The same HTTP error appears in the IIS log too.

HTTP Error 401.2 – Unauthorized
You are not authorized to view this page due to invalid authentication headers.

Detailed Error Information
Module: IIS Web Core
Notification: AuthenticateRequest
Handler: AirSyncHandler
Error Code: 0x80070005
Requested URL: https://
Physical Path: C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\sync\default.eas
Logon Method: Not yet determined
Logon User: Not yet determined


The cause is that IIS 7.5 cannot map the client authentication certificate to the user account in Active Directory. To fix it, map the certificate to the user explicitly:


1- Using the MMC Certificates snap-in, export the user certificate to a .cer file, e.g. usercert.cer (without the private key; it contains only the public key).
2- Start Active Directory Users and Computers. From the View menu select Advanced Features.
3- Right-click the user and select Name Mappings…
4- On the X.509 Certificates tab click Add, select usercert.cer and click OK.
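The Name Mappings dialog stores the mapping in the user's altSecurityIdentities attribute as an "X509:<I>issuer<S>subject" string. The following PowerShell script is an added example (not from the original post) that does the same from the command line with the ActiveDirectory module, so the mapping can be scripted for many users and verified afterwards. The file path C:\temp\usercert.cer, the account name usertest1 and the function names are assumptions.

```powershell
# Added example (not from the original post): map a client certificate to an AD
# user via altSecurityIdentities, which is what the "Name Mappings..." dialog does.
# Assumptions: the ActiveDirectory module (RSAT) is installed, you have rights to
# modify the user, and the .cer file is the exported public certificate.
Import-Module ActiveDirectory

function ConvertTo-LdapOrderDn {
    # .NET returns DNs in X.500 order ("CN=usertest1, DC=contoso, DC=local").
    # altSecurityIdentities expects the reversed order without spaces
    # ("DC=local,DC=contoso,CN=usertest1"), which is the form Name Mappings writes.
    # Simplification: RDN values that themselves contain ", " are not handled here.
    param([string]$Dn)
    $parts = $Dn -split ', '
    [array]::Reverse($parts)
    return ($parts -join ',')
}

function Get-CertificateNameMapping {
    # Build the "X509:<I>issuer<S>subject" string for a .cer file.
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $issuer  = ConvertTo-LdapOrderDn $cert.Issuer
    $subject = ConvertTo-LdapOrderDn $cert.Subject
    return "X509:<I>$issuer<S>$subject"
}

function Add-UserCertificateMapping {
    param([string]$SamAccountName, [string]$CerPath)
    $mapping = Get-CertificateNameMapping -CerPath $CerPath
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    if ($user.altSecurityIdentities -contains $mapping) {
        Write-Host "Mapping already present on $SamAccountName"
    } else {
        # -Add appends to the multi-valued attribute; existing mappings are kept.
        Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
        Write-Host "Added mapping to $SamAccountName"
    }
    # Read back and show every mapping the user now has (this is also the check to
    # run when a cert was wrongly put on the Published Certificates tab instead).
    (Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
}

# Usage (account name and path are placeholders):
Add-UserCertificateMapping -SamAccountName 'usertest1' -CerPath 'C:\temp\usercert.cer'
```

The issuer DN in the mapping must match the CA certificate exactly, so if the standalone CA is ever re-keyed with a different subject, every mapping created this way has to be re-created; reading the attribute back after each change makes that easy to audit.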

Now, when you connect to the URL again, you get HTTP Error 505.0 – HTTP Version Not Supported,

which means the EAS connection (and the certificate authentication) is successful. Go ahead and try with your phone; it should work.

More Information:

A common mistake is to add the certificate to the Published Certificates tab of the user. IIS certificate mapping does not use this tab.

Most technical documents and blogs about Exchange EAS certificate authentication use an Active Directory integrated certificate authority. An Active Directory integrated CA publishes the certificate to AD automatically. But you may have a standalone CA in your enterprise, or you may prefer to buy client certificates from a public CA. This post may help in those cases.

If you enable account logon/logoff auditing in the Default Domain Controllers Policy (that helped me a lot), you will see the following event in the domain controllers' Security event log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          26.11.2012 14:03:32
Event ID:      4768
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:
Description:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
  Account Name:        X509N:<S>CN=usertest1
  Supplied Realm Name:
  User ID:             NULL SID

Service Information:
  Service Name:        krbtgt/
  Service ID:          NULL SID

Network Information:
  Client Address:      ::1
  Client Port:         0

Additional Information:
  Ticket Options:          0x40810010
  Result Code:             0x6
  Ticket Encryption Type:  0xffffffff
  Pre-Authentication Type: –

Certificate Information:
  Certificate Issuer Name:
  Certificate Serial Number:
  Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4768</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-11-26T12:03:32.102084800Z" />
    <EventRecordID>3326619</EventRecordID>
    <Channel>Security</Channel>
    <Computer></Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">X509N:&lt;S&gt;CN=usertest1</Data>
    <Data Name="TargetDomainName"></Data>
    <Data Name="TargetSid">S-1-0-0</Data>
    <Data Name="ServiceName">krbtgt/</Data>
    <Data Name="ServiceSid">S-1-0-0</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x6</Data>
    <Data Name="TicketEncryptionType">0xffffffff</Data>
    <Data Name="PreAuthType">-</Data>
    <Data Name="IpAddress">::1</Data>
    <Data Name="IpPort">0</Data>
    <Data Name="CertIssuerName"></Data>
    <Data Name="CertSerialNumber"></Data>
    <Data Name="CertThumbprint"></Data>
  </EventData>
</Event>

Result Code 0x6 means KDC_ERR_C_PRINCIPAL_UNKNOWN: the client was not found in the Kerberos database, i.e. the domain controller cannot find the account name in Active Directory. (See:

The obvious reason is that IIS cannot find/map the user from the supplied certificate in AD, so the DC returns "user not found".
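Rather than scrolling through the Security log by hand, the failures can be pulled out by script. The following PowerShell function is an added example (not from the original post) that queries event 4768 on a domain controller, reads the named fields from the event XML, and reports only the requests where the account name is a certificate name (X509N:... or X509:...) and the result code is a failure; result code 0x6 is reported with the meaning given above. The computer name and the look-back window are assumptions.

```powershell
# Added example (not from the original post): list failed certificate-based
# TGT requests (event 4768, result code 0x6) on a domain controller, which is
# the symptom of a client certificate that is not mapped to any AD account.
# Assumptions: run on the DC (or with -ComputerName against it) with rights to
# read the Security log, and account logon auditing is enabled as described above.

function Get-CertLogonFailure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$LookBackHours = 24
    )
    # The failure events carry Keywords 0x8010000000000000 (Audit Failure) as in
    # the event above; filtering on the Status field below is equivalent and
    # keeps the query simple.
    $filter = @{
        LogName   = 'Security'
        Id        = 4768
        StartTime = (Get-Date).AddHours(-$LookBackHours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named <Data> fields from the event XML instead of parsing the message text.
        $xml = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Keep certificate principals (X509N:<S>... / X509:<I>...<S>...) whose request failed.
        if ($data['TargetUserName'] -like 'X509*' -and $data['Status'] -ne '0x0') {
            $meaning = if ($data['Status'] -eq '0x6') {
                'KDC_ERR_C_PRINCIPAL_UNKNOWN: certificate is not mapped to an AD account'
            } else {
                'see the result codes in RFC 4120'
            }
            New-Object PSObject -Property @{
                Time        = $e.TimeCreated
                Certificate = $data['TargetUserName']
                ClientIP    = $data['IpAddress']
                Status      = $data['Status']
                Meaning     = $meaning
            }
        }
    }
}

# Usage: Get-CertLogonFailure -LookBackHours 48 | Format-Table -AutoSize
```

The Certificate column shows the subject the DC tried to resolve, which is exactly the value the altSecurityIdentities mapping on the user has to match; comparing the two side by side is usually enough to spot a mapping created from the wrong certificate.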
