Edward Cho
Exchange Certificate Based Authentication for iOS
Hello Everyone --
We are currently deploying certificates (CBA) for our environment and ran into an issue with iOS devices. For Android devices, we have exported the certificate (with private key) and installed it on the device for authentication. Within the client, you can specify the certificate you want to use.
Now we are trying to deploy it on iOS devices. We e-mailed the certificate to the iOS (10.3.2) device and installed it. It shows up as a certificate under Profiles. However, when we blank out the password under the mail account, it doesn't seem to be picking up the certificate in the native email client. We tried reinstalling the certificate as well as recreating the account from scratch.
Any ideas?
Thanks.
ASKER
This is related to authenticating via certificates instead of using ActiveSync usernames and passwords via a CA.
Our SSL certificate (attached to IIS) is secured via GoDaddy and we do not experience "Cannot verify server identity" issues.
Which error do you have?
Do you use the App mail or Outlook?
ASKER
We use the native iOS mail app for the iOS issued devices.
The message we get is: "The connection to the server failed."
When looking at the IIS logs for the CBA Exchange server, I see the following (443 error):
2017-06-01 17:27:38 172.30.255.6 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=slane%40*************.org&DeviceId=androidc1916048637&DeviceType=Android&CorrelationID=<empty>;&cafeReqId=574e71fb-7bd2-4b05-88ac-669b3c0fd128; 443 *********\slane 206.252.202.218 Android-Mail/7.5.7.156101332.release - 200 0 0 54
2017-06-01 17:30:20 172.30.255.6 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 206.252.202.218 Apple-iPod7C1/1406.89 - 403 7 5 70
2017-06-01 17:31:58 172.30.255.6 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 206.252.202.218 Apple-iPod7C1/1406.89 - 403 7 5 148
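The IIS lines above carry the diagnostic in their status/sub-status columns: the Android request is a 200 with a mapped username, while the iPod requests are 403 with sub-status 7, which IIS documents as "client certificate required". As an added example (not from the thread), this small parser for the default W3C field order tallies each user-agent family by client-certificate outcome over constructed lines modelled on the ones posted; the hostnames and IPs are placeholders.

```python
"""Classify IIS W3C log lines from an ActiveSync CBA site by client-certificate outcome."""
from collections import Counter

# IIS 403.x sub-status values that describe client-certificate failures (documented IIS codes).
CLIENT_CERT_SUBSTATUS = {
    7: "client certificate required (none presented)",
    12: "mapper denied access",
    13: "client certificate revoked",
    16: "client certificate untrusted or invalid",
    17: "client certificate expired or not yet valid",
}

# Default W3C field order on an Exchange IIS site: the query string carries no spaces,
# so a plain split() yields exactly one token per field.
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port", "username",
          "c_ip", "user_agent", "referer", "status", "substatus", "win32_status", "time_taken"]

# Constructed sample lines modelled on the thread's log excerpt (placeholder domain and client IP).
SAMPLE_LINES = [
    "2017-06-01 17:27:38 172.30.255.6 POST /Microsoft-Server-ActiveSync/default.eas "
    "Cmd=Sync&User=slane%40example.org&DeviceId=androidc1916048637&DeviceType=Android "
    "443 EXAMPLE\\slane 203.0.113.10 Android-Mail/7.5.7.156101332.release - 200 0 0 54",
    "2017-06-01 17:30:20 172.30.255.6 OPTIONS /Microsoft-Server-ActiveSync/default.eas - "
    "443 - 203.0.113.10 Apple-iPod7C1/1406.89 - 403 7 5 70",
    "2017-06-01 17:31:58 172.30.255.6 OPTIONS /Microsoft-Server-ActiveSync/default.eas - "
    "443 - 203.0.113.10 Apple-iPod7C1/1406.89 - 403 7 5 148",
]

def parse_line(line):
    """Return a dict of W3C fields, or None for comment/malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"], rec["substatus"] = int(rec["status"]), int(rec["substatus"])
    return rec

def classify(rec):
    """Map one request to a CBA outcome; a 200 with a mapped username means the cert authenticated."""
    if rec["status"] == 403 and rec["substatus"] in CLIENT_CERT_SUBSTATUS:
        return CLIENT_CERT_SUBSTATUS[rec["substatus"]]
    if rec["status"] == 200 and rec["username"] != "-":
        return "authenticated"
    return "other"

def summarize(lines):
    """Count (user-agent family, outcome) pairs for ActiveSync requests only."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["uri_stem"].startswith("/Microsoft-Server-ActiveSync"):
            counts[(rec["user_agent"].split("/")[0], classify(rec))] += 1
    return counts
```

Running `summarize(SAMPLE_LINES)` separates devices that never presented a certificate (403.7) from ones whose certificate was rejected (403.13/16/17), which is the first thing to check before touching the account configuration.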
Hi Edward,
Do you have configured ActiveSync virtual directory?
ASKER
Yes we do -- we have an Exchange 2016 CU5 server with ActiveSync (w/ Certificate Based Authentication enabled). It is working well with Samsung Galaxy S7/8 and Google Pixel phones. It is not working with any iOS devices.
Have you created a new web site and virtual directory for the CBA clients, then issued certs for the users, installed them on the devices, and set up the user profiles to use the cert for auth?
The CBA site will need its own IP and NAT through your firewall, and its own URL and SSL cert. Require client certs in IIS.
Source: https://www.reddit.com/r/exchangeserver/comments/5aryjo/question_can_outlook_for_ios_and_android_do_cba/
For Azure Active Directory, CBA will work if iOS is 9 or above and you have configured a federation server and you use Microsoft Authenticator.
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentication-ios
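On iOS the "user profile" step above is normally done with a configuration profile: the native Mail client only uses an identity certificate for an Exchange ActiveSync account when the EAS payload names the PKCS#12 payload through `PayloadCertificateUUID` (Apple's documented profile keys). As an added example, not from the thread or any project, this builds such a `.mobileconfig` with Python's standard `plistlib`; the organisation, host and the PKCS#12 bytes are placeholders (a real file must contain the user's private key).

```python
"""Generate an iOS configuration profile binding a client certificate to a native Mail EAS account."""
import plistlib
import uuid

def build_cba_profile(email, host, username, pkcs12_bytes, pkcs12_password, org="example.org"):
    """Return .mobileconfig bytes: a PKCS#12 payload plus an EAS payload that references it."""
    cert_uuid = str(uuid.uuid4()).upper()
    cert_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.cba.identity",   # assumed naming scheme
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "ActiveSync client certificate",
        "PayloadContent": pkcs12_bytes,                # PKCS#12 blob with cert + private key
        "Password": pkcs12_password,                   # lets iOS import it without prompting
    }
    eas_payload = {
        "PayloadType": "com.apple.eas.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.cba.eas",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Exchange (CBA)",
        "EmailAddress": email,
        "Host": host,                                  # the dedicated CBA site's URL
        "SSL": True,
        "UserName": username,
        "PayloadCertificateUUID": cert_uuid,           # the binding Mail needs; no Password key
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.cba",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Exchange certificate-based authentication",
        "PayloadContent": [cert_payload, eas_payload],
    }
    return plistlib.dumps(profile)

def cert_binding(profile_bytes):
    """Parse a profile back and return (PKCS#12 PayloadUUID, EAS PayloadCertificateUUID)."""
    payloads = {p["PayloadType"]: p for p in plistlib.loads(profile_bytes)["PayloadContent"]}
    return (payloads["com.apple.security.pkcs12"]["PayloadUUID"],
            payloads["com.apple.eas.account"]["PayloadCertificateUUID"])

if __name__ == "__main__":
    # Constructed placeholder blob; replace with the user's real PKCS#12 export.
    data = build_cba_profile("slane@example.org", "cba.example.org", "EXAMPLE\\slane",
                             b"PLACEHOLDER-PKCS12", "changeit")
    print(cert_binding(data))
```

Sign the resulting profile (or push it through MDM) before distribution so the device can verify who issued it; `cert_binding` is a quick check that the two UUIDs match, which is the detail a hand-edited profile most often gets wrong.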
ASKER
Found my own solution after trial and error.
The latest iOS versions only work with an external CA; you need to buy a certificate that all the devices will trust.
The error that you have in iOS, something like "Cannot verify server identity", gives you only the options Cancel or Details?
Regards
Valentina