Certificate-based Authentication is ideal for ActiveSync devices because, if like most organizations, your users have to change passwords regularly, this can cause confusion and even account lockouts each time users change their password. If you provision devices centrally, using certificates rather than password can allow administrators to make sure ActiveSync devices will work without user intervention once they are out in the field. Finally, using certificate-based authentication helps ensure that end-users don’t connect personal devices to your organization – although features like ActiveSync device policies and quarantine features can help with this too.
Of course it’s not all simplicity when it comes to certificate-based authentication – the provisioning process is more complicated as the certificate needs to be on the device and configured correctly; a well-setup Exchange organization using password-based authentication benefits from AutoDiscover to allow end-users to easily setup their own devices by just using their email address and account username and password.
In part one of this article we’ll look at what’s involved in configuring Exchange to allow certificate-based authentication for ActiveSync devices including:
- A quick overview of the certificate authority we’ll be using for this multi-part article.
- How to allow administrators to request certificates on behalf of end-users to simplify provisioning.
- Configuring the underlying IIS features on each Exchange 2010 Client Access Server.
- Creating a second IIS site to optionally allow certificate-based authentication to be in use within your Exchange organization at the same time as password-based authentication.
- And, finally – enabling certificate-based authentication for ActiveSync.
In the second part of this series, we’ll then look at how to deploy certificate-based authentication for two different mobile device types; iOS devices like the iPhone, iPad and iPod touch and Android devices using Nitrodesk’s TouchDown ActiveSync client.