Configure Exchange 2013 Mobile login using certificate validation (certificate-based authentication)

Source: Internet
Author: User
Tags configuration settings

By default, an Exchange 2013 server authenticates mobile device connections with Basic authentication over SSL.


Requirements Description:

The requirement here is that mobile connections to Exchange 2013 authenticate with a certificate. If the mobile client does not have a user certificate, it is not allowed to log in to the mailbox.

Advantage:

With certificate validation, the mobile client authenticates to the server with a user certificate. When the user's password is changed or reset, the mobile user's mail service is not affected, and the device does not prompt for the password again after the change.

Precautions:

1. The subject name of the user certificate used by the mobile client must be the User Principal Name (UPN) of that user.

2. The mobile client must trust the root certificate of the root authority that issued the Exchange server's certificate.

Configuration process (for details, see https://blogs.technet.microsoft.com/exchange/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync/):

The configuration process is described below.

1. Install "IIS client certificate mapping Authentication" on the Exchange CAS server.


2. Enable client certificate mapping authentication (clientCertificateMappingAuthentication) at the IIS server level.


3. Enable client certificate mapping authentication (clientCertificateMappingAuthentication) on the Microsoft-Server-ActiveSync virtual directory.


4. Configure the Microsoft-Server-ActiveSync virtual directory so that its client certificate setting is "Require" (the client must present a certificate).


5. Restart IIS with the command iisreset. It is also a good idea to restart the IIS Admin Service.


6. Next, configure the phone. (Before this, you need to set up a certificate server, publish the user certificate template, and so on.)

Open the internal CA server address on the phone and select "Request a certificate".


Select "User Certificate"


Use the default User certificate template and select Submit directly. (You can also customize the user certificate template.)


Select "Install Certificate"


Enter an easy-to-remember name and install the certificate.


After the user certificate request on the mobile client is complete, the next step is to configure the mail account on the phone. The method is the same as the usual setup of an Exchange mailbox on a phone, so it is not covered in detail here. Note that you need to select the client certificate (that is, the user certificate installed above) and select Allow.


Configuration settings. Select Finish to start configuring the mailbox.


The mailbox configuration was successful.


In the log on the server, the phone's connection appears as SSL/PCT, which indicates that the connection is using certificate validation.
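The server-side steps 1 to 5, scripted with the WebAdministration module, followed by a read-back check of the resulting settings. This is an added example, not part of the original article or the referenced Microsoft post. It assumes the virtual directory lives under "Default Web Site" and that the role service in step 1 corresponds to the Windows feature Web-Client-Auth; run it in an elevated PowerShell session on the CAS server.

```powershell
# Added example: steps 1-5 as a script, then an audit of what was set.
Import-Module ServerManager, WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'
$vdir    = 'Default Web Site/Microsoft-Server-ActiveSync'   # assumption: default site name
$adMap   = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
$access  = 'system.webServer/security/access'

# Step 1: install the role service (assumption: Web-Client-Auth is the feature
# that provides the clientCertificateMappingAuthentication section).
Install-WindowsFeature -Name Web-Client-Auth | Out-Null

# Step 2: enable client certificate mapping authentication at the server level.
Set-WebConfigurationProperty -PSPath $apphost -Filter $adMap -Name enabled -Value $true

# Step 3: enable it on the ActiveSync virtual directory.
Set-WebConfigurationProperty -PSPath $apphost -Location $vdir -Filter $adMap `
    -Name enabled -Value $true

# Step 4: require SSL and a client certificate on the virtual directory.
Set-WebConfigurationProperty -PSPath $apphost -Location $vdir -Filter $access `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Step 5: restart IIS so the changes take effect.
iisreset

# Audit: read the settings back and flag anything that does not match the steps.
function Test-EasCertAuth {
    $server = (Get-WebConfiguration -PSPath $apphost -Filter $adMap).enabled
    $dir    = (Get-WebConfiguration -PSPath $apphost -Location $vdir -Filter $adMap).enabled
    $flags  = "$((Get-WebConfiguration -PSPath $apphost -Location $vdir -Filter $access).sslFlags)"
    $set    = $flags -split ',' | ForEach-Object { $_.Trim() }
    [pscustomobject]@{
        FeatureInstalled   = (Get-WindowsFeature -Name Web-Client-Auth).Installed
        ServerMappingOn    = [bool]$server
        VdirMappingOn      = [bool]$dir
        ClientCertRequired = ($set -contains 'SslRequireCert')
        SslFlags           = $flags
    }
}

$result = Test-EasCertAuth
$result | Format-List
if (-not ($result.FeatureInstalled -and $result.ServerMappingOn -and
          $result.VdirMappingOn -and $result.ClientCertRequired)) {
    Write-Warning 'Certificate-based authentication for ActiveSync is not fully configured.'
}
```

If `ClientCertRequired` is false while both mapping settings are on, the virtual directory still accepts connections that present no certificate, so the requirement stated at the top of the article is not enforced.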

