By default, the Client Access server of Exchange 2013 accepts mobile device (Exchange ActiveSync) connections with Basic authentication over SSL: the phone sends the user's password on every request, and possession of the password is all that is needed to read the mailbox.
Requirement:
A requirement came up today: mobile connections to Exchange 2013 must authenticate with a certificate. If the mobile client does not have a user certificate, it must not be able to log in to the mailbox at all.
Advantage:
With certificate-based authentication, a user certificate authenticates the mobile client to the server instead of the password. When the user's password is changed or reset, the mobile mail service is unaffected and the phone does not prompt for the new password.
Notes:
1. The user certificate used by the mobile client must identify that person by their user principal name (UPN). The default Active Directory "User" template places the UPN in the certificate's Subject Alternative Name, which is what the Active Directory certificate mapping uses to find the account.
2. The mobile client must trust the root CA that issued the Exchange server's certificate. Conversely, the Exchange server must trust the CA that issues the user certificates; with an enterprise CA in the same forest a domain-joined server trusts it automatically.
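Before handing a certificate to a phone it is worth checking it against the two notes above. The following script is an added example, not code from the original post; it assumes the public part of the issued certificate has been exported to C:\temp\user.cer (for example from the CA's Issued Certificates list) and that the expected UPN is the user's Active Directory userPrincipalName. Both values are assumptions and are passed as parameters.

```powershell
# Added example, not from the original post: check a user certificate against
# the two requirements above (UPN in the SAN, trusted issuer) before it is used.
# Assumed inputs: the certificate exported to C:\temp\user.cer and the user's UPN.
param(
    [string]$CerPath     = 'C:\temp\user.cer',    # assumed path
    [string]$ExpectedUpn = 'user1@contoso.com'    # assumed UPN
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# 1. The Active Directory mapping identifies the user by the UPN carried in the
#    Subject Alternative Name extension (OID 2.5.29.17) as "Principal Name=...".
#    Format() renders the extension as text; the label is locale dependent.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
$upn = [regex]::Match($sanText, 'Principal Name=([^\s,]+)').Groups[1].Value
$upnOk = ($upn -ne '') -and ($upn -ieq $ExpectedUpn)

# The certificate must also be usable for client authentication
# (EKU 1.3.6.1.5.5.7.3.2), which the default User template grants.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$clientAuthOk = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }))

# 2. Trust: build the chain on this machine. Run on the CAS server, this shows
#    whether the server trusts the CA that issued the user certificate.
#    Revocation checking is skipped so the check also works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$root = if ($chainOk) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject } else { '' }

[pscustomobject]@{
    Subject       = $cert.Subject
    SanUpn        = $upn
    UpnMatches    = $upnOk
    ClientAuthEku = $clientAuthOk
    ChainTrusted  = $chainOk
    RootCA        = $root
    ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}
```

Save it as a .ps1 file and run it with -CerPath and -ExpectedUpn; a certificate that reports UpnMatches, ClientAuthEku and ChainTrusted all True satisfies both notes. If UpnMatches is False, the certificate was issued from a template that does not include the UPN, or to a different account, and the server will not be able to map it to the mailbox owner.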
Configuration process (for reference, Microsoft's own guide: https://blogs.technet.microsoft.com/exchange/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync/ ). The steps are described below.
1. Install the "Client Certificate Mapping Authentication" role service (under Web Server > Security in Server Manager) on the Exchange CAS server. This is the Active Directory mapping that the clientCertificateMappingAuthentication setting enabled in the next steps depends on; the similarly named "IIS Client Certificate Mapping Authentication" is a different, IIS-local mapping.
2. Enable clientCertificateMappingAuthentication (shown in IIS Manager as "Active Directory Client Certificate Authentication") at the IIS server level.
3. Enable clientCertificateMappingAuthentication on the Microsoft-Server-ActiveSync virtual directory.
4. In the SSL Settings of the Microsoft-Server-ActiveSync virtual directory, set Client certificates to "Require". This is the setting that actually refuses a phone without a certificate; the mapping enabled in steps 2 and 3 only translates a presented certificate into a user account.
5. Restart IIS with the iisreset command; it is best to restart the IIS Admin Service as well.
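The five server-side steps above can also be run from an elevated PowerShell prompt on the CAS server. The script below is an added example, not code from the original post or from Microsoft's guide; it assumes the ActiveSync virtual directory lives under "Default Web Site", which is where Exchange 2013 creates it, and that the server runs Windows Server 2012 (on 2008 R2 use Add-WindowsFeature instead of Install-WindowsFeature).

```powershell
# Added example, not from the original post: steps 1 to 5 above as one script,
# run from an elevated PowerShell prompt on the Exchange 2013 CAS server.
# Assumption: the ActiveSync virtual directory is under "Default Web Site".
Import-Module ServerManager
Import-Module WebAdministration

$appHost   = 'MACHINE/WEBROOT/APPHOST'                       # applicationHost.config
$easVdir   = 'Default Web Site/Microsoft-Server-ActiveSync'  # assumed location
$adMapping = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
$access    = 'system.webServer/security/access'

# Step 1: install the Active Directory client certificate mapping module.
# In Server Manager this is "Client Certificate Mapping Authentication"
# (Web-Client-Auth). "IIS Client Certificate Mapping Authentication"
# (Web-Cert-Auth) is a different, IIS-local mapping that these steps do not use.
Install-WindowsFeature Web-Client-Auth

# Step 2: enable the mapping at the server level.
Set-WebConfigurationProperty -PSPath $appHost -Filter $adMapping -Name enabled -Value $true

# Step 3: enable it on the ActiveSync virtual directory.
Set-WebConfigurationProperty -PSPath $appHost -Location $easVdir -Filter $adMapping -Name enabled -Value $true

# Step 4: require SSL and require (not merely accept) a client certificate there.
# This is the setting that locks out a phone without a certificate;
# steps 2 and 3 only map a certificate to a user when one is presented.
Set-WebConfigurationProperty -PSPath $appHost -Location $easVdir -Filter $access -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Step 5: restart IIS so the module and the new settings take effect.
iisreset

# Verification: expected output is True, then Ssl,SslNegotiateCert,SslRequireCert.
(Get-WebConfigurationProperty -PSPath $appHost -Location $easVdir -Filter $adMapping -Name enabled).Value
(Get-WebConfigurationProperty -PSPath $appHost -Location $easVdir -Filter $access -Name sslFlags).Value
```

Step 4 has an Exchange Management Shell equivalent, Set-ActiveSyncVirtualDirectory with -ClientCertAuth Required on the "Microsoft-Server-ActiveSync (Default Web Site)" directory of the server, which writes the same IIS setting. Whichever way it is set, run the two verification lines after iisreset: if sslFlags still lacks SslRequireCert, a phone without a certificate will still be able to log in with its password.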
6. Next, configure the phone. (Before this step you need a certificate server with a user certificate template published, and so on.)
On the phone, open the web enrollment page of the internal CA server and select "Request a certificate".
Select "User Certificate"
Use the default User certificate template and select Submit directly. (You can also create a custom user certificate template.)
Select "Install this certificate".
Enter an easily remembered name and install the certificate.
After the user certificate has been installed on the phone, the next step is to configure the mail client. The procedure is the same as the usual setup of an Exchange mailbox on a phone, so it is not described in detail here. The one difference is that you must select the client certificate (the user certificate installed above) and choose Allow.
Configure the account settings and select Finish to start setting up the mailbox.
The mailbox is configured successfully.
In the log on the server, the phone's connection is shown as ssl/pct, indicating that the connection was authenticated with the certificate.
Configure Exchange 2013 mobile login with certificate validation (certificate-based authentication)