We are trying out Exchange 2013 CU1 (coexistence with Exchange 2010) and have everything working except our ActiveSync services. We decided with 2013 to deploy certificate-based authentication -- unfortunately there doesn't seem to be documentation and/or step-by-step instructions on configuring it for 2013. I tried to give the 2010 instructions a go but I can't seem to successfully configure it.
A few points -
* Our Enterprise AD CA is on our DC (Windows 2008 R2)
* On our Exchange 2013 - we configured clientCertificateMappingAuthentication to be True
* On our Exchange 2013 - we configured SSL Settings to Require SSL and Require Client Certificate
* Before looking into this, we never got proxy to work for ActiveSync
* We have migrated myself onto the Exchange 2013 box as well as a newly created test user on the 2013 box.
Troubleshooting Steps Taken -
* Reinstalled the CA.
* Removed Microsoft-Server-ActiveSync and reinstalled it from PowerShell.
* Tried to test the cert on the computer by installing the cert on the computer and accessing https://exchange2013server/microsoft-server-activesync. We get either a 403 error or a 403.7. We even tried accessing from the DC.
* Checked inheritance of the AD user.
* Installed the certificate (with key) in the Name Mapping area of the AD User.
* Tried setting and removing the external URL.
* Checked provisioning of devices to all -- no quarantine settings.
* Looked in the Event Log on the Exchange 2013 server (security) and see the following:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0xde0
Caller Process Name: D:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe
Network Information:
Workstation Name: RMDHSRV1
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: C
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
======== OR ========
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: HealthMailbox91d8e5f06f40494fadf94019e41bf070@rmh-newyork.org
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: EXCHANGE2013SERVER
Source Network Address: 127.0.0.1
Source Port: 26665
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Any pointers would be much appreciated! Thanks a bunch in advance!
EDIT: This is the article I used as a guide http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/configuring-certificate-based-authentication-exchange-2010-activesync-part1.html