Good day,
We have:
* Existing Exchange 2007 SP3 with the latest Rollup on Server 2008 (with user certs for ActiveSync, external and internal)
* Freshly installed Exchange 2013 CU10 on Server 2012 R2 (only a test user on that side)
* Enterprise CA on Server 2008
Problem:
A 2013 test user is able to do an ActiveSync test with the EAS MD tool from Mobilitydojo.net (no cert).
The same test user is unable to authenticate with a user cert file and "User based Certificate Authentication on IIS 8.5" for ActiveSync.
* Exchange 2013 cleanly and fully uninstalled (no ADSI entries left in any form for that server). A clean uninstall was possible. All arbitration and health/search mailboxes moved.
* Exchange 2013 cleanly and fully reinstalled
* Rebuilt the ActiveSync virtual directory
WORSE: I got it running in the LAB. The same setup in a VM lab, but with NO 2007 in place and a freshly installed CA, seems to work.
MAY BE THE SOURCE, BUT I AM UNABLE TO SOLVE IT: if we import the user's cert PFX into the Computer\Personal store of the Exchange 2013 server and run the test tool directly there, IT WORKS.
If I take the personal cert out of the store, clean up with (certutil -urlcache crl delete, certutil -urlcache ocsp delete) and test again, it does not work. So in that case he is not able to authenticate to the CA. But if he has it locally, it works.
And in the Exchange ActiveSync MD test tool from Mobilitydojo.net we have the cert set correctly with filename and password: H:\migration\exchange_2007_2013\eas\2007_personal.pfx
--------------------------------------------- ERROR we see there if it does not work -----
testing HTTP GET:
Response: The remote server returned an error: (403) Forbidden.
Explanation:
The server requires SSL and will not let you connect over HTTP.
(For instance trying to connect over HTTP while IIS requires SSL.)
Status: Further action required
--------------------------------------------- ERROR we see there if it does not work -----
All root / intermediate certs are, to my knowledge, OK (PKI is sometimes my only weakness ;-)), BUT the fact that it works after a manual import worries me. For me that means something between the Exchange 2013 / 2012 R2 server and the SRV 2008 CA is not OK.
We use a SAN cert with 4 names but TWO domains: webmail.test01.com, autodiscover.test01.com and webmail.test02.com (old). Made a self-signed cert for debugging, but that was the source.
* IIS settings are completely identical and we verified them (real server and lab, which we built twice)
* Cert authentication IIS feature installed
* The metabase ENABLE for authentication certs is set to TRUE
Please help if you can. ;-) Any help welcome.
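Added example (not part of the original post, and not the Mobilitydojo.net tool's code): a PowerShell diagnostic to run in the Exchange Management Shell on the Exchange 2013 server. It checks the three things the post touches on, namely whether the server can build and revocation-check the user's certificate chain on its own (without the PFX sitting in the local store), what EKU/SAN the cert carries, and what IIS and Exchange actually have configured on the ActiveSync virtual directory. The PFX path is the one from the post; the PFX password, the temp .cer path and the "Default Web Site/Microsoft-Server-ActiveSync" location are assumptions.

```powershell
# Added diagnostic, not from the original post. Run in the Exchange Management
# Shell (elevated) on the Exchange 2013 / Server 2012 R2 box.
$PfxPath = 'H:\migration\exchange_2007_2013\eas\2007_personal.pfx'   # path from the post
$PfxPass = 'CHANGE-ME'                                               # assumption
$CerPath = "$env:TEMP\2007_personal.cer"                             # assumption
$Site    = 'Default Web Site'                                         # assumption
$VDir    = 'Microsoft-Server-ActiveSync'                              # assumption

# Load the PFX in memory only (nothing is added to any store) and write out the
# public part so certutil can chain-check it the way IIS would see it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($PfxPath, $PfxPass)
[System.IO.File]::WriteAllBytes($CerPath, $cert.Export('Cert'))
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# 1. Flush the cached CRL/OCSP responses (same commands as in the post) and force
#    a live AIA/CDP/OCSP fetch. If this fails, the 2013 server cannot reach or
#    trust the 2008 CA's revocation/issuer URLs, which matches "works only when
#    the cert is already in the local store".
certutil -urlcache crl delete  | Out-Null
certutil -urlcache ocsp delete | Out-Null
certutil -verify -urlfetch $CerPath

# 2. The same chain build through .NET, with online revocation checking, so the
#    individual status flags are visible in the shell.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'Online'
$chain.ChainPolicy.RevocationFlag    = 'EntireChain'
$chain.ChainPolicy.VerificationFlags = 'NoFlag'
$built = $chain.Build($cert)
"Chain builds with online revocation check: $built"
foreach ($s in $chain.ChainStatus) { "  status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim() }
foreach ($e in $chain.ChainElements) { "  element: {0}" -f $e.Certificate.Subject }

# 3. What the cert carries: IIS/Exchange client-cert mapping needs the Client
#    Authentication EKU and a UPN in the SAN that resolves to the mailbox user.
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.FriendlyName -in 'Enhanced Key Usage', 'Subject Alternative Name') {
        "--- $($ext.Oid.FriendlyName) ---"
        $ext.Format($true)
    }
}

# 4. IIS view of the EAS vdir: SSL flags (expect Ssl + SslNegotiateCert or
#    SslRequireCert) and whether client-certificate mapping auth is enabled.
Import-Module WebAdministration
$loc = "$Site/$VDir"
"sslFlags on $loc : " + (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
        -Filter 'system.webServer/security/access' -Name sslFlags)
"clientCertificateMappingAuthentication enabled: " + (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $loc -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' -Name enabled).Value

# 5. Exchange's own view of the same vdir (ClientCertAuth is Ignore/Accepted/Required).
Get-ActiveSyncVirtualDirectory -Server $env:COMPUTERNAME |
    Format-List Name, ClientCertAuth, InternalUrl, ExternalUrl

Remove-Item $CerPath -ErrorAction SilentlyContinue
```

Read step 1 and step 2 together: if `certutil -verify -urlfetch` reports a failure to retrieve the CRL or the issuer cert from the URLs embedded in the user cert, or the .NET chain status shows RevocationStatusUnknown / OfflineRevocation, the 2013 server cannot validate a cert it does not already hold, which is consistent with the symptom in the post. Step 4 and step 5 show whether the vdir is configured to negotiate or require a client cert at all; a 403 from IIS is also what you get when sslFlags is plain Ssl and no client certificate is ever requested.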