Exchange 2013 – ActiveSync user certificate authentication

I am stil in the process of putting up a new environment at work. Every few days we continue testing various functions. Today we tried to resync the test-droid with exchange (i changed all ip addresses and went on vacation but didn’t fix the test-wlan settings so the device was not usable at all) but there goes nothing.

I rechecked all settings on exchange and iis, reenabled, disabled, removed and readded every step from the various tutorials from the web. Nada. Nothing. Neither Chrome nor IE nor Android nor the MobilityDojo-Tester were able to use client certificates for IIS web page authentication.

I rechecked the trust chains and CertificateAuthority – Everything was OK. Then i tried to get more information out of the IIS log. It told me either:

2013-08-20 12:24:03 x.x.x.x OPTIONS /Microsoft-Server-ActiveSync/default.eas – 443 – x.x.x.x – – 403 7 5 15


2013-08-20 12:26:58 x.x.x.x OPTIONS /Microsoft-Server-ActiveSync/default.eas – 443 – x.x.x.x – – 403 16 2148204809 15

Et voilá, GIYF:

As it turned out prior to my vacation i reimported some GPOs from our production environment. For some reason back when the CA was implemented i imported the Intermediate-Certificates to the Root-Store.

I removed the offending Intermediate-Certs and rebooted the exchange server (just to be sure ;)) and everything went back to work.

So thanks MS. By not fixing SChannel.dll, you made this bug possible!


PS: Because Microsofts Connectivity Analzyer is pretty anal about the SSL certificate having the correct hostname (for some reason it does not check the SAN) i highly recommend EAS – MD from, it also allows testing ActiveSync with a user certificate.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s