I am still in the process of putting up a new environment at work. Every few days we continue testing various functions. Today we tried to resync the test-droid with Exchange (I changed all IP addresses and went on vacation but didn't fix the test-WLAN settings, so the device was not usable at all), but nothing happened.
I rechecked all settings on Exchange and IIS, re-enabled, disabled, removed and re-added every step from the various tutorials from the web. Nada. Nothing. Neither Chrome nor IE nor Android nor the MobilityDojo tester were able to use client certificates for IIS web page authentication.
I rechecked the trust chains and the Certificate Authority; everything was OK. Then I tried to get more information out of the IIS log. It gave me either:
2013-08-20 12:24:03 x.x.x.x OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - x.x.x.x - - 403 7 5 15
2013-08-20 12:26:58 x.x.x.x OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - x.x.x.x - - 403 16 2148204809 15
Et voilà, GIYF: http://support.microsoft.com/kb/2802568
As it turned out, prior to my vacation I re-imported some GPOs from our production environment. For some reason, back when the CA was implemented, I had imported the intermediate certificates into the Root store.
I removed the offending intermediate certs and rebooted the Exchange server (just to be sure ;)) and everything went back to working.
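As an added illustration (not part of the original post): a PowerShell snippet that decodes the status triple from IIS log lines like the two above and lists any non-self-signed certificates sitting in the machine's Trusted Root store, which is the misplaced-intermediate condition fixed here. It assumes the default W3C field order in the log.

```powershell
# Added example, not from the original post: decode the IIS status triple from W3C log
# lines and list non-self-signed certificates in the machine's Trusted Root store
# (the misplaced intermediates the post removes).

# Meanings of the 403 sub-status and sc-win32-status values seen in the log lines above.
$SubStatusText = @{
    '7'  = 'Client certificate required'
    '16' = 'Client certificate is untrusted or invalid'
}
$Win32Text = @{
    '5'          = 'ERROR_ACCESS_DENIED'
    '2148204809' = 'CERT_E_UNTRUSTEDROOT (0x800B0109): chain ends in a root this server does not trust'
}

function ConvertFrom-IisStatus {
    # Assumes the default W3C field order, whose last four fields are
    # sc-status sc-substatus sc-win32-status time-taken.
    param([Parameter(Mandatory)][string]$Line)
    $f = $Line -split '\s+'
    $sub = $f[-3]; $win32 = $f[-2]
    $meaning = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { 'unknown sub-status' }
    $win32Meaning = if ($Win32Text.ContainsKey($win32)) { $Win32Text[$win32] } else { 'look up in winerror.h' }
    [pscustomobject]@{
        Time      = "$($f[0]) $($f[1])"
        Uri       = $f[4]
        Status    = "$($f[-4]).$sub"
        Meaning   = $meaning
        Win32     = '0x{0:X8}' -f [uint32]$win32
        Win32Text = $win32Meaning
    }
}

function Get-MisplacedRootCert {
    # A genuine root is self-signed (Subject equals Issuer). Anything else in the Root
    # store was issued by another CA and trips SChannel's chain validation on this host.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

# Constructed sample input: the two entries quoted in the post, with '-' for empty fields.
$sample = @(
    '2013-08-20 12:24:03 x.x.x.x OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - x.x.x.x - - 403 7 5 15',
    '2013-08-20 12:26:58 x.x.x.x OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - x.x.x.x - - 403 16 2148204809 15'
)
$sample | ForEach-Object { ConvertFrom-IisStatus $_ } | Format-List
Get-MisplacedRootCert | Format-Table -AutoSize
```

Run it in an elevated session on the IIS/Exchange host; an empty result from Get-MisplacedRootCert means the Root store holds only self-signed certificates.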
So thanks, MS. By not fixing SChannel.dll, you made this bug possible!
PS: Because Microsoft's Connectivity Analyzer is pretty anal about the SSL certificate having the correct hostname (for some reason it does not check the SAN), I highly recommend EAS-MD from http://mobilitydojo.net/downloads/; it also allows testing ActiveSync with a user certificate.