No Client Authentication Methods Available for ActiveSync
[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at http://go.microsoft.com/fwlink/?linkid=34707.]
Topic Last Modified: 2008-06-18
The Microsoft Exchange Server Analyzer uses the following Exchange Management Shell cmdlet to query for the value of the VirtualDirectoryName and WebsiteName properties of any target Exchange 2007 servers:
The VirtualDirectoryName property returns a string that defines the name of the ActiveSync virtual directory, and the WebsiteName property returns a string that defines the name of the Exchange ActiveSync Web site.
The Exchange Server Analyzer also reads the values of the BasicAuthEnabled and ClientCertAuth properties from the cmdlet output for the target server.
The value for the BasicAuthEnabled property is a Boolean value that represents whether or not Basic authentication is enabled on the server.
With Basic authentication, the server requests that the client submit a user name and a password. That user name and password are sent in clear text over the Internet to the server. The server verifies that the supplied user name and password are valid and then grants access to the client.
A value of $true for the BasicAuthEnabled property indicates that Basic Authentication is enabled and a value of $false indicates that Basic Authentication is not enabled.
The value for the ClientCertAuth property is a Boolean value that enables the mobile device to use a client certificate.
Certificate-based authentication uses a digital certificate to verify an identity. Certificate-based authentication provides a second set of credentials, in addition to the user name and password, which prove the identity of the user who is trying to access the mailbox resources that are stored on the Exchange 2007 server. A digital certificate consists of two components: the private key that is stored on the device and the public key that is installed on the server.
A value of Ignore for the ClientCertAuth property indicates that client certificates will not be used, a value of Accepted indicates that client certificates will be accepted, and a value of Required indicates that a client certificate is required to authenticate.
If the Exchange Server Analyzer determines that neither Basic Authentication nor Client Certificates are enabled for ActiveSync connections, the Exchange Server Analyzer displays a warning.
This warning means that client authentication to the server is not required via ActiveSync.
It is a recommended best practice that Basic Authentication, Client Certificates, or both be enabled for ActiveSync connections.
To address this warning, enable Basic Authentication, Client Certificates, or both for the ActiveSync virtual directory.
To enable Basic authentication for Exchange ActiveSync
- Follow the guidance in the core Exchange 2007 documentation, "How to Configure Basic Authentication for Exchange ActiveSync" (http://go.microsoft.com/fwlink/?LinkId=121578).
To enable Certificate-Based Authentication for Exchange ActiveSync
- Follow the guidance in the core Exchange 2007 documentation, "How to Configure Certificate-Based Authentication for Exchange ActiveSync" (http://go.microsoft.com/fwlink/?LinkId=121579).
For more information about choosing an authentication method for your Exchange ActiveSync server, see "Choosing an Authentication Method for Your Exchange ActiveSync Server" (http://go.microsoft.com/fwlink/?LinkId=121580).
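The rule described above can be reproduced by hand to check a virtual directory before and after changing its settings. The following PowerShell is an added example, not part of the original topic or of the Exchange Server Analyzer: the function names and sample objects are constructed, treating only Ignore as "client certificates not enabled" is an assumption, and Get-ActiveSyncVirtualDirectory is named here as the Exchange Management Shell cmdlet that returns these properties.

```powershell
# Added example. Test-EasClientAuth and New-SampleVdir are hypothetical names.
# Classifies ActiveSync virtual directory objects by the two properties the
# analyzer rule inspects: BasicAuthEnabled and ClientCertAuth.
function Test-EasClientAuth {
    process {
        $basic = [bool]$_.BasicAuthEnabled
        $cert  = [string]$_.ClientCertAuth   # Ignore | Accepted | Required

        # Assumption: only 'Ignore' counts as "client certificates not enabled".
        if (-not $basic -and $cert -eq 'Ignore') {
            $finding = 'WARNING: no client authentication method enabled'
        } elseif ($basic -and $cert -eq 'Ignore') {
            # Basic sends the user name and password in clear text.
            $finding = 'Basic only'
        } elseif ($cert -eq 'Required') {
            $finding = 'Client certificate required'
        } else {
            $finding = 'Client certificate accepted'
        }

        $_ | Select-Object WebsiteName, VirtualDirectoryName, BasicAuthEnabled,
            ClientCertAuth, @{ Name = 'Finding'; Expression = { $finding } }
    }
}

# Builds a constructed stand-in for one virtual directory object so the
# check can be exercised without an Exchange server.
function New-SampleVdir([string]$Site, [bool]$Basic, [string]$Cert) {
    New-Object PSObject |
        Add-Member NoteProperty WebsiteName $Site -PassThru |
        Add-Member NoteProperty VirtualDirectoryName 'Microsoft-Server-ActiveSync' -PassThru |
        Add-Member NoteProperty BasicAuthEnabled $Basic -PassThru |
        Add-Member NoteProperty ClientCertAuth $Cert -PassThru
}

# Constructed sample data: one misconfigured and two configured directories.
$samples = @(
    (New-SampleVdir 'Sample Site A' $false 'Ignore'),
    (New-SampleVdir 'Sample Site B' $true  'Ignore'),
    (New-SampleVdir 'Sample Site C' $false 'Required')
)
$samples | Test-EasClientAuth | Format-Table -AutoSize

# In the Exchange Management Shell, pipe the real objects instead:
# Get-ActiveSyncVirtualDirectory -Server <ServerName> | Test-EasClientAuth
```

Only Sample Site A produces the warning finding; rerunning the check after following either procedure above should show that finding cleared for the affected virtual directory.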