Forum Discussion

Nimbostratus

Mar 16, 2017

Solved

ActiveSync Client Cert Auth - no password prompt

I've seen a few threads, tagged on to some of them, but still no real solid answers. I would like to know the recommended / best config to implement client certificate authentication for ActiveSync....

BIG-IP Access Policy Manager (APM)

security

Fred_Slater_856
Mar 17, 2017
Configure 2nd iApp for EAS, keep iRules, attached 'exchange' profile. The APM docs on AskF5 outline on-demand cert auth: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/17.htmlconceptid. The proper APM profile should handle clientless mode.

Fred_Slater_856

Historic F5 Account

Mar 17, 2017

Configure 2nd iApp for EAS, keep iRules, attached 'exchange' profile. The APM docs on AskF5 outline on-demand cert auth: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/17.htmlconceptid. The proper APM profile should handle clientless mode.

The-messenger

Cirrostratus

Mar 21, 2017

Thanks Fred!

I have done as you suggest. Configured second iapp with ActiveSync specific selections. Configured ClientSSL profile adding the client authentication information. prior to this I configured our AD Certificate Authority In the Access profile, I have added a client cert inspection branch before the logon page.

Airwatch sends the cert/payload, APM checks for a valid cert, sends on the next step in the policy. iOS and Android devices are checking successfully.

Works great!

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)