Forum Discussion

Patrick_Brown_7
Oct 21, 2013

Certificate based SSO from an iPhone for Exchange with APM

I need some help getting started. Here is my problem. When users' Active Directory passwords expire, their accounts will often get locked out because their iPhone continues to access the account with the old password. I'd like to start deploying certs to my corporate iPhone users with our Boxtone MDM solution. Then I think I can use APM to authenticate the iPhone to AD and Exchange 2010 with the cert. Does this make sense? Is there a writeup on how to build this?


  • There are two important considerations when using certificates for authentication:


    1. In and of itself, a certificate is a single factor of identity assertion, like a username. Exchange, SharePoint, and really anything that relies on AD won't simply support a certificate as a way to authenticate a user, unless perhaps you terminate the client-server SSL session directly at the Exchange/SharePoint server. That's not usually an easy config, and it generally eliminates anything more functional than layer 4 load balancing. Instead, you may want to consider doing Kerberos SSO to your Exchange environment - a native and well-supported approach. Prompt the client for a certificate on the client side of APM, optionally do some certificate revocation checking and other vetting, and then apply a Kerberos SSO profile that consumes the userPrincipalName from the certificate.


    2. As I mentioned in the beginning, a certificate is a single factor of identity assertion. There are ways to make certificates multi-factor, like deploying them in smartcards that require a unique PIN to access, but generally speaking the "software" certificates that will be installed on the users' mobile devices will be as much tied to the device as to the user. If the device is compromised, there's really nothing to protect from rogue use of the certificate other than having it revoked (or whatever MDM controls you have in place). Considering the complexity required to compromise most modern phones though, that may be an acceptable risk (probably still better than a password).

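The Kerberos SSO step in the reply above consumes the userPrincipalName carried in the client certificate's subjectAltName. As an added example (not code from this thread or from F5), here is a dependency-free Python parser that pulls the UPN otherName out of a DER-encoded SAN extension value and maps it to a Kerberos principal only when the UPN belongs to the realm the SSO profile is allowed to delegate for; the SAN bytes and the names inside them are constructed for the demo.

```python
# id-ms-upn (1.3.6.1.4.1.311.20.2.3): the otherName type AD puts in a user cert's SAN
UPN_OID = bytes.fromhex("2b060104018237140203")

def _tlv(buf):
    """Yield (tag, content) for each DER element in buf; handles long-form lengths."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def upn_from_san(san_der):
    """Return the UPN otherName from a DER SubjectAltName value, or None."""
    (tag, names), = _tlv(san_der)                # GeneralNames ::= SEQUENCE OF GeneralName
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE")
    for tag, content in _tlv(names):
        if tag != 0xA0:                          # [0] otherName; skip rfc822Name, dNSName, ...
            continue
        (oid_tag, oid), (val_tag, explicit) = _tlv(content)
        if oid_tag != 0x06 or oid != UPN_OID or val_tag != 0xA0:
            continue                             # some other otherName type
        (str_tag, value), = _tlv(explicit)       # [0] EXPLICIT wraps a UTF8String
        if str_tag != 0x0C:
            raise ValueError("UPN otherName must be a UTF8String")
        return value.decode("utf-8")
    return None

def kerberos_principal(san_der, allowed_realm):
    """Map the certificate's UPN to user@REALM, refusing UPNs from other realms."""
    upn = upn_from_san(san_der)
    if upn is None:
        raise ValueError("certificate carries no UPN")
    user, _, domain = upn.rpartition("@")
    if not user or domain.lower() != allowed_realm.lower():
        raise ValueError(f"UPN realm {domain!r} not allowed for this SSO profile")
    return f"{user}@{allowed_realm.upper()}"

def _der(tag, content):                          # short-form DER, enough for the sample
    return bytes([tag, len(content)]) + content

def sample_san(upn, email):  # constructed SAN value: an rfc822Name, then the UPN otherName if given
    names = _der(0x81, email.encode("ascii"))
    if upn is not None:
        names += _der(0xA0, _der(0x06, UPN_OID) + _der(0xA0, _der(0x0C, upn.encode("utf-8"))))
    return _der(0x30, names)
```

`upn_from_san` accepts the raw extension value of a real certificate's subjectAltName as well, so the same check can be run against certs issued by your CA before trusting them for SSO.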

  • I'm getting back to this topic. It's become a priority to make trusted smartphones work with cert-based authentication.


    I have this whitepaper. Has anyone gone through this? Can you share any issues you may have had? I'm running 11.4.1 code, which is newer than what this whitepaper is based on.


    https://www.f5.com/pdf/white-papers/exchange-mobile-device-security-tech-brief.pdf


    Thanks,


    Patrick