Forum Discussion
Certificate based SSO from an iPhone for Exchange with APM
I need some help getting started. Here is my problem. When users' Active Directory passwords expire, their accounts will often get locked out because their iPhone continues to access the account with the old password. I'd like to start deploying certs to my corporate iPhone users with our Boxtone MDM solution. Then I think I can use APM to authenticate the iPhone to AD and Exchange 2010 with the cert. Does this make sense? Is there a writeup on how to build this?
- Patrick_Brown_7Nimbostratus
I'm getting back to this topic. It's become a priority to make trusted smart phones work with cert based authentication.
I have this whitepaper. Has anyone gone through this? Can you share any issues you may have had? I'm running 11.4.1 code, which is newer than what this whitepaper is based on.
https://www.f5.com/pdf/white-papers/exchange-mobile-device-security-tech-brief.pdf
Thanks,
Patrick
- You don't have to implement/roll out certs just to solve this problem (actually, I don't see how this will solve the expired password issue), but here is a good writeup article on how you can leverage iRules to prevent AD account lockout. You can implement this solution on your Exchange virtual server and stop users from locking themselves out of AD. https://devcentral.f5.com/articles/create-a-user-lockout-policy-with-access-policy-manager
- Kevin_StewartEmployee
There are two important considerations when using certificates for authentication:
- In and of itself, a certificate is a single factor of identity assertion, like a username. Exchange, SharePoint, and really anything that relies on AD, won't simply support a certificate as a way to authenticate a user, unless perhaps you terminate the client-server SSL session directly at the Exchange/SharePoint server. That's not usually an easy config, and it generally eliminates anything more functional than layer 4 load balancing. Instead, you may want to consider doing Kerberos SSO to your Exchange environment - a native and well-supported approach. Prompt the client for a certificate on the client side of APM, optionally do some certificate revocation checking and other vetting, and then apply a Kerberos SSO profile that consumes the userPrincipalName from the certificate.
- As I mentioned in the beginning, a certificate is a single factor of identity assertion. There are ways to make certificates multi-factor, like deploying them in smartcards that require a unique PIN to access, but generally speaking the "software" certificates that will be installed on the users' mobile devices will be as much tied to the device as to the user. If the device is compromised, there's really nothing to protect from rogue use of the certificate other than having it revoked (or whatever MDM controls you have in place). Considering the complexity required to compromise most modern phones though, that may be an acceptable risk (probably still better than a password).
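Added example, not part of the thread and not F5 code: a sketch of the vetting step between the certificate check and Kerberos SSO described in the reply above, pulling the userPrincipalName out of the certificate's Subject Alternative Name and refusing anything ambiguous. It assumes the SAN has already been rendered as text containing `othername:UPN<user@realm>`; that text format, the function and variable names, and the realm `CORP.EXAMPLE.COM` are assumptions made for illustration.

```python
import re

# Assumed text rendering of the SAN otherName UPN entry (not taken from the thread).
UPN_RE = re.compile(r"othername:UPN<([^<>]*)>", re.IGNORECASE)
# Constructed allow-list: realms the Kerberos SSO step is permitted to act for.
ALLOWED_REALMS = {"CORP.EXAMPLE.COM"}
# Constructed sample of a SAN extension rendered as text.
SAMPLE = ("X509v3 Subject Alternative Name:\n"
          "    othername:UPN<jdoe@corp.example.com>, email:jdoe@example.com")


class CertIdentityError(ValueError):
    """The certificate does not yield one unambiguous, trusted UPN."""


def kerberos_identity(san_text, allowed_realms=ALLOWED_REALMS):
    """Return the username and realm to hand to Kerberos SSO, or raise."""
    upns = UPN_RE.findall(san_text)
    # Zero UPNs means no AD identity; several means we cannot pick one safely.
    if len(upns) != 1:
        raise CertIdentityError(f"expected exactly one UPN, found {len(upns)}")
    user, sep, realm = upns[0].strip().rpartition("@")
    if not sep or not user or not realm:
        raise CertIdentityError("UPN is not of the form user@realm")
    # A restrictive character set keeps stray '@', spaces or control
    # characters out of the principal name built from this value.
    if not re.fullmatch(r"[A-Za-z0-9._'-]+", user):
        raise CertIdentityError("unexpected characters in UPN user part")
    realm = realm.upper()  # Kerberos realms are conventionally upper case
    if realm not in allowed_realms:
        raise CertIdentityError(f"realm {realm!r} is not trusted for SSO")
    return {"username": user, "realm": realm}


if __name__ == "__main__":
    print(kerberos_identity(SAMPLE))
```

The e-mail entry in the sample is deliberately ignored: only the UPN is treated as the AD identity, and a certificate from a trusted CA that carries an unexpected realm is still rejected.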
- What_Lies_Bene1Cirrostratus
APM isn't my thing but using certs certainly makes sense.