For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_Denham_13's avatar
Chris_Denham_13
Icon for Nimbostratus rankNimbostratus
Sep 08, 2015

Exchange 2013 ActiveSync Client Certificate Authentication

Hi DevCentraler's,

 

I've setup an Exchange CAS Virtual Server using an iApp template which is working well. (OWA, Autodiscover, ActiveSync, Outlook Anywhere, EWS, OAB)

 

We would like to start using client certificates as an alternative form of authentication for ActiveSync, and have enabled this internally (works nicely).

 

Has anyone configured this sort of deployment before? Ideally we would like to use the same VIP and be able to offer username / password authentication OR client certificate authentication.

 

I have tried configuring a client SSL profile with the appropriate chain certificate and configuring client certificates to be 'requested' but this hasn't worked.

 

Exchange is configured as follows:

 

 

application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iApps
LTM
security

2 Replies

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Sep 09, 2015

    If you want the client cert to be presented at the CAS, I think your options are:

     

    If you have APM, you could:

     

    • Use APM on-demand cert auth, collect the domain name from the user's UPN in the cert, stuff that into a Kerberos SSO request, and auth to the CAS using KCD (the iApp does something similar when deploying APM with smart card auth for OWA).
    • Nath's avatar
      Nath
      Icon for Cirrostratus rankCirrostratus
      Mar 18, 2016
      This is my problem right now! I tried to configured chain cert and bundle cert but still no luck! Is there any way to use the ActiveSync that f5 will terminate and re-encrypt the traffic up to the CAS server?