Problem: Mail for Exchange on Nokia mobile phones should authenticate with a client certificate in addition to username/password against ActiveSync on Exchange 2003, so that a username/password alone is not enough to access corporate data.
Solution:
- Create client certificates for the Nokia phones. I did it using Microsoft Certificate Server. To do so, go to http://ca-servername/certsrv, choose "Request a certificate", then "User certificate", and hit the Submit button (this creates a certificate and the associated private key for the authenticated user). Then hit "Install this certificate" and "Yes". Now start "certmgr.msc" (Start\Run) and select "Certificates - Current User". Under Personal/Certificates you should find the newly created certificate. Right-click it, "All Tasks", "Export...", select "Yes, export the private key" and provide an export password (keep in mind that you will need to enter it on the Nokia phone). Store the resulting .pfx file somewhere.
- Transfer the .pfx file using Nokia PC Suite to the mobile phone
- On the Nokia phone go: "Menu", "Office", "File Manager" and open the .pfx file you just transferred
- Enter the export password and select "Save"
- Provide a key storage password ("Schlüsselspeicher-Passwort" in German). This MUST have a length of 6.
- Press OK and return to the home screen
- Now go: "Menu", "System", "Settings", "General", "Security", "Certificate Management", "Personal Certificates", "Options", "Move to Phone Certificates", "Yes" and enter the key storage password. This makes sure the user does not have to enter the password for the private key at every sync.
- Configure Mail for Exchange as usual. You should find enough information on Google/Bing on this topic.
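The certificate selection and export from the first step, done from PowerShell instead of the certsrv pages and certmgr.msc, with the checks you want before handing a .pfx to a phone: the cert must carry a private key, the Client Authentication EKU, and chain to a trusted root. This is an added example, not part of the original post; it assumes Windows 8/Server 2012 or later with the PKI module, runs as the user who enrolled the certificate, and the CA name and output path are placeholders.

```powershell
# Added example (not from the original post). Assumes the PKI module
# (Test-Certificate, Export-PfxCertificate) is available. Placeholders below.
$IssuerName = 'CN=CORP-CA'                          # placeholder: your issuing CA's subject
$OutFile    = "$env:USERPROFILE\phone-client.pfx"   # placeholder: where to store the .pfx
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'                # Client Authentication EKU OID

# 1. Pick the certificate in the user's Personal store that the corporate CA issued,
#    that still has its private key, is not expired, and allows client authentication.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.Issuer -eq $IssuerName -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No usable client-authentication certificate issued by $IssuerName found." }

# 2. Confirm the chain builds to a trusted root. The same root must also sit in the
#    Computer store's Trusted Root Certification Authorities on the ISA/TMG listener.
if (-not (Test-Certificate -Cert $cert -EKU $ClientAuthEku -ErrorAction SilentlyContinue)) {
    throw "Certificate does not chain to a trusted root or lacks the Client Authentication EKU."
}

# 3. Export certificate plus private key, protected by the password the phone will ask for.
$pw = Read-Host -AsSecureString -Prompt 'Export password (you will type this on the phone)'
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pw | Out-Null
Write-Host "Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $OutFile"
```

Delete the .pfx from the PC once it has been imported on the phone; it contains the private key.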
To actually authenticate Mail for Exchange/the phone using the certificate, I used ISA 2004.
Create an SSL listener and enable authentication using certificates. Make sure the root certificate (or the certificate used to sign your client certificates) is installed under "Trusted Root Certification Authorities" in the Computer certificate store. I then authenticated against Active Directory, and ISA uses NTLM/Integrated Security to authenticate as the actual user against ActiveSync. On the Exchange front-end IIS, "Integrated Windows Authentication" must be enabled on the "Microsoft-Server-ActiveSync" directory. I forgot whether the ISA server must be trusted for delegation in this scenario, but if you have any trouble, check the logs and search Google/Bing for "Trusted for delegation ISA SPN".
Note: this setup still requires the username and password to be correctly configured in Mail for Exchange.
You don't have any idea how much this helped. It was impossible otherwise to get it to work on my E71. Many thanks for your help.
Well, actually I did get through the same steps (on an E71) and I just can't get MfE to connect to the Exchange server.
I get a login failure apparently (3 trials) and finally a system error.
In fact I am sure the login information is correct, as I do have another device synchronised (WM6) with the same information.
Any clue on what the issue is here?
P.S.: I am not the sysadmin of the Exchange server and can't get any direct access to the config of the server.
I got it working right with TMG2010 and Exchange 2007.
Nokia E71 with certificate for authentication. I noticed that the password that you set up in MfE is not relevant, as the ISA is set up to authenticate via the certificate and afterwards it handles everything with Kerberos delegation.
The only problem left is the annoying popup message that shows up on every connection to the ISA, "User Authentication Required". It waits for an OK and it is really annoying when connected always or scheduled (on manual the user initiates it, so it's not a problem).
Was anyone able to get over that annoying message by any chance?
Thanks,
Scifferous.
Hi people – This helps a lot, but I think I am stuck at the last step. I have imported the certificate. However, we use a hidden LAN in our company and hence I defined an access point for that. Do you know how I can configure that access point so that Mail for Exchange can use it?
Thanks,
Amit.
I followed these steps and ended up in the same situation.
3 messages about username and password, with no success on the E71.
Using the same procedure on the N900 works like a charm; to me it seems there is some issue in MfE. I tried 2.7, 2.9 and 3.x, including the last one.
All worked fine on the E71 until my company decided to change to cert auth.
I don't have administrative rights on these servers. Any clue?