Archive for June, 2009

Nokia Mail for Exchange, Exchange and Client Certificates

Saturday, June 13th, 2009

problem: Mail for Exchange on Nokia mobile phones should authenticate using Client Certificates and username/password against Active Sync of Exchange 2003, to make sure that username/password is not enough to access corporate data.

solution

  1. Create client certificates for the Nokia phones. I did it using Microsoft Certificate server. To do so, go to http://ca-servername/certsrv and "Request a certificate", "User certificate" and hit the submit button (this will create a certificate and the associated private key for the authenticated user). Then hit "Install this certificate" and "yes". Now start "certmgr.msc" (Start\run) and select "Certificate/Current User". Under Personal/Certificates you should find your newly created certificate. Right-click, "All Tasks", "Export...", select "Yes, export the private key" and provide an export password (keep in mind, that you need to enter it on the Nokia phone). Store the .pfx somewhere
  2. Transfer the .pfx file using Nokia PC Suite to the mobile phone
  3. On the nokia phone go: "Menu", "Office", "File Manager" and open the just transferred .pfx file
  4. Enter the export password and select "Save"
  5. Provide a keystorage password (Schl├╝sselspeicher-Passwort in german). This MUST have a length of 6.
  6. Ok and return to the home screen
  7. Now go: "Menu", "System", "Settings", "General", "Security", "Certificate Management", "Personal Certificates", "Options", "Move to Phone Certificates", "Yes" and enter the keystorage password. This makes sure, the user does not have to enter the password for the private key at every sync.
  8. Configure Mail for Exchange as usual. You should find enough information on google/bing on this topic.

To actually authenticate Mail for Exchange/Phone using the certificate I used ISA 2004.
Create an SSL Listener and enable Authentication using Certificates. Make sure the root certificate (or the cert used for signing your client certs) is installed as "Trusted root certificates" in the "Computer Certificates". I then authenticated against Active Directory and ISA will use NTLM/Integrated Security to authenticate as the actual user against Active Sync. On the Exchange Front-End IIS on the "Microsoft-Server-ActiveSync" directory "Integrated Authentication" must be enabled. I forgot if the ISA server must be trusted for delegation for this scenario, but if you have any trouble, check the logs and google/bing for "Trusted for delegation ISA spn".

Note: this setup still requires the username and password to be correctly configured in Mail for Exchange.