
I'm trying to publish Exchange 2003 activesync on a Server2K3 box, through TMG 2010 on a 2008R2 box, using client certificate on Android mobiles.

From what I can tell, the issue is with TMG, as when I connect directly to the mail server everything works fine. When going through TMG, I can see the attempt in the EAS logs and the server returns 403.7 - Forbidden, client certificate required.

Now, I have set up the web listener to require client certificates, I have told the publishing rule to use Kerberos Constrained Delegation and I have configured the TMG box in Active Directory for delegation with the following SPNs:

http/{mail server internal FQDN}
w3svc/{mail server internal FQDN}

I have followed the steps in these two walkthroughs:
http://www.isaserver.org/tutorials/publish-microsoft-exchange-active-sync-eas-isa-server-2006-part1.html
http://www.isaserver.org/tutorials/Publish-Microsoft-Exchange-Active-Sync-EAS-ISA-Server-2006-Part2.html

Yet despite everything I am still getting 403.7 back from the Exchange server. I suspect the issue is either with the TMG server getting a ticket from our DC, or with the TMG providing the ticket to the mailserver.

Any suggestions would be most welcome!

Thanks in advance.

Mark Henderson
Tony Blunt

1 Answer

Grab a network trace from the inside of the TMG box while you're authenticating from a client; that'll show you the ticketing exchange with the DC. (assuming the logs don't have a particular error).

Though 403.7 roughly translates to Client Certificate Required. If this is the error you're seeing in the W3 logs on the web server, you need to disable Client Certificate authentication there; TMG can only do Kerberos, so Client Cert Auth isn't on the cards any more.

This would also explain why it still works internally with no changes.

Edit - about the best link for setting up ActiveSync with Client Certificate Authentication that I've seen is in the ISA 2006 Deployment guidance on Technet: http://technet.microsoft.com/en-us/library/bb794751.aspx#AppendixC

Edit 2 - to make it explicit, the above Part 1 article is wrong, in that it doesn't address ISA/TMG performing client certificate auth; only doing it directly at the Exchange box.

TristanK
  • Tristan, thanks for the reply. So basically the walkthrough I linked is wrong, since it says to 'Require Client Certificates' in IIS on the Exchange box? As soon as I change to ignore/accept certificates it works fine. Now you say it, it seems obvious, since it would make sense that it's not possible for a server to pass a client cert on to another. Can I just clarify - client certs *replace* the need for username/password on a device, right? Is there any way to require both? Thanks in advance... – Tony Blunt Nov 04 '11 at 10:42
  • Hi Tony - sorry, I'm not what I'd call an expert at this, I just dabble occasionally, so I don't know; thinking about it: Without using a completely external form of authentication, the certificate is used to provide a Windows credential via AD lookup. Unless there's the possibility of authenticating (cert style) as one user, and then providing HTTP auth as another, I don't think an additional password prompt can be achieved. Happy to be proven wrong :) – TristanK Nov 04 '11 at 10:54
  • And yep, the article covers how to do it on a local box, and neglects the ISA Server compatibility bit. I'm sure I've seen a document that explains it end-to-end before, but can't find it now. – TristanK Nov 04 '11 at 11:01
  • Tristan, thanks. You've helped clear things up for me. That incorrect walkthrough has had me running round in circles for days! Thanks for the link too, very helpful :) – Tony Blunt Nov 04 '11 at 12:14
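As an added example (not from the thread or from either poster), here is a small script that confirms the symptom the answer describes by pulling 403.7 responses for the ActiveSync virtual directory out of IIS W3C logs: the log lines are constructed, the field list follows the IIS W3C extended format, and the function names are this example's own.

```python
"""Flag 403.7 (client certificate required) hits in IIS W3C logs.

The sample below is constructed to mimic the W3 logs on an Exchange
front end behind TMG; field names follow the IIS W3C extended format.
"""

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus
2011-11-04 10:30:01 10.0.0.5 - OPTIONS /Microsoft-Server-ActiveSync 403 7
2011-11-04 10:30:05 10.0.0.5 DOMAIN\\tony POST /Microsoft-Server-ActiveSync 200 0
2011-11-04 10:31:12 10.0.0.5 - POST /Microsoft-Server-ActiveSync 403 7
2011-11-04 10:32:00 10.0.0.9 DOMAIN\\mark GET /exchange/ 200 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the latest #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def find_cert_required(text, path="/Microsoft-Server-ActiveSync"):
    """Return records where IIS answered 403.7 on the EAS virtual directory.

    Behind TMG with KCD this is the symptom from the question: TMG has
    already validated the device certificate, so IIS should not require one.
    """
    return [
        rec for rec in parse_w3c(text)
        if rec.get("sc-status") == "403"
        and rec.get("sc-substatus") == "7"
        and rec.get("cs-uri-stem", "").lower().startswith(path.lower())
    ]


def summarize(text):
    """Count 403.7 hits per client IP; one internal address (the TMG box)
    dominating the list points at 'Require client certificates' on IIS."""
    counts = {}
    for rec in find_cert_required(text):
        counts[rec["c-ip"]] = counts.get(rec["c-ip"], 0) + 1
    return counts
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; an empty result after switching IIS to ignore/accept certificates confirms the fix.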