Configure Exchange Certificate Based Authentication for Exchange ActiveSync

Scenario:  You want to enable Certificate Based Authentication (CBA) for Exchange ActiveSync. TMG is already set up and configured to accept and process the CBA ActiveSync requests. Now we need to configure Exchange so it can successfully accept the hand-off from TMG.

Our Environment: 

Exchange: Exchange 2013 SP1
Server:  Windows Server 2012
MDM:  Airwatch (Needed to push out the Certificates)

We currently have, and will keep, servers that process ActiveSync via Basic Authentication with the server name: . We have separate servers that will process ActiveSync via CBA with the server name:

Configuration Steps:

Exchange Certificate:
1. Add the new external and internal server names that will be used to point ActiveSync devices to EAS CBA as subject alternative names on the existing certificate. Currently you may use as the server name for the Exchange ActiveSync endpoint that processes Basic Authentication.  You will need a separate server name, such as , that will be used to allow TMG to accept and pass this traffic to the new servers.  You also need to include the internal server name as a subject alternative name.

2. Import the Exchange certificate in Exchange and apply the IIS service to it.

Add Roles to Server:
3. Install the Client Certificate Mapping Authentication Role. In PowerShell run:
Import-Module ServerManager

Add-WindowsFeature Web-Client-Auth

ActiveSync Virtual Directory:
4. Remove Basic Authentication and Select Accept Client Certificate.
    a. Open Exchange EAC.
    b. Navigate to Servers-->Virtual Directories
    c. Open the ActiveSync Virtual Directory on the server you wish to enable Certificate Based Authentication.
    d. Uncheck Basic Authentication and mark Accept Client Certificates.

5. Add the Internal and External URLs accordingly, for example internalurl/externalurl:  (Note: Be careful with Autodiscover. If you can exclude this server from Autodiscover lookups for ActiveSync, mobile devices that want to authenticate via Basic will not receive these server settings.  Otherwise, you could set the internalurl/externalurl on the CBA virtual directories to the same URLs as the ones accepting Basic Authentication.)

IIS Manager:
6. Enable Active Directory Client Certificate Authentication on the server.
    a. Open IIS Manager.
    b. Click on the server name.
    c. Click on Authentication.
    d. Enable Active Directory Client Certificate Authentication.
    e. Restart the IIS Admin Service in the Services console.

7. Enable Client Certificate Mapping Authentication on the ActiveSync virtual directory.
    a. From an elevated command prompt, navigate to C:\windows\system32\inetsrv.
    b. Enter the following on a single line:

APPCMD.EXE set config "Default Web Site/Microsoft-Server-ActiveSync" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost

8. Change the UploadReadAheadSize from its default value (0) to the maximum size you wish to send from an ActiveSync device. For example, if your sending limit is 35 MB, the value will be 36700160 (35 x 1048576 bytes).
    a. Open IIS Manager.
    b. Navigate to the Microsoft-Server-ActiveSync virtual directory.
    c. Click on Configuration Editor.
    d. Navigate to system.webServer/serverRuntime.
    e. Edit the value of uploadReadAheadSize to 36700160 and apply it.

9.  Enable Windows Authentication on the Microsoft-Server-ActiveSync virtual directory (this is for TMG).
    a. Open IIS Manager.
    b. Navigate to the Microsoft-Server-ActiveSync virtual directory.
    c. Click on Authentication.
    d. Enable Windows Authentication.

10.  Restart the World Wide Web Publishing Service from the Services console.
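The IIS side of the procedure above (role install, server-level AD client certificate authentication, per-directory certificate mapping, UploadReadAheadSize, Windows Authentication on and Basic off) can be applied and then verified from PowerShell with the WebAdministration module instead of the GUI and appcmd. This is an added example, not part of the original guide; it assumes the virtual directory sits under "Default Web Site" (as in the appcmd line) and the Test-EasCbaConfig function name is ours.

```powershell
# Added example: scripted equivalent of the IIS steps, plus a read-back check.
# Assumption: ActiveSync vdir is "Default Web Site/Microsoft-Server-ActiveSync".
Import-Module ServerManager
Import-Module WebAdministration

$Site    = 'Default Web Site'
$Vdir    = "$Site/Microsoft-Server-ActiveSync"
$AppHost = 'MACHINE/WEBROOT/APPHOST'      # same scope as appcmd /commit:apphost
$Auth    = 'system.webServer/security/authentication'
$MaxUploadBytes = 35 * 1MB                # 36700160, matches a 35 MB send limit

# Role that provides clientCertificateMappingAuthentication (Web-Client-Auth)
if (-not (Get-WindowsFeature Web-Client-Auth).Installed) {
    Add-WindowsFeature Web-Client-Auth | Out-Null
}

# Server level: Active Directory Client Certificate Authentication
Set-WebConfigurationProperty -PSPath $AppHost -Filter "$Auth/clientCertificateMappingAuthentication" -Name enabled -Value $true

# Virtual directory: certificate mapping on, Windows auth on (for TMG), Basic off
Set-WebConfigurationProperty -PSPath $AppHost -Location $Vdir -Filter "$Auth/clientCertificateMappingAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $Vdir -Filter "$Auth/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $Vdir -Filter "$Auth/basicAuthentication" -Name enabled -Value $false

# Virtual directory: buffer the whole request body so the client certificate
# renegotiation can complete on large uploads (UploadReadAheadSize)
Set-WebConfigurationProperty -PSPath $AppHost -Location $Vdir -Filter 'system.webServer/serverRuntime' -Name uploadReadAheadSize -Value $MaxUploadBytes

function Test-EasCbaConfig {
    # Reads every setting back from applicationHost.config and reports mismatches
    # before the IIS Admin / W3SVC restarts, so a missed step is caught here.
    $checks = @(
        @{ Name='ServerADClientCert'; Filter="$Auth/clientCertificateMappingAuthentication"; Loc=$null; Prop='enabled'; Want=$true }
        @{ Name='VdirClientCertMap';  Filter="$Auth/clientCertificateMappingAuthentication"; Loc=$Vdir; Prop='enabled'; Want=$true }
        @{ Name='VdirWindowsAuth';    Filter="$Auth/windowsAuthentication"; Loc=$Vdir; Prop='enabled'; Want=$true }
        @{ Name='VdirBasicAuth';      Filter="$Auth/basicAuthentication";   Loc=$Vdir; Prop='enabled'; Want=$false }
        @{ Name='UploadReadAhead';    Filter='system.webServer/serverRuntime'; Loc=$Vdir; Prop='uploadReadAheadSize'; Want=$MaxUploadBytes }
    )
    foreach ($c in $checks) {
        $p = @{ PSPath=$AppHost; Filter=$c.Filter; Name=$c.Prop }
        if ($c.Loc) { $p.Location = $c.Loc }
        $actual = (Get-WebConfigurationProperty @p).Value
        [pscustomobject]@{ Setting=$c.Name; Expected=$c.Want; Actual=$actual; OK=($actual -eq $c.Want) }
    }
}

Test-EasCbaConfig | Format-Table -AutoSize
```

Run it in an elevated session on the CBA server; any row with OK=False points at the step that still needs attention before restarting the services.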