Configure a single Exchange Server to host 2 Activesync virtual directories that will accept Basic and Certificate Based Authentication methods.

Goal:  Allow a user to connect to Exchange via Activesync and authenticate via Basic Authentication or Certificate Based Authentication.

You cannot enable and allow both Certificate Based Authentication and Basic Authentication methods when connecting to a single Exchange ActiveSync Virtual Directory.  Instead a second Exchange ActiveSync virtual directory needs to be created and configured to allow CBA. One EAS virtual directory will allow Basic Authentication and one EAS virtual directory will allow Certificate Based Authentication. The result is that a user can connect to EAS on a single Exchange server with either authentication method. The steps below walk you through creating this.

Our environment:

Exchange:  Exchange 2013
Server:      Windows Server 2012
MDM:       Airwatch (needed to push out certificates to mobile devices)

Create a new IIS Site to allow EAS Site Creation

1. Created a new directory C:\EAS_CBA so I could reference this in IIS for the new website that needs to be built. There can only be one EAS virtualdirectory per IIS website.

2. Created a DNS record for that points to our Exchange server.

3. Requested\Imported new cert in EAC for  This cert is an additional cert and not the same as the cert we used for our other exchange sites.

4. I had to add a second IP address to our Exchange server as I couldn’t use the existing IP address and add a second cert to it.

5. Create a new website in IIS called EAS_CBA.
a. Site Name:  EAS_CBA
b. Application Pool: DefaultAppPool
c. Phyiscal Path: C:\EAS_CBA
d. Binding:
i. Type: HTTPS
ii. IP Address:  IP Address from step 4.
iii. Hostname:
iv. Require Server Name Indication: Checked
v. SSL Certificate:
(I also added a 80 binding since there was one located in the Default Web Site)

6. Set the new website created to Require SSL in IIS
a. On the Root EAS_CBA site --> SSL Settings --> Require SSL.
b. On the EAS_CBA --> Microsoft-Server-ActiveSync --> SSL Settings --> Require SSL.

Create a new EAS Virtual Directory in Exchange

7. In Exchange PowerShell I was now able to create a new ActiveSync virtual directory that uses the new EAS_CBA website.
a. Command: New-ActiveSyncVirtualDirectory -WebSiteName "EAS_CBA" -ExternalUrl -Server servername -InternalURL

8. You can test here with the new URL to make sure it works before we turn on CBA.

Setup Certificate Based Authentication

9. Install the Role 'IIS Client Certificate Mapping Authentication' by running the following in powershell.
a. Import-Module ServerManager
b. Add-WindowsFeature Web-Client-Auth

10. Enable Certificate-based authentication in IIS on the Server level (top level).
a. Open IIS.
b. Navigate to the Server Node.
c. Select Authentication.
d. Enable Active Directory Client Certificate Authentication.

11. Enabled cba on the ActiveSync website from elevated command prompt.
a. APPCMD.EXE set config "EAS_CBA/Microsoft-Server-ActiveSync" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost

12. Unchecked Basic Authentication and marked Require client certificates on new EAS virtual Directory.
a. Open EAC and Navigate to Servers --> Virtual Directories.
b. Edit the new EAS virtual directory
c. Uncheck Basic Authentication and marked Require client certificates.

13. Enable ClientCertNegotiation on the new certificate as its disabled by default. This will force the mobile devices to renegotiate with certificate authentication up front and to avoid having to edit the UploadReadAheadSize.  From an elevated command shell run the following:
a. Copy down the results: netsh http show sslcert
b. netsh http delete sslcert
c.  netsh http add sslcert certhash=<40 character has> appid={<32 character appid with dashes>} certstorename=MY clientcertnegotiation=enable