Configuring Exchange 2003 ActiveSync using a self-signed SSL certificate

If you are unwilling to fork out for a 'root-trusted' certificate from the likes of Thawte or VeriSign, and don't mind the inconvenience of manually installing the root certificate onto your devices, then Exchange ActiveSync can be configured to use a self-issued certificate. The procedure is as follows.
NOTE - not all of these steps may be required on your Exchange installation, but this article was written using a clean install of Exchange 2003 and all steps were required to successfully synchronise from a Windows Mobile 6.0 device.


Install Microsoft Certificate Services

If it isn’t installed already, install Microsoft Certificate Services via the Add/Remove Windows Components applet within the Control Panel on a server on the local network. Set the server as an Enterprise CA.


Request and Install a certificate for the Exchange server from the CA

Once installed, open a web browser on the Exchange Server and browse to http://(servername)/certsrv (where (servername) is the name of the server that has Certificate Services installed on it). The following window will be displayed:

[Screenshot]

Click on the option to Request a certificate, the following window will be displayed:

[Screenshot]

Click on the option to request a User Certificate. The following window will be displayed:

[Screenshot]

Click Submit. You will be prompted to confirm the action:

[Screenshot]

Click Yes. The following window will be displayed:

[Screenshot]

Click on the option to Install this certificate. Again, you will be prompted to confirm the action:

[Screenshot]

Click Yes. The certificate will now be installed on the server.


Configure IIS

Next, IIS must be configured to use the certificate. Launch the IIS Manager. Right click on the Default Web Site and select Properties. Click on the Directory Security tab.

[Screenshot]

In the Secure Communications section, click on the Server Certificate button. The Server Certificate wizard will be displayed:

[Screenshot]

Click Next. The following window will be displayed:

[Screenshot]

Select the option to Assign an existing certificate and click Next. A list of available certificates will be displayed:

[Screenshot]

Select the certificate issued to the Exchange server and click Next. The following window will be displayed:

[Screenshot]

Select 443 as the SSL port to use. Click Next. Click Next again and then Finish. Back within the Directory Security tab, now click on the Edit button:

[Screenshot]

Tick the option to Require secure channel (SSL) and Require 128-bit encryption. Click OK.

Click on the Edit button in the Authentication and Access Control section:

[Screenshot]

Ensure that the option to use Integrated Windows authentication is ticked.

Click OK and then OK again to confirm the changes. Back within the IIS Manager, right click on the Exchange folder and select All Tasks → Save Configuration to a file:

[Screenshot]

Enter a name for the file, such as ‘ExchangeVDir’ and click OK:

[Screenshot]

IMPORTANT - if you have Forms-Based Authentication enabled on your OWA web site, you may need to disable it temporarily before exporting the configuration of the default web site. Read the Addendum section at the end of this article for more information.

Now right click on the Default Web Site folder and select New → Virtual Directory from File:

[Screenshot]

Click on the option to Browse, then select the ExchangeVDir.xml file you just created.
Click on Read File.
Select Exchange as the Location and click OK:

[Screenshot]

You will receive a warning that the name already exists, select the option to enter a new Alias and name it ‘Exchange-OMA’:

[Screenshot]

Click OK.

The new Exchange-OMA folder will now be listed. Right click on it and select Properties.
Click on the Directory Security tab. Within the Authentication and Access Control section click the Edit button. Ensure that only the following options are enabled:

[Screenshot]

Click OK. In the IP address and domain name restrictions section, click the Edit button:

[Screenshot]

Select the option to Deny access to all computers, then Add the IP address of the Exchange server, so that only the Exchange server itself can reach this directory. Click OK.

In the Secure Communications section, click the Edit button. Untick the option to require SSL:

[Screenshot]

Click OK and then OK again. Close the IIS Manager.


Edit the Registry

Now open Registry Editor on the Exchange Server. Browse to the following key:

HKEY_Local_Machine\System\CurrentControlSet\Services\MasSync\Parameters

In the right hand pane, right click and select New → String Value. Enter a name of ExchangeVDir for the new string. Double click the entry to edit it:

[Screenshot]

In the Value data field, enter the name of the Virtual Directory you created earlier. Click OK.

Close Registry Editor.


Restart IIS

Open the Services snap-in and restart the IIS Admin service on the Exchange server. Select Yes to also restart all dependent services.

Once IIS has been restarted, close the Services snap-in.


Export the root certificate

On the Certificate Authority that issued the certificate to the Exchange server, open the Control Panel and double click Internet Options. NOTE - this guide assumes that you are using a Microsoft CA.

Click on the Content tab and then on the Certificates button. Click on the Trusted Root Certification Authorities tab:

[Screenshot]

Locate the trusted root certificate for your domain. It is vital that the certificate is listed under the Trusted Root Certification Authorities tab rather than under any other tab. Select the certificate and click on the Export button.

The Export Certificate Wizard will be displayed, click Next:

[Screenshot]

Select the option to export the certificate in DER encoded binary X.509 (.CER) format and click Next.

Enter a name for the certificate and specify where you would like the file saved. Click Next, Finish and then OK.


Install the root certificate onto the client device

Now locate the .cer file you created and copy it to any folder on your PDA, via Microsoft ActiveSync for a Windows Mobile device or using the appropriate synchronisation software for other devices. Alternatively, the file can be saved to a memory card or transferred via Bluetooth.

On the PDA, open File Explorer and browse to the folder where you saved the certificate. Tap on the icon for the certificate and tap Yes to install it when prompted.

On a Windows Mobile device, tap on Start → Settings → System → Certificates → Root and verify that the certificate is listed.

You are now ready to use Server ActiveSync securely, using your own SSL certificate.
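The following PowerShell script is an added check for the steps above and is not part of the original article. Run from a domain-joined administrative machine, it reads the ExchangeVDir registry value, loads the root .cer you exported, and opens a TLS connection to port 443, accepting the server certificate only if its chain ends at that exported root; the server name and .cer path are placeholders to replace.

```powershell
# Added verification script; not from the original article.
$ServerName  = 'exchange.example.local'   # placeholder: name as it appears in the server certificate
$RootCerPath = 'C:\certs\root-ca.cer'     # placeholder: the DER .cer exported from the CA

# 1. MasSync must name the unsecured virtual directory created earlier (Exchange-OMA).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MasSync\Parameters'
$vdir = (Get-ItemProperty -Path $regPath -Name ExchangeVDir -ErrorAction SilentlyContinue).ExchangeVDir
if ($vdir) { "ExchangeVDir = $vdir" } else { Write-Warning "ExchangeVDir is missing under $regPath" }

# 2. Load the exported root; this is exactly what the device will trust.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCerPath)
"Exported root: $($root.Subject) [$($root.Thumbprint)]"

# 3. Validation callback: rebuild the server's chain with the exported root as the only
#    anchor and accept only if the chain builds and its top element is that root.
#    AllowUnknownCertificateAuthority lets the chain build from ExtraStore; the thumbprint
#    comparison, not the flag, is the trust decision.
$script:chainOk = $false
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $c.ChainPolicy.ExtraStore.Add($root) | Out-Null
    $c.ChainPolicy.RevocationMode = 'NoCheck'
    $c.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    $built = $c.Build($leaf)
    $top = $c.ChainElements[$c.ChainElements.Count - 1].Certificate
    $script:chainOk = $built -and ($top.Thumbprint -eq $root.Thumbprint)
    return $script:chainOk
}

# 4. Handshake on port 443; AuthenticateAsClient also checks the host name against the certificate.
$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($ServerName)
    "TLS OK: $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit; chain ends at exported root: $chainOk"
    if ($ssl.CipherStrength -lt 128) { Write-Warning 'Negotiated cipher is weaker than the 128-bit IIS requirement' }
} catch {
    Write-Warning "TLS handshake failed: $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Close()
}
```

A handshake that fails here with a chain error means the device, which trusts only the exported .cer, will fail in the same way, so fix the certificate before troubleshooting the device.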


Addendum

If you use forms-based authentication on the OWA web site, it may be necessary to disable this feature before you export the IIS virtual directory to a file, then create the new virtual directory.
Once this has been done you can then re-enable forms-based authentication.
Having forms-based authentication enabled can cause the Windows Mobile client to fail to authenticate - you will be constantly prompted to enter your password despite the details being correct. Having it disabled on the specific virtual directory resolves the problem, but if it is enabled when you export the default configuration, that will be carried over to the new virtual directory you create.
Forms-based authentication is enabled and disabled within the Exchange System Manager rather than within IIS. Browse to the Exchange Server → Protocols → HTTP and open the properties of the Exchange virtual HTTP server:

[Screenshot: disabling forms-based authentication]

For detailed troubleshooting steps on how to resolve Exchange ActiveSync issues, read this article - http://blog.brightpointuk.co.uk/troubleshooting-exchange-activesync