Certificated based authentication and ISA server

I've managed to set up Direct Push on both a PDA and Smartphone with an
Exchange Server behind an ISA Server. But only using basing authentication.
The connection is done through Sercure HTTP so the passwords are not send in
plain text.

This is not good enough. I would like to be able to identify the devices
using certificates connecting from the internet using certificates, because
otherwise it would be possible to connect to our Exchange Server if you can
guess the employee's password.

ISA Server has support for certificate based authentication, but I have the
following problems:

1) For some reason the personal certificates on the mobile devices disappear
once they have been used. So I can connect with certificate based
authentication on our ISA Server and password based authentication for
Exchange and Direct Push will only be running as long as the connection is
kept alive. If the connection goes down I have to reinstall the personal
certificate. This is not really a practical solution. And I do not undertand
why this happens. Any ideas?

2) I can only install the private certificates on the devices using the
third party p12import.exe. Does Microsoft not have solution?

Thanks in advance for any help provided.

Versions:
Windows Server 2003
ISA Server 2004
Exchange Server 2000 with SP2
Qtek 9100 aka HTC Wizard and Qtek 8310 aka HTC Tonado both with Security and
Features Pack aka AKU2.

Hi,
Exchange ActiveSync does allow the network administrator to manage the
devices that are connected to the server. You need to install Exchange
Server ActiveSync Web Administration -
http://www.microsoft.com/downloads/d...DisplayLang=en
With this utility you can remote delete all the data on the device that's
unauthorized. Also, you can then change the user's password to prevent any
future access.

Microsoft does not have a solution to installing personal certificates
PKCS12 format. That is why you have to use the 3rd party utility.

--
Chris De Herrera
http://www.pocketpcfaq.com
http://www.tabletpctalk.com
http://www.pocketpctalk.com
http://www.mobilitytalk.com

ActiveSync 4.x Troubleshooting Guide -
http://www.pocketpcfaq.com/faqs/acti...shoot-as4x.htm

"Jan Aagaard" <> wrote in message
news:F24E5991-04D0-474F-AEDB-...
> I've managed to set up Direct Push on both a PDA and Smartphone with an
> Exchange Server behind an ISA Server. But only using basing
> authentication.
> The connection is done through Sercure HTTP so the passwords are not send
> in
> plain text.
>
> This is not good enough. I would like to be able to identify the devices
> using certificates connecting from the internet using certificates,
> because
> otherwise it would be possible to connect to our Exchange Server if you
> can
> guess the employee's password.
>
> ISA Server has support for certificate based authentication, but I have
> the
> following problems:
>
> 1) For some reason the personal certificates on the mobile devices
> disappear
> once they have been used. So I can connect with certificate based
> authentication on our ISA Server and password based authentication for
> Exchange and Direct Push will only be running as long as the connection is
> kept alive. If the connection goes down I have to reinstall the personal
> certificate. This is not really a practical solution. And I do not
> undertand
> why this happens. Any ideas?
>
> 2) I can only install the private certificates on the devices using the
> third party p12import.exe. Does Microsoft not have solution?
>
> Thanks in advance for any help provided.
>
> Versions:
> Windows Server 2003
> ISA Server 2004
> Exchange Server 2000 with SP2
> Qtek 9100 aka HTC Wizard and Qtek 8310 aka HTC Tonado both with Security
> and
> Features Pack aka AKU2.