Which ActiveSync authentication method is best for your mobile device?

When securing ActiveSync mobile devices in Exchange 2007, there are several authentication methods, including basic authentication, certificate-based authentication and token-based authentication. Read about the differences between each ActiveSync authentication method to decide which is best to secure mobile devices within your organization.

There are several ways to configure Exchange Server ActiveSync authentication to secure mobile devices, including basic authentication, certificate-based authentication and token-based authentication. In this tip, Microsoft Exchange Server expert Brien Posey summarizes these three ActiveSync authentication methods to help you decide which is best for your Exchange 2007 environment.

ActiveSync certificate-based authentication requires that the mobile device hold a copy of the trusted root certificate for the certificate authority (CA) that issued the SSL certificate used by the client access server (CAS). Basic authentication has the same requirement whenever SSL encryption is used.

Windows Mobile has a number of built-in trusted root certificates from various vendors. If the CAS is using an SSL certificate issued by a well-known CA, it's likely that the required trusted root certificate already exists on the device.

To check if the required root certificate is in place in Windows Mobile 6.1, click on Start and then choose Settings. This will open the mobile device's Control Panel. Go to the System tab and open the Certificates applet. The root tab lists all trusted root certificates, as shown in Figure 1.

Figure 1. In Windows Mobile 6.1, the Certificates applet's Root tab lists all trusted certificate authorities.

If you want to use ActiveSync basic authentication with SSL encryption, you will only need a root certificate. However, for certificate-based authentication you also need a valid client certificate that has been issued to the device. This certificate should have been created specifically for authentication purposes.


Because client certificates are used in the authentication process, there are a few installation steps you must follow to ensure device security. If you're using an internal Enterprise Certificate Authority, note that Windows-based certificate authorities include a built-in website that clients can use to submit certificate requests.

Prior to the release of Windows Server 2008, Windows Mobile clients could log on to https://<server name>/CertSrv and issue a certificate request. However, Windows Server 2008 certificate authorities block certificate requests from mobile devices.

Therefore, you must make a certificate request from a desktop or laptop. The issued certificate must then be manually copied to the mobile device's file system. Next, double-click on the certificate file to install it on the mobile device.

Two other requirements of certificate-based authentication include the following:

  • The computer issuing the certificate request must be a domain member.
  • The mobile device must communicate with the computer via Desktop ActiveSync 4.5 or later if Windows XP is being used, or via the Windows Vista Mobile Device Center.

ActiveSync token-based authentication

Token-based authentication is a two-factor authentication method. ActiveSync supports token-based authentication, but not out of the box. If you want to use token-based authentication on your Windows Mobile device, you must install special authentication software on the client access server. Depending on whether you're using hardware- or software-based authentication, you may have to install authentication software on the mobile device as well.

Token-based authentication combines a username and password with a user's access token. There are several different token-based authentication products on the market, but Exchange Server generally uses token software to generate a six-digit number every 60 seconds.

Each user is also issued a credit card-sized piece of hardware that generates the same six-digit number as the Exchange server. When a user logs in, he must enter his authentication credentials and this six-digit number.

Since Exchange Server ActiveSync won't work unless the user's credentials are stored in the mobile device, some token-based authentication providers offer software-based tokens for Windows Mobile devices. This software prevents an unauthorized mobile device from connecting to ActiveSync, even if the device has a valid set of authentication credentials.

About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
