What are the steps to configure certificate-based authentication for wireless clients with ACS 5.3?

I need to authenticate my clients connecting via wireless.
The clients have a user certificate installed on them; I need help configuring the ACS to do the authentication.
Can someone please help me with the steps?
Thanks

Two primary steps:
- Define the trust certificates needed to verify the clients' user certificates:
  Users and Identity Stores > Certificate Authorities
- Change the result of the identity policy to select a certificate authorization profile. If you have the default config:
  Access Policies > Access Services > Default Network Access > Identity
  By default you can select "CN Username" as the result.

Similar Messages

  • Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

    Hi,
    I have set-up with below devices :
    Wireless LAN controller 5508
    LAP 3302i
    and ACS 5.1
    Since I am new to ACS 5.1 configuration, I need some information to go ahead and configure ACS 5.1.
    Which EAP method should be used for wireless client authentication? What is the best practice?
    I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate in the ACS server as well as in the client PC. Is that so?
    I have no clear picture of this certificate.
    From where can I get this certificate, or do I need to purchase it separately from Cisco? How do I install it in the ACS server?
    I would be obliged to get at least an initial configuration for ACS 5.1 to enable the EAP method.
    I need a GUI-based initial configuration for ACS 5.1.
    This ACS 5.1 is installed on an ACS 1121 hardware appliance.

    Hi,
    which EAP method to use for wireless client authentication ? what is the best practice ?
    -> I would advise the most widely spread EAP method, which has the best ratio security/easy to deploy: PEAP with MSCHAPv2, which is available by default by all windows machines.
    I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same, I need to install certificate in ACS server as well in client PC. is that so ?
    -> You will always need to install a server certificate, however, there is no need for client certificate because the authentication is based on the MSCHAP credentials exchange, not certificate based. The only requirement on the client regarding certificates is the following.
    If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
    If you do not require to trust the server certificate, you can simply disable the option of server certificate validation.
    I have no clear picture for this certificate ?
    from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
    -> The server certificate can be a simple self signed certificate that you generate and install on the ACS GUI.
    Please feel free to follow this step-by-step guide on
    PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
    http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Certificate based authentication for Exchange ActiveSync in Windows 8.* Mail app

    I have a Surface Pro and want to set up access to my company's Exchange server, which accepts only Exchange ActiveSync certificate-based authentication.
    I've installed the server certificates into the trusted pool and my certificate as a personal certificate.
    Then I can connect through Internet Explorer, but this is not comfortable to use.
    I don't have a password because of the security policies of our company. When I set up this account on my Android phone I use any digit for the password and it works perfectly.
    Can someone help me set up the Windows 8 metro-style Mail application? Does it support this type of auth? When I try to add an account of type Outlook, entering the server name, domain name, username and 1 as the password, I get a message like "Can't connect. Check your settings."
    Are there any plans to implement this feature?

    For what it's worth, we have CBA working with Windows 8.1 Pro. In our case we have a MobileIron Sentry server acting as an ActiveSync reverse proxy, so it verifies the client cert and then uses Kerberos Constrained Delegation back to the Exchange CAS; however, it should work exactly the same against the Exchange server directly. I just used the CA to issue a User Certificate, exported the cert, private key and root CA cert, copied them to the Win 8.1 Pro device and into the Personal Store. I configured the Mail app to point at the ActiveSync gateway, Mail asked if I would like to allow it access to the certificate (it chose it automatically) and mail synced down immediately...
    So it definitely works with Windows 8.1 Pro.

  • The latest version of Reader Mobile iOS (11.6) support certificate-based authentication (for LiveCycle RightsManagement server)?

    The previous release (10.1) says: "Support for our other LiveCycle authentication types may appear in future releases, including Kerberos, Smartcard/PKI certificate-based authentication, SAML-based authentication, or other SSO mechanisms."
    Now, in 11.6, is certificate-based authentication enabled?
    Thanks

    Apparently, security programs like McAfee and Norton view iTunes updates as new programs and block them from access. If you add iTunes to the list of exemptions, it solves the problem.

  • Web based authentication for wired client, Credentials submission failure.

    Hi,
    I am trying to set up the functionality "Cisco web based authentication" for the wired clients.
    The problem I encountered is that my switch doesn't forward the client's password to the ACS.
    When the user validates his credentials on the login page, only the login seems to be forwarded.
    The result of the command "show ip admission cache" always shows the client in the init state (I use the default Cisco web login page).
    The connection between the AAA servers and the switch is working.
    You will find in the attachments the running-config and the debug file.
    Thanks for your help, any ideas are welcome :) (the IOS version is c3750e-ipbasek9-mz.150-2.SE7).

    Well, I took a look at your documents but I didn't find anything that helped me ;S.
    I'm still stuck on the same step.

  • IOS 6.0.1 - Problems with certificate based authentication on wireless access point

    Hi all
    We have been using iPad 2 as order terminals in our shops for about 5 months. Some of the iPads (the first that entered the field) have started to cause problems now. These iPads are no longer able to keep a long-term connection to the wireless access point in our stores. After selecting the SSID, a successful authentication using the stored EAP-TLS certificate is performed (this can be seen in the log files of our wireless controller and by the IP address that is given by DHCP). But within seconds the affected iPads open up a captive portal page (empty, without contents) and drop the connection to the SSID again after a short time.
    Affected are currently only iPad 2 devices with iOS 6.0.1, which were staged about 5 months ago. The newer devices with iOS 6.1+ connect without problems and open no captive portal page. The first cases occurred last Wednesday. Before that everything worked without difficulty. No modifications took place on the security structure. The number of affected devices increased until all iOS 6.0.1 devices were affected.
    Access to other SSIDs (without use of certificates, by entering a key) is still possible for the devices (the devices do not open a captive portal page). The DHCP scope is not used up, so there are enough IP addresses available.
    "Newer iPads" with iOS 6.1+ show no problems on the same wireless access point where the older devices are rejected. New and old devices use the same certificates and authentication mechanisms.
    In the analysis of the issue, it turned out that the problem can be solved by an update to iOS 6.1.3. Subsequently, the iPads are able to rebuild a connection with the access point, without a captive portal page.
    Since the bandwidth is very narrowly dimensioned in our stores, the communication of the iPads was severely restricted. Thus, the iPads are for example accessible for APNS but cannot find iOS updates or check for their availability.
    A comprehensive update to iOS 6.1.3 is currently excluded.
    Does anyone know this issue? What else can be done (apart from updating)?

    I will answer my own question in case it helps anyone else.
    It would "seem" the iOS 6 devices try the proxy and, if that is not working, they resort to the default gateway.
    To fix it I did the following:
    The Brocade WiFi network has IPS and Advanced Firewall rules that seemed to be thwarting some traffic; the iPhones would then try the default gateway and be blocked at the FW.
    I disabled the IPS and the Advanced Firewall settings on the WiFi as they are redundant to our main IPS and firewall that all traffic flows through anyway. I will tune it later, but when the CEO is demanding a fix, "**** the security, full speed ahead".
    Created some rules on the firewall to allow...
    - IMAP-SSL (port 993) outbound
    - SMTPS (port 465) to Yahoo servers outbound
    - TCP port 587 to Yahoo servers outbound
    - HTTPS to Akamai servers
    Most HTTP and HTTPS goes through the proxy as it should, BUT...
    It seems that the Akamai traffic always ignores the WiFi proxy settings and just heads straight for the default gateway. I suspect there is a bug in the iCloud app?
    Hope this helps someone else.
    -Bo

  • Cisco ISE 1.3 using 802.1x Authentication for wireless clients

    Hi,
    I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy, but when I come to authenticate, the authorization policy selected is the default, which denies access.
    I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication:
    MACHINE AUTHENTICATION
    match
    framed
    Wireless
    AD group (machine)
    USER AUTHENTICATION
    match
    framed
    Wireless
    AD group (USER)
    was authenticated = true
    Below are the steps taken to authenticate; any ideas would be great.
    11001  Received RADIUS Access-Request  
      11017  RADIUS created a new session  
      15049  Evaluating Policy Group  
      15008  Evaluating Service Selection Policy  
      15048  Queried PIP  
      15048  Queried PIP  
      15048  Queried PIP  
      15006  Matched Default Rule  
      11507  Extracted EAP-Response/Identity  
      12300  Prepared EAP-Request proposing PEAP with challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated  
      12318  Successfully negotiated PEAP version 0  
      12800  Extracted first TLS record; TLS handshake started  
      12805  Extracted TLS ClientHello message  
      12806  Prepared TLS ServerHello message  
      12807  Prepared TLS Certificate message  
      12810  Prepared TLS ServerDone message  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12318  Successfully negotiated PEAP version 0  
      12812  Extracted TLS ClientKeyExchange message  
      12804  Extracted TLS Finished message  
      12801  Prepared TLS ChangeCipherSpec message  
      12802  Prepared TLS Finished message  
      12816  TLS handshake succeeded  
      12310  PEAP full handshake finished successfully  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12313  PEAP inner method started  
      11521  Prepared EAP-Request/Identity for inner EAP method  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11522  Extracted EAP-Response/Identity for inner EAP method  
      11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated  
      15041  Evaluating Identity Policy  
      15006  Matched Default Rule  
      22072  Selected identity source sequence  
      15013  Selected Identity Source - AD1  
      24430  Authenticating user against Active Directory  
      24325  Resolving identity  
      24313  Search for matching accounts at join point  
      24315  Single matching account found in domain  
      24323  Identity resolution detected single matching account  
      24343  RPC Logon request succeeded  
      24402  User authentication against Active Directory succeeded  
      22037  Authentication Passed  
      11824  EAP-MSCHAP authentication attempt passed  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response  
      11814  Inner EAP-MSCHAP authentication succeeded  
      11519  Prepared EAP-Success for inner EAP method  
      12314  PEAP inner method finished successfully  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      24423  ISE has not been able to confirm previous successful machine authentication  
      15036  Evaluating Authorization Policy  
      15048  Queried PIP  
      15048  Queried PIP  
      24432  Looking up user in Active Directory - xxx\zzz Support  
      24355  LDAP fetch succeeded  
      24416  User's Groups retrieval from Active Directory succeeded  
      15048  Queried PIP  
      15048  Queried PIP  
      15004  Matched rule - Default  
      15016  Selected Authorization Profile - DenyAccess  
      15039  Rejected per authorization profile  
      12306  PEAP authentication succeeded  
      11503  Prepared EAP-Success  
      11003  Returned RADIUS Access-Reject  
      5434  Endpoint conducted several failed authentications of the same scenario  

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected because your machine was not authenticated prior to this connection.
    The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at, but I'd do those two first.
    Log off and on, or reboot, and then see if you at least get a failed machine auth on the Operations > Authentications page, and we can go from there.
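    The reply above pins the reject on a single step (24423) buried in a long step list. The triage helper below, an added example that is not part of the thread, parses a step list in the same "code  message" shape, pulls out the identity source, the matched authorization rule and profile, and reports whether the MAR warning explains a reject that followed a passed authentication. The step list embedded in it is a constructed subset of the log quoted above; the step codes used (15004, 15013, 15016, 22037, 24423, 11003) are the ones visible in that log.

```python
"""Triage an ISE/ACS authentication step list (constructed example)."""
import re
from typing import Dict, List, Optional, Tuple

# Each line is "<step code>  <message>", possibly indented, possibly with trailing blanks.
STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.*?)\s*$")

# Step codes as they appear in the quoted log; nothing else is assumed about ISE.
CODE_IDENTITY_SOURCE = "15013"      # "Selected Identity Source - <name>"
CODE_MATCHED_AUTHZ_RULE = "15004"   # "Matched rule - <rule>"
CODE_SELECTED_AUTHZ_PROFILE = "15016"  # "Selected Authorization Profile - <profile>"
CODE_AUTHN_PASSED = "22037"         # "Authentication Passed"
CODE_MAR_NOT_CONFIRMED = "24423"    # machine authentication could not be confirmed
CODE_ACCESS_REJECT = "11003"        # "Returned RADIUS Access-Reject"

# Constructed subset of the step list quoted in the question (not a full log).
SAMPLE_STEPS = """\
11001  Received RADIUS Access-Request
15049  Evaluating Policy Group
15013  Selected Identity Source - AD1
24402  User authentication against Active Directory succeeded
22037  Authentication Passed
24423  ISE has not been able to confirm previous successful machine authentication
15036  Evaluating Authorization Policy
15004  Matched rule - Default
15016  Selected Authorization Profile - DenyAccess
15039  Rejected per authorization profile
11003  Returned RADIUS Access-Reject
"""


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) pairs; lines that are not steps are ignored."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def _after_dash(msg: str) -> str:
    """'Matched rule - Default' -> 'Default'."""
    return msg.split(" - ", 1)[-1]


def triage(text: str) -> Dict[str, Optional[object]]:
    """Summarise why a session ended the way it did."""
    steps = parse_steps(text)
    codes = {code for code, _ in steps}
    result: Dict[str, Optional[object]] = {
        "authn_passed": CODE_AUTHN_PASSED in codes,
        "rejected": CODE_ACCESS_REJECT in codes,
        "mar_not_confirmed": CODE_MAR_NOT_CONFIRMED in codes,
        "identity_source": None,
        "authz_rule": None,
        "authz_profile": None,
        "likely_cause": None,
    }
    for code, msg in steps:
        if code == CODE_IDENTITY_SOURCE:
            result["identity_source"] = _after_dash(msg)
        elif code == CODE_MATCHED_AUTHZ_RULE:
            result["authz_rule"] = _after_dash(msg)
        elif code == CODE_SELECTED_AUTHZ_PROFILE:
            result["authz_profile"] = _after_dash(msg)
    # The interesting case from the thread: credentials were fine, authorization was not.
    if result["rejected"] and result["authn_passed"]:
        if result["mar_not_confirmed"]:
            result["likely_cause"] = (
                "user authentication passed but no prior machine authentication "
                "was recorded (MAR), so the 'was authenticated' condition failed "
                "and the default authorization rule applied"
            )
        else:
            result["likely_cause"] = "authorization policy fell through to rule %r" % (
                result["authz_rule"],
            )
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_STEPS).items():
        print("%-18s %s" % (key, value))
```

    Run against the full step list from the question, it reports the same thing the reply does: authentication passed, MAR could not be confirmed, rule Default matched and profile DenyAccess was selected. A session that was rejected without 22037 in it gets no "likely cause", since that is a different failure class (bad credentials or EAP negotiation) and deserves its own look.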

  • Certificate based authentication for mobile

    We are looking at deploying mobile applications to our mobile BYOD estate. One of the ideas we're looking at is using user certificates pushed to the devices as a form of authentication in addition to the PIN the users will need to enter. The certificates would be pushed to the devices when they enroll.
    We can spin up a Windows 2008 Server PKI to generate the certs. The idea is:
    i. User downloads an app from our corporate app store
    ii. As part of the enrollment process, they will contact a server named MobileAppSvr1 that will request a certificate on their behalf from the internal PKI.
    iii. The certificate will be created which binds the public key to the username
    iv. The certificate is pushed to the device via MobileAppSvr1
    v. Whenever the user wishes to launch the app again, then they are requested to enter a password and MobileAppSvr1 would also check the cert hasn't been revoked for that user.
    Some questions:
    a) I understand the certificate is digitally signed by our CA. Does this mean the user's device has to trust the CA or MobileAppSvr1?
    b) Where does the Private Key come into play here? Does any decryption need to be done at all?
    c) Do we need any s/w on the mobile device to decrypt anything?
    d) Would the above solution (steps i to v) work theoretically?

    Hi,
    I apologize for my mistakes in the previous reply.
    When Certificate Services work in conjunction with CryptoAPI, after a client generates a request for a new certificate, the request is first sent from the requesting program to CryptoAPI. Then, CryptoAPI provides the proper data to a cryptographic service provider (CSP) that is installed on your computer or on a device that is accessible to your computer. After that, the CSP will generate a key pair. The public key is sent to the certification authority (CA), along with the certificate-requester information, while the private key is stored in the requester's protected certificate store (no sending), and CryptoAPI will manage the private key for all cryptography operations.
    Here are some related articles for your reference:
    Microsoft CryptoAPI and Cryptographic Service Providers
    http://technet.microsoft.com/en-us/library/cc962093.aspx
    Cryptographic Service Providers
    http://technet.microsoft.com/en-us/library/cc731248.aspx
    Installing New Cryptographic Service Providers
    http://blogs.technet.com/b/industry_insiders/archive/2007/04/03/installing-new-cryptographic-service-providers.aspx
    Have a nice day!
    Amy

  • What are the steps to design a robotic arm for inverse kinematics calculation and 3D simulation?

    I want to design a 5-axis robotic arm for my college project, and I want to simulate the model before building the hardware, so please help me design the arm in LabVIEW.

    If you are familiar with the Denavit-Hartenberg convention the LabVIEW Robotics Module has functions to visualize and find numerical inverse kinematics for serial robotic arms. Be aware though that there is a visualization bug that affects prismatic joints, causing them to be treated as revolute joints. The inverse\forward kinematic solutions should be correct though.

  • What are the ASCII and hexadecimal characters for wireless passwords?

    I am trying to set up my wireless AirPort and have no clue what these characters are. I use a cable modem and a router for my current setup but now have an Extreme and an Express to go wireless. I remember seeing a diagram for setting up a home network but can't locate it now that I need it.
    Thanks in advance for any help.

    Are the characters numbers? Letters? Or?
    Are they to be entered in a certain order or font?

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is simple, with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
    I can ping the IP address of the ACS server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that with this running config, traffic is not directed to the L2L VPN tunnel
    (it seems to be directed to the default gateway due to the default route), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? And if yes, what should the config be?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • Need Help about Certificate based Authentication

    Hi friends..
    Currently, I'm trying to develop an applet that uses Certificate Based Authentication.
    I have looked at this thread: http://forums.sun.com/thread.jspa?threadID=5433603
    This is what Safarmer says about the steps to generate a CSR:
    0. Generate key pair on the card.
    1. Get public key from card
    2. Build CSR off card from the details you have, the CSR will not have a signature
    3. Decide on the signature you want to use (the rest assumes SHA1 with RSA Encryption)
    4. Generate a SHA1 hash of the CSR (without the signature section)
    5. Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
    6. Send DigestInfo to the card
    7. On the card, use the matching private key to encrypt the DigestInfo
    8. Return the encrypted digest info to the host
    9. Insert the response into the CSR as the signature
    Sorry, I'm a little bit confused about those steps (sorry, I'm pretty new to X509Certificate).
    On step 4,
    Generate a SHA1 hash of the CSR (without the signature section)
    Does it mean we have to "build" a CSR that looks like:
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=California, L=West Hollywood, O=ITDivision, OU=Mysys, CN=leonardo.office/[email protected]
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
    Modulus (1024 bit):
    00:be:a0:5e:35:99:1c:d3:49:ba:fb:2f:87:6f:d8:
    ed:e4:61:f2:ae:6e:87:d0:e2:c0:fd:c1:0f:ed:d7:
    84:04:b5:c5:66:cd:6b:f0:27:a2:cb:aa:3b:d7:ad:
    fa:f4:72:10:08:84:88:19:24:d0:b0:0b:a0:71:6d:
    23:5e:53:4f:1b:43:07:98:4d:d1:ea:00:d1:e2:29:
    ea:be:a9:c5:3e:78:f3:5e:30:1b:6c:98:16:60:ba:
    61:57:63:5e:6a:b5:99:17:1c:ae:a2:86:fb:5b:8b:
    24:46:59:3f:e9:84:06:e2:91:b9:2f:9f:98:04:01:
    db:38:2f:5b:1f:85:c1:20:eb
    Exponent: 65537 (0x10001)
    Attributes:
    a0:00
    On step 5, Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
    What does the DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) look like?
    And what does the DigestInfo contain, and what is the TAG for DigestInfo?
    Please help me regarding this.
    Thanks in advance.
    Leonardo Carreira

    Hi,
    Leonardo Carreira wrote:
    Sorry, is encoding the Public Key handled by the On Card Application or the Off Card Application?
    I think it's easier to encode the public key in the Off Card app.
    Could you guide me how to achieve this? I think Bouncy Castle can do this, but sorry, I don't know how to write code for it.. :(
    All you need to do is extract the modulus and exponent of the public key. These will be in a byte array (response from your card) that you can use to create a public key object in your host application. You can then use this key to create a CSR with Bouncy Castle.
    I have some questions:
    1. Does Javacard provide an API to deal with the DER data format?
    JC 2.2.1 does not, but JC 2.2.2 does; however, I believe this is an optional package. You can implement this in your applet though.
    2. Regarding Certificate Based Authentication, what needs to be stored in the Applet?
    - I think the Applet must hold:
    - its Private Key,
    - its Public Key Modulus and its Public Key Exponent,
    - its Certificate,
    - Host Certificate
    I think this requires too much EEPROM to store only the key.
    This depends on what you mean by Certificate Based Authentication. If you want your applet to validate certificates it is sent against a certificate authority (CA) then you need the public keys for each trust point up to the root CA. To use the certificate for the card, you need the certificate and corresponding private key. You would not need to use the public key on the card so this is not needed. You definitely need the private key.
    Here is a rough estimate of data storage requirements for a 2048 bit key (this is done off the top of my head so is very rough):
    ~800 bytes for your private key
    ~260 bytes per public key for PKI hierarchy (CA trust points)
    ~1 - 4KB for the certificate. This depends on the amount of data you put in your cert
    3. What is the appropriate RSA key length, because we have to take into account that the buffer is only 255 bytes (assuming I don't use Extended Length)?
    You should not base your key size on your card capabilities. You can always use APDU chaining to get more data onto the card. Your certificate is guaranteed to be larger than 256 bytes anyway. You should look at the NIST recommendations for key strengths. These are documented in NIST SP 800-57 [http://csrc.nist.gov/publications/PubsSPs.html]. You need to ensure that the key is strong enough to protect the data for a long enough period. If the key is a transport key, it needs to be stronger than the key you are transporting. As you can see there are a lot of factors to consider when deciding on key size. I would suggest you use the strongest key your card supports unless performance is not acceptable. Then you would need to analyse your key requirements to ensure your key is strong enough.
    Cheers,
    Shane
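    Steps 4 to 9 of the recipe quoted in the question, and the "what does DigestInfo look like and what is its tag" part, are easiest to see in running code. The block below is an added example, not code from either poster or from the Sun thread: the card is simulated by a Python class that holds a freshly generated RSA key and behaves like a PKCS#1 v1.5 private-key operation (pad on card, as the recipe's step 7 implies), and the unsigned CertificationRequestInfo is a constructed stub rather than a real PKCS#10 body. Only the standard library is used, which is why the RSA key is generated with a small Miller-Rabin routine instead of a CSP. The DigestInfo prefix is the SHA-1 one because that is what the recipe assumes; the same SEQUENCE { AlgorithmIdentifier, OCTET STRING } shape applies to SHA-256 with a different prefix.

```python
"""Host-side CSR signing with the private key held on a (simulated) card."""
import hashlib
import secrets

# DigestInfo for SHA-1, DER-encoded (PKCS#1 v2.1 / RFC 3447, section 9.2, note 1):
#   30 21                       SEQUENCE (DigestInfo) -- so the tag asked about is 0x30
#      30 09                    SEQUENCE (AlgorithmIdentifier)
#         06 05 2b 0e 03 02 1a  OID 1.3.14.3.2.26 (sha1)
#         05 00                 NULL parameters
#      04 14                    OCTET STRING, 20 bytes: the digest follows
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
# AlgorithmIdentifier for sha1WithRSAEncryption (OID 1.2.840.113549.1.1.5), used in step 9.
SHA1_WITH_RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101050500")


def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_digest_info(cri_der: bytes) -> bytes:
    """Steps 4 and 5: SHA-1 over the unsigned CSR body, wrapped in DigestInfo."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(cri_der).digest()


def emsa_pkcs1_v15(digest_info: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo, k bytes long, as an integer."""
    ps_len = k - len(digest_info) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this DigestInfo")
    return int.from_bytes(b"\x00\x01" + b"\xff" * ps_len + b"\x00" + digest_info, "big")


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; fine for a demo key, not a replacement for a real CSP."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


class SimulatedCard:
    """Stand-in for the on-card applet (steps 0, 1, 6, 7, 8). The private exponent
    never leaves the object; sign_digest_info pads with EMSA-PKCS1-v1_5 and applies it,
    which is what a JavaCard RSA PKCS#1 private-key cipher operation does on card."""

    def __init__(self, bits: int = 512) -> None:  # 512-bit demo key keeps generation fast
        e = 65537
        while True:
            p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
            n, phi = p * q, (p - 1) * (q - 1)
            if p != q and phi % e and n.bit_length() == bits:
                break
        self._n, self._e, self._d = n, e, pow(e, -1, phi)

    def get_public_key(self):
        """Step 1: only modulus and public exponent are exported."""
        return self._n, self._e

    def sign_digest_info(self, digest_info: bytes) -> bytes:
        """Steps 6 to 8: receive DigestInfo, pad, apply private key, return signature."""
        k = (self._n.bit_length() + 7) // 8
        return pow(emsa_pkcs1_v15(digest_info, k), self._d, self._n).to_bytes(k, "big")


def assemble_csr(cri_der: bytes, signature: bytes) -> bytes:
    """Step 9: CertificationRequest ::= SEQUENCE { cri, AlgorithmIdentifier, BIT STRING }."""
    return der_tlv(0x30, cri_der + SHA1_WITH_RSA_ALGID + der_tlv(0x03, b"\x00" + signature))


def verify_csr_signature(cri_der: bytes, signature: bytes, n: int, e: int) -> bool:
    """What the CA does: public RSA op, then compare against a fresh encoding."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    return s < n and pow(s, e, n) == emsa_pkcs1_v15(build_digest_info(cri_der), k)


# Constructed stand-in for the unsigned CertificationRequestInfo (not a valid PKCS#10 body).
CRI_STUB = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x13, b"CN=placeholder"))

if __name__ == "__main__":
    card = SimulatedCard()
    n, e = card.get_public_key()
    sig = card.sign_digest_info(build_digest_info(CRI_STUB))
    print("signature verifies:", verify_csr_signature(CRI_STUB, sig, n, e))
    print("CSR DER length:", len(assemble_csr(CRI_STUB, sig)))
```

    The split of work matches the recipe: everything up to the 35-byte DigestInfo happens off card, only that blob crosses the APDU interface, and the card returns a modulus-sized signature. The verifier recomputes the padded encoding and compares it whole, which is the RFC 3447 way of checking an RSASSA-PKCS1-v1_5 signature and avoids parsing attacker-controlled DER out of the decrypted block.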

  • How does Certificate based authentication work?

    We are doing certificate-based authentication in an enterprise with Android phones and Exchange 2010.
    We are using ActiveSync to talk to Exchange over SSL.
    It is working.
    I am trying to document HOW it works (on a fairly high level).
    I have some information, but would like to know what happens when Exchange gets the actual client auth cert from the device in the last part of the authentication process.
    Does Exchange forward it in toto to AD, since AD (and its related PKI service) created the cert?
    Thanks.
    Mac

    Hi Ainm
    Exchange ActiveSync supports several types of user authentication. By default, Exchange ActiveSync is configured to use Basic authentication. This transmits the user name and password in clear text. You can configure Exchange ActiveSync to use certificate-based authentication. This method uses a certificate on both the server and the device to validate the connection from the device to the server.
    There are differences between the mobile operating systems as to what format they like their certificates in, but both Windows Mobile and iPhone are happy to use pfx files whereas Android prefers it as a p12 (which can be just a renamed pfx file if you like).
    Certificate based authentication is done via kerberos and yes Exchange should perform the lookup with AD for verifying that your certificate is good and valid.
    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Check out my latest blog posts on http://exchangequery.com
    Thanks Sathish (MVP)

  • OWA and ActiveSync certificate based authentication

    I have Exchange 2013 CU3 installed and want to activate certificate-based authentication for ActiveSync and OWA. But I want to have the login without a certificate as well, for users without a certificate.
    I already found some information on how to do that on Exchange 2010 and I already did all the steps to activate it.
    But at one point I can't find anything to configure in Exchange 2013. So I have activated AD certificate-based authentication in IIS and configured the OWA folder in IIS to accept client certificates. This seems to work, as I get asked to use the certificate when I open the OWA page. But then I land on the OWA login page where I have to enter username and password.
    So it seems that I am missing something. In the tutorials for Exchange 2010 they activate certificate-based authentication in the Management Console. But I can't find anything in ECP to activate.
    Can anyone help me?

    Hi,
    We can create an additional Web Site in IIS to configure additional OWA and ECP virtual directories for external access, and configure the Default Web Site for internal access.
    Then we can configure the internal one with Integrated Windows authentication and Basic authentication, while the external one is configured for forms-based authentication with the Domain\user name format. For more information about configuring multiple OWA/ECP virtual directories, we can refer to:
    https://blogs.technet.com/b/exchange/archive/2011/01/17/configuring-multiple-owa-ecp-virtual-directories-on-exchange-2010-client-access-server.aspx
    Thanks,
    Winnie Liang
    TechNet Community Support

  • SSO Certificate-based authentication problem

    Hello,
    I have successfully configured certificate-based authentication, and I am able to authenticate with a user certificate that I created with OCA, which is stored in the user's profile in OID. Here lies my problem: it seems as if the authentication module (ssomappernickname) only validates against the first certificate stored in the user's profile (userCertificate attribute). This is after I add another certificate to the user's profile. Below is the problem I am describing, from my tests:
    Order of certificates stored in the user's profile:
    1. valid cert, invalid cert -> successful authentication
    2. invalid cert, valid cert -> unsuccessful authentication (it should STILL be successful here)
    Shouldn't the SSO authentication module search each binary certificate in the multi-valued attribute for the correct certificate? Or is there some LDAP control that I need to set in order to get this problem solved? Basically, I need to be able to let users perform certificate authentication against multiple certificates in their profiles.

    For the benefit of anyone finding this, in my case this problem was resolved by reimporting my internal CA's cert into the ASA.
    I suspect I had inadvertently imported an expired CA cert into the ASA and this rather uninformative error 1838 is trying to tell you this.
