Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

iPhone + Client Certificate + Exchange 2003 = No workie

W

Wintrmte

macrumors regular
Original poster
Aug 21, 2006
126
39
Idaho
All,

Has anyone been successful in implementing client based authentication with the iPhone and Exchange 2003 (or 2007 for that matter)?

Our current implementation requires Windows Mobile devices to obtain a client certificate on the users behalf and then upload it to the phone. Our exchange server then requires the device to present the client certificate before letting them in.

This is working on the Windows Mobile side, but is not working on the iPhone side.

I've uploaded the client certificate for our test user to my phone and the exchange server (OWA) is displaying the HTTP Error 403.7 - Forbidden: SSL client certificate is required message when I fire up the mail client (also configured to match the user@domain.com values in the client certificate).

Has anyone had any success in getting this to work, or does anyone have a contact at Apple whom we can work with to resolve this problem? Thanks!
 
I am not sure how you uploaded the certificate. I found the easiest way as the IT administrator for my company was to use the iPhone Configuration Web Utility provided by Apple (free). It allows you to set up everything and then email or export a .xml configuration file that contains the certificate.

The utility allows you to setup email (other than exchange), exchange, WAP's, VPN's, APN's and a few other items I believe as well. It also allows you to enforce password policies. Very useful. You can setup a single configuration file but this will require the end users to enter in more information. I set up a configuration file for each of the users and emailed the files. It took some time setting up the files for each specific user but in the end took less time than my having to setup each users iPhone for them.

You can find the utility here. It is a web utility so it does install on your computer and is accessed via a browser.

Hope that helps.
 
Thanks for the reply! We have been using the iPhone tool to do all our testing.

It looks like there are some inconsistencies with how the mail app actually presents the certificate to the Exchange server. Sometimes I can get it to work, sometimes I can't. I'm not giving up yet, but the lack of documentation is frustrating.
 
Update - After fighting with this thing for the past two days, I think I've come to the conclusion that I'm running into a bug with the 2.0.1 firmware. Here's why I say this:

I have imported all of the certificates for our Root CA chain, my identity certificate into my iPhone.

I'll go into the mail settings and configure exchange with our server information, etc.

I go into the mail app and try to sync my mail, it fails.

I power off the phone, then back on, and go back into Mail, where it will connect to my server and then download the mailbox heirarchy (but not the mail).

So, I am not sure what in the heck is going on here. I'm tempted to contact Apple support, but I don't think this is something tier 1 can help me with.

Anyone have any success with getting client based certificate authentication working with Exchange and the iPhone?
 
I am using 2.0.1 and I have had none of these issues. The only problem I have had is that ocassionally my wifi and push seem to not want to work together but this seems limited to one specific wap.

I am confused about what you are doing though. Are you creating a full profile using the configuration tool? When I created a profile I filled in every possible blank for the features I was configuring. So when I loaded the profile on the iPhone all a use had to do was enter passwords. From your post it is unclear how much info you are putting in the config tool.
 
I don't think the iPhone supports Exchange; it only does the broke Apple push.
 
The iPhone does support exchange (there are some limitations compared to full winmo activesync). It was one of the major additions to 2.0.
 
StoneColdSober said:
I am using 2.0.1 and I have had none of these issues. The only problem I have had is that ocassionally my wifi and push seem to not want to work together but this seems limited to one specific wap.

I am confused about what you are doing though. Are you creating a full profile using the configuration tool? When I created a profile I filled in every possible blank for the features I was configuring. So when I loaded the profile on the iPhone all a use had to do was enter passwords. From your post it is unclear how much info you are putting in the config tool.
Click to expand...

Yeah, let me explain. Our activesync implementation requires that the client (windows mobile phone in this case) contain a certificate for the user who is authenticating into Exchange.

Our ISA box will not let them through unless the phone presents this client certificate.

I can load the client certificate onto the iPhone just fine, the problem is that the iPhone doesn't present this client certificate when asked, thus it fails.

I have looked on Apple's support forums and there are several folks posting with the exact problem, so it's pretty apparent that the iPhone doesn't fully support client based certificate authentication through email.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back