Did EAS Certificate Based Authentication Go Away With Exchange 2013?

I am not seeing any official Microsoft documentation anywhere referring to the procedure for setting up certificate based authentication for Exchange ActiveSync for Exchange 2013.  I only see references to Exchange 2010.

I also notice a link referring to troubleshooting certificate based authentication on Exchange 2013 has been removed by Microsoft:

support.microsoft.com/kb/2927355

Did they remove this feature in Exchange 2013?

May 6th, 2014 9:50pm

Yes, it is a discontinued feature.

Refer to the link http://technet.microsoft.com/en-us/library/jj619283(v=exchg.150).aspx for all the discontinued features.  (Discontinued Features from Exchange 2010 to Exchange 2013 >  Client Access.)

May 6th, 2014 11:39pm


The info in that link says smart card authentication for full Outlook clients, not Exchange Active Sync.  Seems like they would be more clear in their description if that was to also apply to ActiveSync.

May 6th, 2014 11:48pm

The link refers to smartcard authentication also known as common access card (CAC).  This can be viewed synonymously as certificate based authentication here as smartcard authentication uses x.509 certificates for authentication with the difference that the certificate is on a separate physical card, not installed on the device directly.

Although the wording could be a little better, the information is saying that smartcard authentication itself is no longer supported, which was also known as certificate based authentication when using clients such as Outlook 2007.  Even though ActiveSync is not explicitly indicated, the information refers to the end of support for the technology feature, not the technology feature through a specific client.

May 7th, 2014 12:23am

Makes no sense.

Smart card authentication (physical device plugged into a PC for authentication) is not the same thing as using a certificate in lieu of typing a user name and password on a smartphone or tablet.

That link very clearly specifies Outlook as what they are referring to. 

"Wording could be better" is really putting it mildly if they meant to include Certificate Based Authentication for Exchange ActiveSync, but are referring to it as "smartcard" authentication.

May 7th, 2014 12:30am

Smart card authentication (physical device plugged into a PC for authentication) is not the same thing as using a certificate in lieu of typing a user name and password on a smartphone or tablet.

Please refer to the second paragraph in this blog from the Microsoft AD Team: http://blogs.technet.com/b/ad/archive/2009/04/06/when-smartcard-logon-doesn-t.aspx

I understand that, because the link for decommissioned features in Exchange 2013 does not specifically indicate that certificate based authentication for ActiveSync is no longer a supported feature, it may leave room to assume it is still supported.  Taking into consideration that a KB article referencing certificate based authentication was removed, the closely related feature for smart card authentication is no longer supported, and there is no other documentation on configuring or using certificate based authentication in Exchange 2013, I think it can be interpreted that certificate based authentication is currently not supported.


May 7th, 2014 5:26am

Some others have claimed to have it working already.

http://social.technet.microsoft.com/Forums/exchange/en-US/9587fb7e-707f-4724-ac1b-b31a48980131/certificate-based-authentication-ios-initially-connects-fine-then-the-connection-to-the-server?forum=exchangesvrmobility

I'll try it in a lab to play with it.

After even more searching online, I found that apparently support for it is coming in the next update:

https://twitter.com/expta/status/450716284221526016

We will be waiting for this support before migrating from 2010 to 2013.  

It's shocking that it is taking this long to implement it and that Microsoft worded their decommissioned features page so incredibly poorly that you must parse the wording on that page and others to try to guess what they are really trying to say or not say. 

Those types of documentation pages should be worded plainly, clearly and completely so there is no room for interpretation.

May 7th, 2014 6:02am

It depends on what you mean by "supported". A feature might be working in most cases, but that doesn't mean MSFT support will help you if it doesn't work.

SmartCard support in Outlook has relied on explicit support from Exchange because previous Outlook/Exchange combos used MAPI as the communications protocol.

Exchange ActiveSync however has always relied on the HTTP protocol. The client certificate support for EAS has as such never been an Exchange feature per se, as it has relied on IIS and the crypto stack in the OS.

This in turn means it can be a real pain to get working as Exchange running on different versions of Windows Server can behave differently.

I used this procedure to set it up on Exchange 2010 and Server 2008 R2: http://mobilitydojo.net/2010/05/19/securing-exchange-activesync-with-client-certificates-lan-access/

Most of these settings would be present in Server 2012 (R2) as well, but I haven't updated the guide so I cannot guarantee the results.

And as you can see you can configure the setup multiple ways - use only client certs or certs + password.

How this works in CU5 that is referred to by Jeff Guillet's tweet I don't know. But I'm guessing things have to be reworked a little so the implementation can work both in on-prem Exchange environments and Office 365. (The heavy reliance on the OS setup doesn't lend itself to clouded setups.) If you can configure it all in Exchange that's a good thing of course, but there's nothing preventing you from testing it through IIS in the meantime :)

May 7th, 2014 10:36am
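
As an added illustration of the point in the post above that client-certificate handling for EAS sits in IIS rather than in Exchange (this is not code from the thread or from Microsoft), the following read-only PowerShell check reports which of the setups mentioned there, certificates only or certificates plus password, the ActiveSync virtual directory is currently configured for. It assumes the default site name `Default Web Site` and the standard `Microsoft-Server-ActiveSync` virtual directory; `Get-IisValue` is a helper name introduced here.

```powershell
# Added example (read-only): how IIS treats client certificates on the EAS vdir.
Import-Module WebAdministration

$site = 'Default Web Site'                      # assumption: default front-end site name
$loc  = "$site/Microsoft-Server-ActiveSync"     # standard EAS virtual directory
$root = 'MACHINE/WEBROOT/APPHOST'
$auth = 'system.webServer/security/authentication'

function Get-IisValue {                         # hypothetical helper, not a built-in cmdlet
    param([string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $root -Location $loc -Filter $Filter -Name $Name
    # Some attributes come back wrapped in an object exposing .Value; unwrap if so.
    if ($null -ne $v -and $null -ne $v.Value) { $v.Value } else { $v }
}

# sslFlags is a comma-separated flag list, e.g. "Ssl, SslNegotiateCert, SslRequireCert".
$flags   = ([string](Get-IisValue 'system.webServer/security/access' 'sslFlags')) -split '\s*,\s*'
$basic   = [Convert]::ToBoolean((Get-IisValue "$auth/basicAuthentication" 'enabled'))
$certMap = [Convert]::ToBoolean((Get-IisValue "$auth/clientCertificateMappingAuthentication" 'enabled'))

$certPolicy = if ($flags -contains 'SslRequireCert') {
    'Required'
} elseif ($flags -contains 'SslNegotiateCert') {
    'Accepted'
} else {
    'Ignored'
}

# Classify the combinations the thread discusses; anything else needs a manual look.
$mode = if ($certPolicy -eq 'Required' -and $certMap -and -not $basic) {
    'Client certificate only'
} elseif ($certPolicy -eq 'Required' -and $basic) {
    'Client certificate + password'
} elseif ($certPolicy -eq 'Ignored' -and $basic) {
    'Password only'
} else {
    'Mixed or unexpected: review manually'
}

[pscustomobject]@{
    Location           = $loc
    RequireSsl         = $flags -contains 'Ssl'
    ClientCertificates = $certPolicy
    BasicAuth          = $basic
    CertMappingAuth    = $certMap
    EffectiveMode      = $mode
}
```

Run it in an elevated session on the server hosting the virtual directory; a result of `Accepted` rather than `Required` means a device without a certificate can still reach the endpoint with a password alone.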


I used this procedure to set it up on Exchange 2010 and Server 2008 R2: http://mobilitydojo.net/2010/05/19/securing-exchange-activesync-with-client-certificates-lan-access/

Most of these settings would be present in Server 2012 (R2) as well, but I haven't updated the guide so I cannot guarantee the results.


So, what if I install Exchange 2013 SP1 in the lab on Server 2008 R2 instead of Server 2012 R2?  Should those instructions in your link work then since certificate based authentication for ActiveSync relies on the OS version instead of the Exchange version?


May 7th, 2014 7:26pm

It could be worth a shot at least. (As stated I haven't tested this lately.)

Unless Exchange 2013 has taken active steps for it to not work with client certificates it would still be controlled by IIS.

May 9th, 2014 9:24am

Now that Certificate Based Authentication is officially supported, has Microsoft posted instructions anywhere on how to set this up for Exchange 2013?  If so, I can't find it and it is now more than two months since the release of CU5.

Seems like they kind of quietly slipped this feature into CU5 without documentation about it other than saying it is available.

I can only find CBA setup information online for older versions of Exchange.

July 31st, 2014 9:01am

Now that Certificate Based Authentication is officially supported, has Microsoft posted instructions anywhere on how to set this up for Exchange 2013?  If so, I can't find it and it is now more than two months since the release of CU5.

Seems like they kind of quietly slipped this feature into CU5 without documentation about it other than saying it is available.

I can only find CBA setup information online for older versions of Exchange.

As of December 1 2014 I cannot find any documentation nor mention of CBA for Exchange 2013.  It still isn't even acknowledged in the CU5 official documentation that support for CBA even exists (at least that I can see).
December 2nd, 2014 3:17am

Isn't this all very bizarre after all these months?  3 more CUs are out.

What's stopping Microsoft from creating proper documentation?

February 5th, 2015 1:13am

It's been more than a year since this thread was started and Microsoft is already talking about the coming release of Exchange 2016.

Has Microsoft posted a guide to setting up Exchange 2013 ActiveSync certificate based authentication?


May 17th, 2015 10:51pm

This topic is archived. No further replies will be accepted.
