You have an Exchange Server 2013 organization. You plan to deploy Exchange ActiveSync for mobile
devices. Each mobile device will be authenticated by using certificates issued by an internal
certification authority (CA). You need to configure the organization to authenticate the mobile
devices by using the certificates. Which two actions should you perform? (Each correct answer
presents part of the solution. Choose two.)
A.
From Internet Information Services (IIS) Manager on each Client Access server, configure the
Microsoft-Server-ActiveSync virtual directory to require client certificates.
B.
From Exchange Admin Center, configure the Microsoft-Server-ActiveSync virtual directory to
require client certificates.
C.
From Internet Information Services (IIS) Manager on each Client Access server, enable Active
Directory Client Certificate Authentication.
D.
From Internet Information Services (IIS) Manager on each Mailbox server, enable Active Directory
Client Certificate Authentication.
Explanation:
NOT A
Enable Active Directory Client Certificate Authentication within IIS but configure the MicrosoftServer-ActiveSync virtual directory to require client certificates is performed in Exchange Admin
Center
NOT D
IIS is configured on the Client Access Server not the Mailbox Server
B
After you’ve installed the Exchange 2013 Client Access server, there are a variety of configuration
tasks that you can perform.
Although the Client Access server in Exchange 2013 doesn’t handle processing for the client
protocols, several settings need to be applied to the Client Access server, including virtual directory
settings and certificate settings.
http://technet.microsoft.com/en-us/library/gg247612(v=exchg.150).aspxExchange Server 2013 automatically configures multiple Internet Information Services (IIS) virtual
directories during installation.
This topic contains information about the default IIS authentication settings and default Secure
Sockets Layer (SSL) settings for the Client Access and Mailbox servers.
The following table lists the default settings on a stand-alone Exchange 2013 Client Access server.
Default Client Access server IIS authentication and SSL settings
Virtual directory Authentication method SSL settings
Management method
Microsoft-Server-ActiveSync Basic authentication SSL required Requires 128-bit encryption
EAC or Shell
C
Configure certificate-based authentication for Exchange ActiveSync
http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-basedauthentication-forexchangeactivesync.aspx
Client Access Server Configuration
To configure the Client Access server to enforce certificate based authentication :
1. Verify if Certificate Mapping Authentication is installed on the server.
Right click on Computer in the start menu and choose Manage.
Expand Roles and click on Web Server (IIS)
Scroll down to the Role Services section. Under the Security section you should see Client Certificate
Mapping
Authentication installed.
If you don’t see Client Certificate Mapping Authentication installed, click add Role Services > (scroll)
Security and select Client Certificate Mapping Authentication and then click Install.
Reboot your server.
