Citrix Endpoint Management

Configuring certificate-based authentication with EWS for Citrix Secure Mail push notifications

For Citrix Secure Mail push notifications to work, you must do the following:

  • Configure Exchange Server for certificate-based authentication. This is especially necessary when Citrix Secure Hub is enrolled in Citrix Endpoint Management with certificate-based authentication.

  • Configure the ActiveSync and Exchange Web Services (EWS) virtual directories on the Exchange Mail Server with certificate-based authentication.

Unless you complete these configurations, the subscription to Citrix Secure Mail push notifications fails and no badge updates occur in Citrix Secure Mail.

This article describes the steps to configure certificate-based authentication. The configuration applies specifically to the EWS virtual directory on the Exchange Server.

To get started with the configuration, do the following:

  1. Log on to the server or servers where the EWS virtual directory is installed.

  2. Open the IIS Manager Console.

  3. Under the Default Web Site, click the EWS virtual directory.

    The Authentication, SSL, and Configuration Editor snap-ins are on the right side of the IIS Manager Console.


  4. Make sure that the Authentication settings for EWS are configured as shown in the following figure.

    IIS Manager Console

  5. Configure the SSL Settings for the EWS virtual directory.

    1. Select the Require SSL checkbox.

    2. Under Client Certificates, click Require. Or, if other EWS mail clients use a user name and password to authenticate to the Exchange Server, click Accept.


  6. Click Configuration Editor. Go to the following section in the Section drop-down list:

    • system.webServer/security/authentication/clientCertificateMappingAuthentication

  7. Set the enabled value to True.


  8. Click Configuration Editor. Go to the following section in the Section drop-down list:

    • system.webServer/serverRuntime

  9. Set the uploadReadAheadSize value to 10485760 (10 MB) or 20971520 (20 MB) or to a value as required by your organization.

    Important:

    If you don’t set this value correctly, certificate-based authentication while subscribing to EWS push notifications can fail with an error code of 413.

    Do not set this value to 0.

For more information, see the Microsoft article, Microsoft IIS server runtime.
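
The settings from steps 5 through 9 can also be checked from PowerShell after the change. The following read-only audit is an added example, not part of the Citrix procedure: it assumes an elevated session on the Exchange server, the WebAdministration module, the site path Default Web Site/EWS, and a locally chosen minimum for uploadReadAheadSize.

```powershell
# Added example (not Citrix or Microsoft code): read-only audit of steps 5-9.
# Assumptions: elevated session on the Exchange server, WebAdministration module
# present, EWS under 'Default Web Site'. $MinReadAhead is a local policy choice.
param(
    [string]$Location     = 'Default Web Site/EWS',
    [long]  $MinReadAhead = 10485760   # 10 MB, the lower value named in step 9
)
Import-Module WebAdministration -ErrorAction Stop

function Get-EwsSetting {
    param([string]$Filter, [string]$Name)
    $p = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location -Filter $Filter -Name $Name
    # Some attributes come back as objects with .Value, flag enums as plain strings.
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { $p.Value } else { $p }
}

# system.webServer/security/access is the section behind the SSL Settings snap-in.
$flags = "$(Get-EwsSetting 'system.webServer/security/access' 'sslFlags')" -split ',' |
    ForEach-Object { $_.Trim() }
$mapping   = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
$certAuth  = Get-EwsSetting $mapping 'enabled'
$readAhead = [long](Get-EwsSetting 'system.webServer/serverRuntime' 'uploadReadAheadSize')

# Map the sslFlags values to the three radio buttons under Client Certificates.
$certMode = if ($flags -contains 'SslRequireCert') { 'Require' }
    elseif ($flags -contains 'SslNegotiateCert') { 'Accept' }
    else { 'Ignore' }

$results = @(
    [pscustomobject]@{ Check = 'Require SSL (step 5.1)'
                       Value = ($flags -join ','); Pass = ($flags -contains 'Ssl') }
    [pscustomobject]@{ Check = 'Client certificates (step 5.2)'
                       Value = $certMode; Pass = ($certMode -ne 'Ignore') }
    [pscustomobject]@{ Check = 'clientCertificateMappingAuthentication (step 7)'
                       Value = $certAuth; Pass = ($certAuth -eq $true) }
    [pscustomobject]@{ Check = 'uploadReadAheadSize (step 9)'
                       Value = $readAhead; Pass = ($readAhead -ne 0 -and $readAhead -ge $MinReadAhead) }
)
$results | Format-Table -AutoSize

if ($results.Pass -contains $false) {
    Write-Warning 'EWS is not configured as the steps above describe.'
    exit 1
}
```

A failed uploadReadAheadSize check corresponds to the 413 error described in the Important note; a client certificate mode of Ignore means the EWS virtual directory never requests the certificate that Citrix Secure Mail presents.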


For more information about troubleshooting Citrix Secure Mail issues with iOS push notifications, see this Citrix Support Knowledge Center article.
