XenMobile Server

Configuring certificate-based authentication with EWS for Secure Mail push notifications

Contributed by Vijay Kumar Kunchakuri

To make sure Secure Mail push notifications work, you must configure the Exchange Server for certificate-based authentication. This is required when Secure Hub is enrolled in XenMobile with certificate-based authentication.

You need to configure the Active Sync and Exchange Web Services (EWS) virtual directory on the Exchange Mail Server with certificate-based authentication.

Unless you complete these configurations, the subscription to Secure Mail push notifications fails and no badge updates occur in Secure Mail.

This article describes the steps to configure certificate-based authentication. The configurations are specifically against the EWS virtual directory on the Exchange Server.

To get started with the configuration, do the following:

  1. Log on to the server or servers where the EWS virtual directory is installed.

  2. Open the IIS Manager Console.

  3. Under the Default Web Site, click the EWS virtual directory.

    The Authentication, SSL, Configuration Editor snap-ins are on the right side of the IIS Manager Console

    Image of IIS Manager Console

  4. Make sure that the Authentication settings for EWS are configured as shown in the following figure.

    Image of IIS Manager Console

  5. Configure the SSL Settings for the EWS virtual directory.

    1. Select the Require SSL checkbox.

    2. Under Client Certificates, click Require. You can set this option to Accept if other EWS mail clients connect with user name and password as credentials to authenticate and connect to the Exchange Server.

    Image of IIS Manager Console

  6. Click Configuration Editor. In the Section drop-down list, navigate to the following section:

    • system.webServer/security/authentication/clientCertificateMappingAuthentication
  7. Set the enabled value to True.

    Image of IIS Manager Console

  8. Click Configuration Editor. In the Section drop-down list, navigate to the following section:

    • system.webServer/serverRuntime
  9. Set the uploadReadAheadSize value to 10485760 (10 MB) or 20971520 (20 MB) or to a value as required by your organization.

    Important:

    If you don’t set this value correctly, certificate-based authentication while subscribing to EWS push notifications can fail with an error code of 413.

    Do not set this value to 0.

For more information, see the following third-party resources:

Image of IIS Manager Console

For more information about troubleshooting Secure Mail issues with iOS push notifications, see this Citrix Support Knowledge Center article.

Push notifications for Secure Mail for iOS

Configuring certificate-based authentication with EWS for Secure Mail push notifications