Certificate based SSO from an iPhone for Exchange with APM

Question

I need some help getting started. Here is my problem. When users Active Directory passwords expire, their accounts will often get locked out because their iPhone continues to access the account with the old password. I'd like to start deploying certs to my corporate iPhone users with our Boxtone MDM solution. Then I think I can use APM to authenticate the iPhone to AD and Exchange 2010 with the cert. Does thin make sense? Is there a writeup on how to build this?

what_lies_bene1 · Answer

APM isn't my thing but using certs certainly makes sense.

kevin_stewart · Answer

There's two important considerations when using certificates for authentication:&nbsp;

In and of itself, a certificate is a single factor of identity assertion, like a username. Exchange, SharePoint, and really anything that relies on AD, won't simply support a certificate as a way to authenticate a user, unless perhaps you terminate the client-server SSL session directly at the Exchange/SharePoint server. That's not usually an easy config, and it generally eliminates anything more functional than layer 4 load balancing. Instead, you may want to consider doing Kerberos SSO to your Exchange environment - a native and well-supported approach. Prompt the client for certificate on the client side of APM, optionally do some certificate revocation checking and other vetting, and then apply a Kerberos SSO profile that consumes the userPrincipalName from the certificate.

As I mentioned in the beginning, a certificate is a single factor of identity assertion. There are ways to make certificates multi-factor, like deploying them in smartcards that require a unique PIN to access, but generally speaking the "software" certificates that will be installed on the users' mobile devices will be as much tied to the device as to the user. If the device is compromised, there's really nothing to protect from rogue use of the certificate other than having it revoked (or whatever MDM controls you have in place). Considering the complexity required to compromise most modern phones though, that may be an acceptable risk (probably still better than a password).

michael_koyfma1 · Answer

You don't have to implement/rollout certs just to solve this problem(actually, I don't see how this will solve the expired password issue - but here is a good writeup article on how you can leverage iRules to prevent AD account lockout - you can implement this solution on your Exchange virtual server and stop users from locking themselves out of AD.

https://devcentral.f5.com/articles/create-a-user-lockout-policy-with-access-policy-manager

patrick_brown_7 · Answer

I'm getting back to this topic. It's become a priority to make trusted smart phones work with cert based authentication.&nbsp;
I have this whitepaper. Has anyone gone through this? Can you share any issues you may have had. I'm running 11.4.1 code which is newer than what this whitepaper is based on.&nbsp;
https://www.f5.com/pdf/white-papers/exchange-mobile-device-security-tech-brief.pdf&nbsp;
Thanks,&nbsp;
Patrick&nbsp;

Forum Discussion

Certificate based SSO from an iPhone for Exchange with APM

4 Replies

Recent Discussions

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

[ASM] - what is "Browser Challange file" ?

LDAPS and renegotiation

Related Content

Automating ACMEv2 Certificate Management on BIG-IP

Re: Management Certificate

Device ID not working for IOS iPhone devices

Automate Let's Encrypt Certificates on BIG-IP

My Security+ Certification Journey