[Migrated from MSDN Exchange Dev] CBA stopped working in Exchange 2019 ActiveSync

Anonymous
2020-12-25T08:53:54.847+00:00

Note: This case was migrated from the MSDN Exchange Server Development forum. Since the Exchange Server Development forum mainly discusses issues about Exchange development, and non-developer Exchange support has transitioned to Microsoft Q&A, we migrated this non-developer question manually to continue the discussion.

Original Post: https://social.msdn.microsoft.com/Forums/office/en-US/8b754ed4-5bff-4975-98c1-45b23937cfa8/cba-stopped-working-in-exchange-2019-activesync?forum=exchangesvrdevelopment

Hi All,

We had a working Exchange 2019 installation for more than a year. ActiveSync was configured with certificate-based authentication and everything was working fine. All of a sudden, yesterday all mobile devices stopped synchronizing with the server. When troubleshooting the issue, we found out that ActiveSync is working with basic authentication (login and password) but no longer working with certificates. No configuration changes were made at the moment, and PKI is working fine in the domain.

Today we installed a new Exchange 2019 server in the same domain hoping CBA would work on it, but all in vain. The server behaves exactly like the old one. When we try to open the URL https://server/microsoft-server-activesync and use a certificate for authentication, we get a 403 error; if we use login and pass, everything is OK.

CBA was set up with https://learn.microsoft.com/ru-ru/exchange/plan-and-deploy/post-installation-tasks/configure-certificate-based-auth?view=exchserver-2019, and we have the same configurations in other organizations where there are E2013 and E2016 - all works fine.

Please help, need new ideas.

Exchange | Exchange Server | Management

3 answers

  1. FreddyRUS323 6 Reputation points
    2020-12-25T16:02:28.157+00:00

    Hi Lou,

    The issue is resolved. The problem was a non-self-signed certificate installed in the Trusted Root Certification Authorities certificate store via Group Policy.

    https://learn.microsoft.com/en-us/troubleshoot/iis/http-403-forbidden-access-website

    thank you very much for your help!

    1 person found this answer helpful.
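
The check behind this resolution, as an added example that is not part of the original thread: it lists certificates in the machine's Trusted Root store whose Subject differs from their Issuer, and counts ActiveSync 403 responses in the IIS logs by sub-status (IIS uses 403.16 for "client certificate is untrusted or invalid"). The log root `C:\inetpub\logs\LogFiles`, the function names and the parameters are assumptions.

```powershell
# Added example, not from the thread. $LogDir default and all names are assumptions.
param(
    [string]$LogDir = 'C:\inetpub\logs\LogFiles',  # assumed IIS log root
    [int]$NewestLogs = 3                           # how many recent log files to scan
)

# A root CA certificate is self-signed (Subject equals Issuer); anything else here is misplaced.
function Get-MisplacedRootCert {
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

# Return ActiveSync requests answered with 403; columns are located via the "#Fields:" header.
function Get-ActiveSync403 {
    param([Parameter(Mandatory)][string]$Path)
    $need = 'date', 'time', 'c-ip', 'cs-uri-stem', 'sc-status', 'sc-substatus'
    $idx = @{}; $ok = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line.StartsWith('#Fields:')) {
            $names = $line.Substring(8).Trim() -split ' '
            $idx = @{}
            for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
            $ok = -not ($need | Where-Object { -not $idx.ContainsKey($_) })
            continue
        }
        if ($line.StartsWith('#') -or -not $ok) { continue }
        $f = $line -split ' '
        if ($f[$idx['cs-uri-stem']] -like '/Microsoft-Server-ActiveSync*' -and
            $f[$idx['sc-status']] -eq '403') {
            [pscustomobject]@{
                Time      = "$($f[$idx['date']]) $($f[$idx['time']])"
                ClientIp  = $f[$idx['c-ip']]
                SubStatus = $f[$idx['sc-substatus']]
            }
        }
    }
}

$misplaced = @(Get-MisplacedRootCert)
"Non-self-signed certificates in LocalMachine\Root: $($misplaced.Count)"
$misplaced | Format-List | Out-String

# Group the 403s by sub-status; 403.16 means the client certificate was not trusted.
Get-ChildItem -Path $LogDir -Recurse -Filter *.log |
    Sort-Object LastWriteTime -Descending | Select-Object -First $NewestLogs |
    ForEach-Object { Get-ActiveSync403 -Path $_.FullName } |
    Group-Object SubStatus |
    Select-Object Count, @{ Name = 'Status'; Expression = { "403.$($_.Name)" } }
```

Run it in an elevated PowerShell session on the Exchange server; a non-zero certificate count together with 403.16 entries matches the cause reported in this answer.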

  2. Anonymous
    2020-12-25T09:00:07.707+00:00

    Hi Freddy,

    and we have the same configurations in other organizations where there are E2013 and E2016 - all works fine.

    You mean the same certificate works fine on 2013/2016 but not 2019? Are there any different settings between these servers?

    When we try to open the URL https://server/microsoft-server-activesync and use a certificate for authentication, we get a 403 error

    You can find a detailed error code in the C:\inetpub\logs\LogFiles\W3SVC\XXXX.log file; search for Microsoft-Server-ActiveSync and you will find an error code like:
    [screenshot]

    According to your description, I think ActiveSync is still using basic authentication. Please use this command and check the following:

    Get-ActiveSyncVirtualDirectory -Server "ServerName" | FL

    Part 1. These values are correct with your certificate.
    Part 2. These three auth methods are disabled, and ClientCertAuth is required.
    [screenshot]

    You can also take a screenshot and share it with me, covering your personal information. The articles "Configure certificate-based authentication for Exchange ActiveSync" and "The HTTP status code in IIS 7.0 and later versions" may help you.

    Regards,

    Lou


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. FreddyRUS323 6 Reputation points
    2020-12-25T09:50:12.177+00:00

    Hi Lou,

    Thank you for your answer.

    Not the same certificates, but the infrastructure is configured the same way.

    Attached is the screenshot of Get-ActiveSyncVirtualDirectory -Server "ServerName" | FL

    thanks!

    [screenshot]
