1,458 questions
Could be a cert trust issue:
https://stackoverflow.com/questions/26247462/http-error-403-16-client-certificate-trust-issue
How to Configure CBA for exchange 2019 on premise??
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 62%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEG%3C/text%3E%3C/svg%3E)
Evald Gruzdev
20
Reputation points
Good day,
I was setting up CBA for active sync and owa on exchange on premise 2019 following this guide https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-certificate-based-auth?view=exchserver-2019 on my test environment.
Everything went smoothly, but when I Check OWA or ActiveSync virtual directory to require client certificate and connect through browser and prompt to choose user certificate I get error 403 "You don't have the user rights to view this page." Without virtual directory set to requiring client certificate everything works great.
Here is log of 403 in IIS: 2025-01-15 09:15:24 ::1 GET /OWA/auth.owa &encoding=; 443 - ::1 AMProbe/Local/ClientAccess - 403 7 5 19.
For CA I am using AD CA installed on domain controller, and for certificates issuance to user I use copy of user template and autoenrollment. User certificate picture is attached.
Server certificate is generated on offline Linux server CA, and this CA is trusted on domain. I really have no idea what else to do to make CBA work, maybe somebody can give some more suggestions??? certif.PNG
Exchange | Exchange Server | Other
{count} votes
-
Evald Gruzdev 20 Reputation points
2025-01-16T17:22:41.31+00:00 Update. I increased uploadReadAheadSize value to 49152 for owa, ecp and activesync, and started getting error on browser “too many redirects, try clearing cookies”. Clearing cookies didn’t help (private windows also didn’t help), but then I installed another browser (chrome), and owa started working accepting certificates. The browser that I was experimenting with before (edge) still not working for owa, I guess something needs to be cleaned. I understand it is not specifically edge problem, but the fact that edge has cashed some data (since I did all testings on it) that doesn’t allow to connect. I was able to connect to owa with edge on another computer, which was not used before.
After I got owa to work on PC, I installed user certificate on iphone, and owa works there with certificate too (great!! one problem solved).
However, for some reason active sync still doesn’t work with certificate required on the same iphone. I assume iphone should use same certificate it uses for owa (which works), so certificate is not the problem. Without requiring client certificate it also works, so permissions shouldn’t be the problem. I’m getting error codes 403 7 64 and 403 7 5. Any more suggestions???
Sign in to comment
3 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2025-01-16T05:30:31.7433333+00:00 Hi @Evald Gruzdev ,
Welcome to the Microsoft Q&A platform!
Based on your description, you have completed many settings correctly, but the 403 error indicates that there may be a problem with the client certificate authentication configuration. There are several things you can check and try:
- Make sure that the client certificate is correctly mapped to the user account in Active Directory. The certificate must contain the User Principal Name (UPN) in the Subject or Subject Alternative Name field.
- Verify that all servers and devices involved in accessing OWA and ActiveSync trust the entire trust chain of the client certificate, including the root certificate and any intermediate CAs.
- Double-check the IIS settings for the OWA and ActiveSync virtual directories. Make sure SSL is enabled and that the Client Certificate Mapping authentication feature is correctly installed and configured.
- Make sure that the user account has the required permissions to access the OWA and ActiveSync virtual directories. Sometimes, certificate-based authentication may require specific permissions.
- Make sure that the client certificate is valid and has not expired. In addition, check that the certificate is correctly issued for client authentication.
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
-
Evald Gruzdev 20 Reputation points
2025-01-16T13:07:12.9633333+00:00 I increased uploadReadAheadSize value to 49152 for owa, ecp and activesync, and started getting error on browser "too many redirects, try clearing cookies". Clearing cookies didn't help (private windows also didn't help), but then I installed another browser (chrome), and owa started working accepting certificates. The browser that I was experimenting with before (edge) still not working for owa, I guess something needs to be cleaned. I understand it is not specifically edge problem, but the fact that edge has cashed some data (since I did all testings on it) that doesn't allow to connect. I was able to connect to owa with edge on another computer, which was not used before.
After I got owa to work on PC, I installed user certificate on iphone, and owa works there with certificate too (great!! one problem solved).
However, for some reason active sync still doesn't work with certificate required on the same iphone. I assume iphone should use same certificate it uses for owa (which works), so certificate is not the problem. Without requiring client certificate it also works, so permissions shouldn't be the problem. I'm getting error codes 403 7 64 and 403 7 5. Any more suggestions???
Sign in to comment -
Anonymous
2025-01-20T01:41:51.45+00:00 Hi @Evald Gruzdev ,
Based on your description, you managed to get OWA to work with certificates on both the PC and iPhone. For ActiveSync issues, here are some additional suggestions that may help you resolve 403 errors:
- Make sure the client certificate is correctly mapped to the user account in Active Directory. The certificate must contain the User Principal Name (UPN) in the Subject or Subject Alternative Name field.
- Double-check the IIS settings for the ActiveSync virtual directory. Make sure SSL is enabled and that the Client Certificate Mapping authentication feature is properly installed and configured.
- Verify that the iPhone trusts the entire chain of trust for the client certificate, including the root certificate and any intermediate CAs.
- Check if there are any ActiveSync mailbox policies that may be causing this issue. Sometimes, specific policies can interfere with certificate-based authentication.
- Make sure the Autodiscover service is correctly configured and available for ActiveSync. This service helps the device locate the Exchange server and configure connection settings3.
- Since you mentioned that Edge may have cached data that caused the problem, you can try clearing the browser cache and cookies again, or resetting the Edge settings to default. Alternatively, testing with a different browser can help isolate the issue.
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
-
Anonymous
2025-01-22T01:30:29.4133333+00:00 Hi @Evald Gruzdev ,
Please kindly consider this comment as a warm follow up, I want to know if your problem has been solved. If you still have any other questions, please feel free to comment here and I'm glad to provide further support.If the above info is helpful to this question, you can click "Accept Answer". Have a nice day!
Best,
Jake Zhang
-
Evald Gruzdev 20 Reputation points
2025-01-22T06:52:48.24+00:00 Hi Jake,
unfortunately problem is still there.
As I said activeSync doesn't work only when client certificate is set to be required in IIS settings, other wise it works.
Certificate and mapping has to be right, because OWA on the iPhone works correctly with certificate required.
I really have no idea where else to look at the moment.
-
Evald Gruzdev 20 Reputation points
2025-01-23T07:35:49.4766667+00:00 I think I found the problem, which was the native iPhone mail app. Once I tried some different mail apps, I found at least 3 apps that were working (like airmail).
My guess is that iPhone’s default mail app doesn’t accept servers self-signed certificate even if the certificate is trusted on a phone.
-
Anonymous
2025-01-24T01:23:45.1066667+00:00 Hi @Evald Gruzdev ,
Thanks for you response!
That makes sense! The native iPhone mail app can sometimes be more restrictive with self-signed certificates, even if they are trusted on the device. It's great that you found alternative mail apps like Airmail that work with your setup.
If you prefer using the native mail app, you might consider obtaining a certificate from a trusted Certificate Authority (CA) instead of using a self-signed certificate. This could help ensure compatibility across all apps and devices.
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
-
Anonymous
2025-01-28T08:04:40.5166667+00:00 Hi @Evald Gruzdev ,
Is there any update on this thread? If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well. Thanks for your understanding.
Best,
Jake Zhang
-
Evald Gruzdev 20 Reputation points
2025-01-28T11:36:36.0066667+00:00 Hi,
not really. Further examination confirmed that other apps used EWS instead of active sync, that's why they worked. When I set to require client certificate for EWS it stops working too.
Is it possible that iphone just will not trust servers self-signed certificates under any circumstances? Owa uses browser so it works.
Sign in to comment