ActiveSync on some smartphones (in this scenario iPhones) with client certificate authentication does not work; ActiveSync here is published through TMG

This appeared as a strange issue when I worked on a case where, out of all the users, ActiveSync was not working for only a few iPhone users. For the other users, including other iPhone, Windows Phone and Android users, it was working. Client certificate authentication was implemented in this scenario.

Live logs on TMG are so useful that they can at times point directly to where the problem is. In this scenario I took live logs for users whose client agent string contained the "apple" keyword and found the following:

******************************************************************************************************

Apple-iPhonexxxxx  No Reverse Proxy  x.contoso.com TCP OPTIONS Req ID: xxx  xxx xxx 443 https Failed Connection Attempt       0x80092010  anonymous   https://xx.contoso.com/Microsoft-Server-ActiveSync SAMPLESERVERTMG

******************************************************************************************************

The field that stands out is the result code 0x80092010.

Looking up this status code with the Err tool (err.exe) gives the following result:

----------------------------------------------

C:\Err>err 0x80092010
# for hex 0x80092010 / decimal -2146885616 :
  CRYPT_E_REVOKED                                               winerror.h
# The certificate is revoked.
# 1 matches found for "0x80092010"

----------------------------------------------

It refers to a revoked certificate. For the working iPhone users we did not see this status code in the logs.
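The following PowerShell is an added example and is not part of the original post. It automates the live-log triage described above: it parses TMG log rows, keeps only the failed connection attempts from Apple client agents, and decodes the crypt32 result code the way the Err tool did. The tab-separated column order in $Columns is an assumption (a real TMG log export carries whichever columns were selected in the Logging pane), and the sample rows are constructed placeholders rather than real devices or hosts.

```powershell
# Added example, not from the original post: triage TMG log rows for the
# client-certificate revocation failure seen in the live logs.
# Assumed column order of the exported rows (adjust to match your export):
$Columns = 'ClientAgent', 'Rule', 'Destination', 'Protocol', 'Action', 'ResultCode', 'Url'

# crypt32 revocation result codes from winerror.h.
$CryptResultCodes = @{
    '0x80092010' = 'CRYPT_E_REVOKED: the certificate is revoked'
    '0x80092012' = 'CRYPT_E_NO_REVOCATION_CHECK: revocation could not be checked'
    '0x80092013' = 'CRYPT_E_REVOCATION_OFFLINE: the revocation server (CRL/OCSP) was offline'
}

function Get-TmgClientCertFailure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $LogLine,
        [string] $AgentPattern = 'Apple*'   # the post filtered on the "apple" keyword
    )
    process {
        foreach ($line in $LogLine) {
            $fields = $line -split "`t"
            if ($fields.Count -lt $Columns.Count) { continue }   # skip malformed rows
            $row = @{}
            for ($i = 0; $i -lt $Columns.Count; $i++) { $row[$Columns[$i]] = $fields[$i] }
            if ($row.ClientAgent -notlike $AgentPattern) { continue }
            if ($row.Action -ne 'Failed Connection Attempt') { continue }
            $code = $row.ResultCode.ToLower()
            $meaning = 'not a crypt32 revocation code'
            if ($CryptResultCodes.ContainsKey($code)) { $meaning = $CryptResultCodes[$code] }
            [pscustomobject]@{
                ClientAgent = $row.ClientAgent
                Url         = $row.Url
                ResultCode  = $code
                Meaning     = $meaning
            }
        }
    }
}

# Constructed sample rows in the shape of the live-log entry quoted above
# (client agents and hosts are placeholders, not real devices).
$sampleRows = @(
    @('Apple-iPhone-sample1', 'No Reverse Proxy', 'x.contoso.com', 'https', 'Failed Connection Attempt', '0x80092010', 'https://xx.contoso.com/Microsoft-Server-ActiveSync'),
    @('Apple-iPhone-sample2', 'No Reverse Proxy', 'x.contoso.com', 'https', 'Allowed Connection',        '0x0',        'https://xx.contoso.com/Microsoft-Server-ActiveSync'),
    @('Android-sample1',      'No Reverse Proxy', 'x.contoso.com', 'https', 'Allowed Connection',        '0x0',        'https://xx.contoso.com/Microsoft-Server-ActiveSync')
) | ForEach-Object { $_ -join "`t" }

$failures = $sampleRows | Get-TmgClientCertFailure
$failures | Format-Table -AutoSize

# Count per result code to see whether a single failure dominates, as it did here.
$failures | Group-Object ResultCode | Select-Object Count, Name
```

For the constructed rows only the first one is reported, decoded as CRYPT_E_REVOKED. Against a real export, pipe the file through Get-Content first, and compare the result-code counts for Apple agents with those for the other client agents, since the post's key observation was that working devices never logged 0x80092010.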

I also collected TMG Data Packager logs using the Web Proxy and Web Publishing template; more on that here: https://blogs.technet.com/b/sooraj-sec/archive/2010/04/10/instructions-for-isa-data-packager-to-collect-data-in-repro-mode.aspx

Then, in the ISA tracing logs for the problem traffic, I found the following (more on analyzing TMG Data Packager logs: https://blogs.technet.com/b/sooraj-sec/archive/2012/11/07/data-analysis-using-with-tmg-data-packager.aspx)

****************************************************

Info:Starting user authentication"

Info:[0x000000004A379980] Verifying SSL client certificate"

Info:URL retrieval timeout =60000"

Info:Getting certificate chain..."

Info:Certificate chain obtained"

Info:Entered: else if dwChainStatus & CERT_TRUST_REVOCATION_STATUS_UNKNOWN (usually cannot get the CRL file)"

Info:Element index# 0 in chain (total of 3 elements) dwRevocationResult != NO_ERROR (0x80092013)"

Warning:[0x000000004A379980] VerifyRemoteCertificate failed, Failure = 3, hr = 0x80092010(CRYPT_E_REVOKED)"

Info:WPPISAPUBLIC:Returning error text ""The certificate is revoked. "" for error code -2146885616(CRYPT_E_REVOKED)"

ERROR:ValidateClientCertificate() failed, dwError= -2146885616(CRYPT_E_REVOKED)"

ERROR:ValidateClientCertificateAndTimestamp failed, err = -2146885616(CRYPT_E_REVOKED)"

Noise:WPPISAPUBLIC:(x.x.x.x:xxx <== x.x.x.x:xxx), 2153 bytes, ""HTTP/1.1 500"""

***********************************************************************

From here we can see that when certificate authentication starts, TMG checks the certificate's revocation status. Here it is not able to complete that check because it could not get the CRL file, so the VerifyRemoteCertificate operation fails and the certificate is treated as revoked, in keeping with the principle of least privilege (an unknown revocation status is not given the benefit of the doubt). Hence the user is not able to authenticate.

To give such users immediate relief, I suggested temporarily disabling the CRL revocation check on TMG for client certificates (shown below). After it was disabled, the affected iPhone users started working fine.


We found the following events on the CA server (in this scenario an internal root CA was used to issue the certificates):

************************************************************************

Event Type: Error

Event Source: CertSvc

Event Category: None

Event ID: 66

Date: xx

Time: xx

User: N/A

Computer:xx

Description:

Certificate Services could not publish a Delta CRL for key x to the following location: xxxx\CertSrv\CertEnroll\xxx+.crl.  xxx

************************************************************************

This is the delta CRL, and it was not available, which explains the problem we were seeing. The plan was to correct this by either making the delta CRL available (publishing it) or no longer using it and relying on the usual base CRL URL. Once the CRL was available again, the certificate revocation check was re-enabled on TMG for enhanced security.
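As an added example, not the post's own steps, the following PowerShell covers both the revocation check traced above and the CA-side fix. Run on the issuing CA, it pulls the Event ID 66 entries, inspects the published CRL files for the Freshest CRL extension (when a base CRL carries that extension, CryptoAPI must also fetch the delta CRL, so a missing "+.crl" file leaves the revocation status unknown, which TMG treats as revoked), reproduces the chain build and CRL fetch that TMG performs using certutil -verify -urlfetch, and then shows the two remediation paths the post describes. $CdpShare and $ClientCert are placeholders to replace with your own values.

```powershell
# Added example, not from the original post. Run on the issuing CA.
$CdpShare   = '\\CDP-SERVER\CertEnroll'     # placeholder: share the CDP URL points at
$ClientCert = 'C:\Temp\sample-client.cer'   # placeholder: exported cert of an affected user

# 1. Was delta CRL publishing failing? Certificate Services logs Event ID 66 for that
#    (provider name is CertSvc on older servers, Microsoft-Windows-CertificationAuthority later).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 66 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'CertSvc|CertificationAuthority' } |
    Select-Object TimeCreated, Message -First 5

# 2. Which CRL files are actually published, and does the base CRL advertise a delta?
#    A "Freshest CRL" extension in the base CRL makes the delta (the "+.crl" file) mandatory.
Get-ChildItem -Path $CdpShare -Filter '*.crl' | ForEach-Object {
    $isDelta = $_.Name -like '*+.crl'
    '{0,-40} delta={1} modified={2}' -f $_.Name, $isDelta, $_.LastWriteTime
    certutil -dump $_.FullName | Select-String -Pattern 'Next Update|Freshest CRL|Delta CRL'
}

# 3. Reproduce the check TMG does: build the chain and fetch every CDP/AIA URL.
#    Revocation-related lines show whether the delta fetch fails (CRYPT_E_REVOCATION_OFFLINE).
certutil -verify -urlfetch $ClientCert | Select-String -Pattern 'Revocation|CRL|ERROR'

# 4a. Fix option 1 (the post's "make it available"): republish the CRLs so the
#     advertised delta CRL exists at the CDP.
certutil -crl

# 4b. Fix option 2 (the post's "not use it any more"): stop issuing delta CRLs, then
#     publish a fresh base CRL that no longer carries the Freshest CRL extension.
#     Uncomment to apply; it changes CA behaviour.
# certutil -setreg CA\CRLDeltaPeriodUnits 0
# Restart-Service CertSvc
# certutil -crl
```

Step 3 is the useful regression check once either fix is in place: only after certutil reports the revocation check as passing for an affected user's certificate should the CRL revocation check be switched back on in TMG, otherwise those users fail again immediately.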