Good day,
I was setting up CBA for ActiveSync and OWA on Exchange 2019 on-premises following this guide https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-certificate-based-auth?view=exchserver-2019 in my test environment.
Everything went smoothly, but when I check OWA or the ActiveSync virtual directory to require a client certificate, connect through a browser and am prompted to choose a user certificate, I get error 403 "You don't have the user rights to view this page." Without the virtual directory set to require a client certificate everything works great.
Here is log of 403 in IIS: 2025-01-15 09:15:24 ::1 GET /OWA/auth.owa &encoding=; 443 - ::1 AMProbe/Local/ClientAccess - 403 7 5 19.
For the CA I am using AD CS installed on a domain controller, and for certificate issuance to users I use a copy of the User template and autoenrollment. A picture of the user certificate is attached.
The server certificate is generated on an offline Linux CA, and this CA is trusted on the domain. I really have no idea what else to do to make CBA work, maybe somebody can give some more suggestions???
Could be a cert trust issue:
https://stackoverflow.com/questions/26247462/http-error-403-16-client-certificate-trust-issue
Hi @Evald Gruzdev,
Welcome to the Microsoft Q&A platform!
Based on your description, you have completed many settings correctly, but the 403 error indicates that there may be a problem with the client certificate authentication configuration. There are several things you can check and try:
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
Update. I increased the uploadReadAheadSize value to 49152 for owa, ecp and activesync, and started getting the error "too many redirects, try clearing cookies" in the browser. Clearing cookies didn't help (private windows also didn't help), but then I installed another browser (Chrome), and OWA started working and accepting certificates. The browser that I was experimenting with before (Edge) is still not working for OWA; I guess something needs to be cleaned. I understand it is not specifically an Edge problem, but the fact that Edge has cached some data (since I did all my testing on it) that doesn't allow it to connect. I was able to connect to OWA with Edge on another computer, which had not been used before.
After I got OWA to work on the PC, I installed the user certificate on an iPhone, and OWA works there with the certificate too (great!! one problem solved).
However, for some reason ActiveSync still doesn't work with the client certificate required on the same iPhone. I assume the iPhone should use the same certificate it uses for OWA (which works), so the certificate is not the problem. Without requiring a client certificate it also works, so permissions shouldn't be the problem. I'm getting error codes 403 7 64 and 403 7 5. Any more suggestions???
Hi @Evald Gruzdev,
Based on your description, you managed to get OWA to work with certificates on both the PC and iPhone. For ActiveSync issues, here are some additional suggestions that may help you resolve 403 errors:
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
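An added example, not from the thread or from Microsoft, for reading the IIS status triples quoted in the question and in the update (403 7 5, 403 7 64): it parses W3C log lines using the #Fields: header and decodes the 403 sub-status and Win32 status of each denied request. The sample log is constructed in the same field layout as the line in the question; the IP addresses and user agents in it are made up.

```python
from dataclasses import dataclass
from typing import List
# IIS 403 sub-status codes that involve client certificates (per IIS documentation).
CERT_SUBSTATUS = {
    7: "403.7 client certificate required (IIS received none)",
    13: "403.13 client certificate revoked",
    16: "403.16 client certificate untrusted or invalid (chain/trust problem)",
    17: "403.17 client certificate expired or not yet valid",
}
# Win32 status values that appear in the thread's log entries.
WIN32_STATUS = {5: "ERROR_ACCESS_DENIED",
                64: "ERROR_NETNAME_DELETED (connection dropped before the request finished)"}

@dataclass
class Forbidden:
    client_ip: str
    user_agent: str
    uri: str
    substatus: int
    win32: int

    def explanation(self) -> str:
        sub = CERT_SUBSTATUS.get(self.substatus, f"403.{self.substatus} (not certificate related)")
        return f"{sub}; win32 {WIN32_STATUS.get(self.win32, self.win32)}"
def parse_403s(text: str) -> List[Forbidden]:
    """Return every 403 entry; the #Fields: header says which column is which."""
    fields, hits = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split(" ")
            if len(values) != len(fields):
                continue  # truncated or malformed line: skip rather than misread columns
            row = dict(zip(fields, values))
            if row["sc-status"] == "403":
                hits.append(Forbidden(row["c-ip"], row["cs(User-Agent)"], row["cs-uri-stem"],
                                      int(row["sc-substatus"]), int(row["sc-win32-status"])))
    return hits

# Constructed sample in the same field layout as the line quoted in the question.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-15 09:15:24 ::1 GET /OWA/auth.owa &encoding=; 443 - ::1 AMProbe/Local/ClientAccess - 403 7 5 19
2025-01-15 09:16:02 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping 443 - 10.0.0.77 Apple-iPhone/2001.1 - 403 7 64 31
2025-01-15 09:16:10 10.0.0.5 GET /owa/ - 443 DOMAIN\\user 10.0.0.88 Mozilla/5.0 - 200 0 0 12
"""

for hit in parse_403s(SAMPLE_LOG):
    print(hit.client_ip, hit.user_agent, hit.uri, "->", hit.explanation())
```

Both triples in the update decode to 403.7, meaning IIS never received a usable client certificate on that request, rather than 403.16, which is what an untrusted or badly chained certificate produces. Win32 status 64 on the ActiveSync request says the connection went away before IIS finished it, so the thing to compare is what the device actually sends during the TLS renegotiation, not the certificate's trust chain.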