[E2010][EWSMA][C#][Windows Server 2008 R2]: How do I authenticate with client certificates?

  • Question

  • I am looking for a secure way to have my client application authenticate against an Exchange Server instance. I noticed the API appears to support using an X509 certificate as its credentials; however, I cannot find any resources outlining the use of this class, let alone using certificates as a method of authenticating.

    The idea is that the client application logs in as a user on the server's domain and impersonates accounts of users in a specified group to access their mailboxes. Now this works just fine when I specify the username/password in code (i.e. using WebCredentials), but I don't want plaintext passwords anywhere near my code.

    Right now there are a couple of constraints I'm working with:

    • The client and server are on separate domains, with no trust between them
    • The certificate must authorize the client application to perform actions on behalf of a user in the server's domain

    I have issued certificates for client authentication from the CA on the server's domain and exported them to the client computer, but I am getting HTTP 401 errors when the API makes calls to impersonate other users. The certificate is self-signed, but while I'm developing I'm short-circuiting the certificate validation logic to ignore this. Right now I'm trying to determine if IIS client-certificate mapping is appropriate, but am struggling with the documentation.

    Does anyone know if it's possible to use certificates as credentials in the EWS API, and if so, how I can issue a certificate to accomplish this? The documentation on this seems sparse at best, so if you have any resources you can point me to it'd be much appreciated.


    Tuesday, June 30, 2015 9:00 PM
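
An added example, not part of the original post: a sketch of the client side described in the question, using the EWS Managed API's `ClientCertificateCredentials` with impersonation, and pinning one known development certificate instead of short-circuiting server certificate validation. The thumbprints, URL and the `EwsCertClient` class name are placeholders and assumptions; whether the server accepts the certificate and maps it to an account permitted to impersonate is server-side configuration that this does not cover.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Exchange.WebServices.Data;

static class EwsCertClient // hypothetical helper class
{
    // Placeholders (assumptions): replace with your own values.
    const string ClientThumbprint = "<CLIENT-CERT-THUMBPRINT>";
    const string DevServerThumbprint = "<DEV-SERVER-CERT-THUMBPRINT>";
    const string EwsUrl = "https://mail.example.test/EWS/Exchange.asmx";

    // Accept a chain that validates normally, or exactly one pinned dev certificate.
    static bool ValidateServer(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null) return false;
        string seen = new X509Certificate2(cert).Thumbprint;
        return string.Equals(seen, DevServerThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Load the client certificate from the user's store; no password or key material in code.
    static X509Certificate2Collection LoadClientCert()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, ClientThumbprint, false);
            if (found.Count == 0 || !found[0].HasPrivateKey)
                throw new InvalidOperationException("Client certificate with private key not found.");
            return found;
        }
        finally { store.Close(); }
    }

    public static ExchangeService Connect(string mailboxSmtp)
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServer;
        return new ExchangeService(ExchangeVersion.Exchange2010)
        {
            Url = new Uri(EwsUrl),
            Credentials = new ClientCertificateCredentials(LoadClientCert()),
            ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, mailboxSmtp)
        };
    }
}
```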