VMware AirWatch Certificate Authenticatin fr EAS with SEG Fr VMware AirWatch Have dcumentatin feedback? Submit a Dcumentatin Feedback supprt ticket using the Supprt Wizard n supprt.air-watch.cm. This prduct is prtected by cpyright and intellectual prperty laws in the United States and ther cuntries as well as by internatinal treaties. VMware prducts are cvered by ne r mre patents listed at http://www.vmware.cm/g/patents. VMware is a registered trademark r trademark f VMware, Inc. in the United States and ther jurisdictins. All ther marks and names mentined herein may be trademarks f their respective cmpanies. 1
Table f Cntents Chapter 1: Overview 3 AirWatch Certificate Authenticatin fr EAS with SEG 4 Prerequisites, EAS with SEG 4 Cmmunicatins Flw, EAS with SEG 5 Implementatin Methdlgy, EAS with SEG 5 Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin 7 Step 1: Register Target Service, EAS with SEG 8 Step 2: Cnfigure Delegatin Settings n the SEG Server, EAS with SEG 10 Step 3: Enable EAS Server t Accept Kerbers Tickets, EAS with SEG 11 Step 4: Cnfigure IIS fr Certificate Authenticatin n the SEG, EAS with SEG 12 Step 5: Cnfigure Delegatin Rights n the SEG Service Accunt, EAS with SEG 17 Chapter 3: Testing and Trubleshting 20 Trubleshting Overview, EAS with SEG 21 Additinal SETSPN Cmmands, EAS with SEG 23 Install the Rle in IIS, EAS with SEG 25 Accessing Other Dcuments 26 2
Chapter 1: Overview AirWatch Certificate Authenticatin fr EAS with SEG 4 Prerequisites, EAS with SEG 4 Cmmunicatins Flw, EAS with SEG 5 Implementatin Methdlgy, EAS with SEG 5 3
Chapter 1: Overview AirWatch Certificate Authenticatin fr EAS with SEG The Secure Email Gateway by AirWatch prvides an added layer f management visibility t mbile email and prvides enfrceable access-cntrl based n security plicies fr crpratins that are serius abut mbile email management and security. Hwever, fr maximum security and cntrl, crpratins may cuple the Secure Email Gateway with certificate-based authenticatin t their email infrastructure. In rder t accmmdate the additin f certificate-based authenticatin, Kerbers Delegatin must be utilized. This dcument discusses hw t cnfigure yur infrastructure fr Kerbers Delegatin t enable EAS certificate authenticatin with the SEG. Prerequisites, EAS with SEG Befre cnfiguring the Secure Email Gateway (SEG) t use certificate authenticatin, yu must have the fllwing. An internal certificate authrity (CA) server must be used t create user s certificates. An external CA cannt be used (e.g., VeriSign, etc.) t create user s certificates. Installed and peratinal Secure Email Gateway (SEG). Fr mre infrmatin, see the VMware AirWatch Secure Email Gateway Guide, available n Accessing Other Dcuments n page 26. Windws Server 2003 r 2008 Standard with latest service packs and recmmended updates frm Micrsft (http://www.update.micrsft.cm/). A device with an Exchange ActiveSync (EAS) prfile and certificate frm a dmain enterprise certificate authrity. A SEG that is cnfigured as a member f the same dmain as the enterprise certificate authrity. Administrative permissins t be able t cnfigure yur enterprise. Secure Email Gateway (SEG) Active Directry (AD) Exchange ActiveSync (EAS) server A certificate authrity prperly cnfigured t issue certificates thrughut AirWatch thrugh MSCEP/NDES r DCOM. A trust relatinship between the certificate authrity (CA) prviding the certificates and the directry services server. This will entail: Exprt the rt CA certificate t a.cer file. At the cmmand prmpt, type the fllwing cmmand and press ENTER: Certutil -dspublish -f <filename> NTAuthCA certutil -enterprise -addstre NTAuth CA_CertFilename.cer 4
Chapter 1: Overview Cmmunicatins Flw, EAS with SEG This diagram highlights the cmmunicatins flw fr a device attempting t cnnect t the Exchange ActiveSync (EAS) server thrugh the AirWatch Secure Email Gateway (SEG) using a certificate fr authenticatin. A detailed accunt f this interactin is shwn belw in the legend. Legend 1. The device cntacts the SEG with a certificate that cntains UPN and email in the Subject Alternative Name sectin f the cert. 2. The SEG authenticates the user with Active Directry frm the infrmatin in the cert. 3. The Active Directry server (KDC) issues a ticket t the SEG with the user's credentials. 4. The SEG sends the user's credentials t Exchange ActiveSync (EAS) with the mail request. 5. The EAS respnds t the SEG with the mail infrmatin. 6. The SEG respnds t the device with the mail infrmatin. Implementatin Methdlgy, EAS with SEG Regardless f the enterprise infrastructure being used, the implementatin methdlgy is basically the same. If yu understand the methdlgy, have the technical expertise, and have a strng understanding f the hardware and sftware required, then it is much easier t cnfigure and ensures the user has a seamless experience receiving their email. Registering Target Service Initially, yu need t identify the service fr which SEG will delegate the traffic t EAS server. This can be accmplished by creating the SPN (Service Principal Name). Permitting the SEG Server fr Kerbers Delegatin t the EAS Server By default, n infrastructure is permitted t grant access t ther servers using Kerbers delegatin. Therefre, administratrs must first cnfigure security settings n the directry server s that the SEG server can delegate access t 5
Chapter 1: Overview the EAS server using HTTP (fr EAS traffic). Specifically fr Micrsft Active Directry infrastructure, this entails: Cnfiguring AD t give permissins t SEG t impersnate a user. Enabling SEG t delegate HTTP EAS traffic t the EAS server. Enabling EAS Server t Accept Kerbers Tickets The EAS server requires Windws Authenticatin enabled in rder t analyze the Kerbers ticket received frm the SEG server. Cnfiguring the SEG Server fr Certificate Authenticatin Once the dmain security settings have been adjusted, the SEG server must be cnfigured fr certificate authenticatin. In rder fr the SEG t authenticate the user s device that is assigned t a particular certificate, Internet Infrmatin Services (IIS) n the SEG server must be cnfigured t accept that certificate. Specifically this can be accmplished by: Setting up Active Directry t Authenticate Using the Cnfiguratin Editr t Set Up Email Authenticatin Setting Up Secure Scket Layer (SSL) Adjusting upladreadaheadsize Memry Size Enabling the SEG EAS Service Accunt t Begin Kerbers Delegatin Lastly, administratrs must enable the SEG EAS Service accunt t start granting access t the EAS server thrugh user impersnatin. This effectively cmpletes the setup and users may begin authenticating with certificates t receive their crprate mail. Administratrs can cmplete this by: Verifying the identity f the SEG Cnfiguring lcal security plicy fr SEG t act as part f the perating system Cnfiguring lcal security plicy fr SEG t impersnate a client after authenticatin 6
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin Step 1: Register Target Service, EAS with SEG 8 Step 2: Cnfigure Delegatin Settings n the SEG Server, EAS with SEG 10 Step 3: Enable EAS Server t Accept Kerbers Tickets, EAS with SEG 11 Step 4: Cnfigure IIS fr Certificate Authenticatin n the SEG, EAS with SEG 12 Step 5: Cnfigure Delegatin Rights n the SEG Service Accunt, EAS with SEG 17 7
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin Step 1: Register Target Service, EAS with SEG In rder fr the SEG server t be able t delegate traffic t a specific service, yu need t identify and register the service. The target service must match the Exchange server Hstname n the web.cnfig file f the Web Listener flder n SEG. The SETSPN cmmand is used t register the service and this can be executed n AD server r EAS server. SETSPN -s HTTP/<target service name> <target cmputer name> If yur envirnment has multiple Client Access Servers (CAS) r multiple Exchange ActiveSync (EAS) servers, then yu must specify the dmain name with the target cmputer name. Fr example, {dmain}/{asa_accunt} r {dmain}/ {exchangebx}. An alternate service accunt needs t be created t represent the Client Access Services. Create an ASA Credential Type Yu can create a cmputer accunt r a user accunt fr the alternate service accunt. Because a cmputer accunt des nt allw interactive lgn, it may have simpler security plicies than a user accunt and therefre is the preferred slutin fr the ASA credential. If yu create a cmputer accunt, the passwrd desn't actually expire hwever AirWatch still recmmends updating the passwrd peridically. Lcal grup plicy can specify a maximum accunt age fr cmputer accunts and there might be scripts scheduled t peridically delete cmputer accunts that d nt meet current plicies. Peridically updating the passwrd fr cmputer accunts ensures that yur cmputer accunts are nt deleted fr nt meeting lcal plicy. Yur lcal security plicy determines when the passwrd needs t be changed. Credential Name There are n particular requirements fr the name f the ASA credential. Yu can use any name that cnfrms t yur naming scheme. Grups and Rles The ASA credential des nt need special security privileges. If yu are deplying a cmputer accunt fr the ASA credential, this means that the accunt nly needs t be a member f the Dmain Cmputers security grup. If yu are deplying a user accunt fr the ASA credential, this means that the accunt nly needs t be a member f the Dmain Users security grup. Passwrd The passwrd yu prvide when yu create the accunt is actually never used. Instead, the script resets the passwrd. S when yu create the accunt, yu can use any passwrd that cnfrms t yur rganizatin s passwrd requirements. All cmputers within the Client Access Services must share the same service accunt. In additin, any Client Access servers that may be called n in a datacenter activatin scenari must als share the same service accunt. 8
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin 1. Create the alternate service accunt (ASA) fr the CAS in the dmain by pening the Active Directry User and Cmputers and creating new cmputer accunt. Type a name fr the ASA, using CASARRAY- ASA as example. Verify that the accunt has replicated t all Dmain Cntrllers befre prceeding. 2. Verify the CAS's FQDN, since this name is used fr the SPN that is attached t the ASA. In rder t check the CAS s FQDN, run the next cmmand in PwerShell. Get-ClientAccessArray 3. Create the SPN using the setspn cmmand. setspn -s http/<target service name> {ASA_ACCOUNT}$ 4. Verify that all relevant SPNs have been assigned by running the fllwing cmmand frm PwerShell. setspn L {ASA_ACCOUNT} 5. T set ASA t the CAS servers, run the Alternate Service Accunt credential script in the Exchange Management Shell RllAlternateserviceAccuntPasswrd.ps1.\RllAlternateserviceAccuntPasswrd.ps1 -TArrayMembers {CAS-FQDN} -GenerateNewPasswrdFr {DOMAIN}\{ASA_ACCOUNT}$ -Verbse 6. Yu can see a Success message when the script has cmpleted running. T verify that the ASA credentials have been deplyed prperly, use the fllwing cmmand. 9
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin Get-ClientAccessServer -IncludeAlternateServiceAccuntCredentialStatus fl name,*alter* Next, yu must Cnfigure Delegatin Settings n the SEG Server. Step 2: Cnfigure Delegatin Settings n the SEG Server, EAS with SEG In rder fr the Secure Email Gateway (SEG) t impersnate a user when authenticating n an Exchange ActiveSync (EAS) server, the SEG server must be given the apprpriate permissins in the Active Directry (AD) server. Yu must als enable SEG t delegate HTTP EAS traffic t the EAS server. Cnfigure AD t Give Permissins t SEG t Impersnate a User 1. Select Active Directry Users and Cmputers n the AD server. 2. In the left-hand pane, select the flder where the SEG server is lcated (e.g., Cmputers). The available SEG servers display in the right-hand pane as shwn belw. 3. Right-click n the SEG server name and then select Prperties. 10
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin 4. The Prperties windw fr the SEG server displays. Click n the Delegatin tab. 5. Select the Trust this cmputer fr delegatin t specified services nly. 6. Select Use any authenticatin prtcl. 7. Click Add. Enable SEG t delegate HTTP EAS traffic t the EAS server 1. Click Users r Cmputers n the Add Services windw. The Select Users r Cmputers windw displays. 2. Enter the name f the Exchange ActiveSync Server r ASA accunt (if applicable) and select OK. The Add Services windw displays. 3. Select the http service registered in step 1 under Available services and select OK. A list displaying http and yur EAS server n the Delegatin tab appears. 4. Click OK. Next, yu must Enable EAS Server t Accept Kerbers Tickets. Step 3: Enable EAS Server t Accept Kerbers Tickets, EAS with SEG Cnfigure EAS server t accept Kerbers tickets. 1. Open IIS manager n the EAS server. 2. On the left hand Cnnectins pane, expand Sites and select Micrsft-server-activesync. 11
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin 3. In the main pane, under IIS, select Authenticatin and enable Windws Authenticatin. Next, yu must Cnfigure IIS fr Certificate Authenticatin n the SEG. Step 4: Cnfigure IIS fr Certificate Authenticatin n the SEG, EAS with SEG In rder fr the SEG t authenticate the user s device that is assigned t a particular certificate, Internet Infrmatin Services (IIS) n the SEG server must be cnfigured t accept that certificate. Set up Active Directry t Authenticate 1. On the SEG Server, launch Internet Infrmatin Services (IIS) by selecting Start > Run. 2. Type inetmgr and select OK. The IIS Manager windw appears. 3. In the left-hand Cnnectins pane select the SEG server 4. In the main pane, under the IIS sectin, duble-click the Authenticatin icn. 12
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin 5. Select Active Directry Client Certificate Authenticatin. If this ptin is nt available, see Install the Rle in IIS in VMware AirWatch Certificate Authenticatin fr EAS with SEG available n AirWatch Resurces. 6. In the right-hand pane, select Enable. Use the Cnfiguratin Editr t Set Up Email Authenticatin 1. Click + t expand the Sites flder. 2. Click + t expand the Default Web Site and display the email sever yu want t cnfigure. a. If yu are using MS Server 2008 R2 r later, the Cnfiguratin Editr icn appears as shwn in the screen belw. This icn des nt appear in lder versins f MS Server. Select Micrsft-Server-ActiveSync and duble-click the Cnfiguratin Editr icn. If applicable, prceed directly t step 3. 13
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin b. If yu are using Exchange ActiveSync (EAS) servers lder than 2008 R2, yu will need t be familiar with the use f appcmd.exe and run it frm the cmmand prmpt. c. Open a cmmand prmpt by selecting Start > Run. In the dialg bx type cmd and select OK. In the cmmand prmpt, type the fllwing cmmand: appcmd.exe set cnfig "Micrsft-Server-ActiveSync" - sectin:system.webserver/security/authenticatin/clientcertificatemappinga uthenticatin /enabled:"true" /cmmit:apphst If yu perfrmed this step, then skip the remaining steps and advance t Setting up Secure Scket Layer (SSL). 3. Navigate t system.webserver/security/authenticatin under Sectin. 4. Select clientcertificatemappingauthenticatin. 5. Select True frm the Enabled drp-dwn menu. 14
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin 6. Click Apply. Set Up Secure Scket Layer (SSL) If nly certificate authenticatin is being used then yu must cnfigure Secure Scket Layer (SSL). Otherwise, if authenticatin ther than certificates is used then yu d nt need t cnfigure SSL. 15
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin 1. Select Micrsft-Server-ActiveSync, and then duble-click SSL Settings. 2. If nly certificate authenticatin is allwed, select Require SSL and then Required. If ther types f authenticatin are allwed, select Accept. 3. Click Apply. Adjust upladreadaheadsize Memry Size Since certificate based authenticatin uses a larger amunt f data during the authenticatin prcess, sme adjustments must be made in IIS cnfiguratin t accunt fr the increased amunt f data. This is accmplished by increasing the value f the upladreadaheadsize. The fllwing steps guide yu thrugh the cnfiguratin: 16
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin 1. Open a cmmand prmpt by selecting Start > Run. 2. Type cmd and select OK. A text editr windw appears. 3. Increase the value f the upladreadaheadsize frm the default f 48KB t 10MB by entering the fllwing cmmands: C:\Windws\System32\inetsrv\appcmd.exe set cnfig - sectin:system.webserver/serverruntime /upladreadaheadsize:"10485760" /cmmit:apphst C:\Windws\System32\inetsrv\appcmd.exe set cnfig "Default Web Site" - sectin:system.webserver/serverruntime /upladreadaheadsize:"10485760" /cmmit:apphst Default Web Site is used in the sample cde abve. If the name f the site has been changed in IIS then the new name needs t replace Default Web Site in the secnd cmmand. 4. Type the fllwing cmmand t reset the IIS: iisreset Lastly, yu must Cnfigure Delegatin Rights n the SEG Service Accunt. Step 5: Cnfigure Delegatin Rights n the SEG Service Accunt, EAS with SEG In additin t cnfiguring delegatin rights n the SEG server, the service accunt attached t the SEG Applicatin Pl must als be given delegatin permissins. Verify the Identity f the SEG 1. Launch Internet Infrmatin Services (IIS) Manager by selecting Start > Run. In the dialg bx type inetmgr and select OK. The IIS Manager windw appears. 2. In the left-hand Cnnectins pane, select the SEG server. 3. Click the Applicatin Pls flder. 4. In the right-hand Applicatin Pls pane, lcate the SecureEmailGateway. 17
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin 5. Under the Identity clumn, verify the identity f the SecureEmailGateway is Netwrk Service. Cnfigure Lcal Security Plicy fr SEG t Act as Part f the Operating System 1. On the SEG server, pen a cmmand prmpt by selecting Start > Run. 2. Type cmd and then select OK. 3. In the cmmand prmpt, type secpl.msc and then select OK. A Lcal Security Plicy windw displays. 4. In the left-hand pane, select Security Settings > Lcal Plicies > User Rights Assignments. 5. In the right-hand pane, under Plicy, select Act as part f the perating system. A dialg windw appears. 6. Click Add User r Grup. 7. Type the name f the Service Accunt attached t the Applicatin Pl. The name must be the same as the name assciated t the SEG (i.e., Netwrk Service). 8. Click OK. The Lcal Security Plicy windw displays. 18
Chapter 2: Exchange ActiveSync with SEG Installatin, Setup, and Cnfiguratin Cnfigure Lcal Security Plicy fr SEG t Impersnate a Client after Authenticatin 1. In the right-hand pane, under Plicy, duble-click n Impersnate a client after authenticatin. 2. The Service Accunt attached t the Applicatin Pl must be the same as the name assciated t the SEG (i.e., Netwrk Service). Verify that name displays in the list. If nt, d the fllwing: a. Click Add User r Grup. b. Add the name f the Service Accunt. 3. Select the Service Accunt in the list (i.e., Netwrk Service). 4. Click OK. 19
Chapter 3: Testing and Trubleshting Trubleshting Overview, EAS with SEG 21 20
Chapter 3: Testing and Trubleshting Trubleshting Overview, EAS with SEG Yu can cnfirm that the SEG is perfrming certificate authenticatin by pushing a user s prfile t the device and testing whether r nt the device is able t cnnect and sync with the cnfigured SEG end-pint. If the device des nt cnnect and displays a message that the certificate cannt be authenticated r the accunt cannt cnnect t EAS, then the prblem is related t the cnfiguratin. Trubleshting Checks If Exchange server returns a 401, add NTLM and Negtiate as prviders t Windws Authenticatin. Make sure that a certificate is being issued by the CA t the device by checking the fllwing infrmatin. G t the internal CA Server, launch the certificatin authrity applicatin, and brwse t the issued certificates sectin. Find the last certificate that was issued and it shuld have a subject that matches the ne created in the certificate template sectin earlier in this dcument. If there is n certificate then there is an issue with the CA, client access server (e.g., SCEP), r with the AirWatch cnnectin t client access server. Check that the permissins f the client access server (e.g., SCEP) Admin Accunt are applied crrectly t the CA, and the template n the CA. Check that the accunt infrmatin is entered crrectly in the AirWatch cnfiguratin. Verify the Server URL and the SCEP Challenge URL cntain the crrect infrmatin and end with a /. 21
Chapter 3: Testing and Trubleshting Launch a brwser and enter the SCEP Challenge URL. The website shuld prmpt yu fr credentials. After entering the SCEP Admin Accunt username and passwrd, it shuld return with the challenge passphrase. If the certificate is being issued, make sure that it is in the Prfile Paylad and n the device. Navigate t Devices >Prfiles >List View. Click the actin icn fr the device and select </> View XML t view the prfile XML. There is certificate infrmatin that appears as a large sectin f text in the paylad. On the device, g t the prfiles list, select Details and see if the certificate is present. Cnfirm that the certificate cntains the Subject Alternative Name (r SAN) sectin and that in that sectin there is an Email and Principal name with the apprpriate data. If this sectin is nt in the certificate then either the template is incrrect f the certificate authrity has nt been cnfigured t accept SAN. Refer t Step 4: Cnfigure IIS fr Certificate Authenticatin n the SEG, EAS with SEG n page 12. Cnfirm that the certificate cntains the Client Authenticatin in the Enhanced Key Usage sectin. If this is nt present, then the template is nt cnfigured crrectly. If the certificate is n the device and cntains the crrect infrmatin, then the prblem is mst likely with the security settings n the SEG server. Cnfirm that the address f the SEG server is crrect in the AirWatch prfile and that all the security settings have been adjusted fr allwing certificate authenticatin n the SEG server. A very gd test t run is t manually cnfigure a single device t cnnect t the SEG/EAS server using certificate authenticatin. This shuld wrk utside f AirWatch and until this wrks prperly, AirWatch will nt be able t cnfigure a device t cnnect t EAS with a certificate. Refer t the External References and Dcuments sectin fr a link t a step by step guide fr cnfiguring a device t cnnect t EAS using a certificate. If nne f the steps abve reslve the prblem, try authenticating independent f AirWatch. This is dne by eliminating the AirWatch (e.g., SEG) and nly using a certificate t authenticate the device. If this desn t wrk then there are ther prblems ccurring. Until thse prblems are reslved, yu will nt be able t use the SEG t handle certificate authenticatin. If yu cannt authenticate, verify the clcks n the SEG and Kerbers. Kerbers prduces a ticket fr the SEG t authenticate the user n the mail server. The timestamp n that ticket must be n mre than five minutes apart frm the SEG s time clck. Verify the time clck n the SEG and Kerbers are within five minutes apart. Yu als might want t cnsider the use f Netwrk Time Prtcl daemns t keep all time clcks synchrnized. If yu cannt authenticate, evaluate yur netwrk. If yu nly have ne Kerbers server cnfigured, it is pssible the server is nt peratinal. Withut it, n ne can lg in. T stp this frm ccurring, yu might cnsider using multiple Kerbers servers and fallback authenticatin mechanisms. 22
Additinal SETSPN Cmmands, EAS with SEG View SPN: SETSPN l <cmputername Add SPN: SETSPN s <service>/<targetname> <cmputername> Remve SPN: SETSPN d <service>/<targetname> <cmputername> Query fr existing SPN: SETSPN Q <service>/<targetname> <cmputername> 23
Check fr duplicate SPN in the entire frest: SETSPN X 24
Install the Rle in IIS, EAS with SEG Windws Server 2008 r Windws Server 2008 R2 1. On the taskbar, select Start, pint t Administrative Tls, and then select Server Manager. 2. In the Server Manager hierarchy pane, expand Rles, and then select Web Server (IIS). 3. In the Web Server (IIS) pane, scrll t the Rle Services sectin, and then select Add Rle Services. 4. On the Select Rle Services page f the Add Rle Services Wizard, select Client Certificate Mapping Authenticatin, and then select Next. 5. On the Cnfirm Installatin Selectins page, select Install. 6. On the Results page, select Clse. Windws Server 2012 r Windws Server 2012 R2 1. On the taskbar, select Server Manager. 2. In Server Manager, select the Manage menu, and then select Add Rles and Features. 3. In the Add Rles and Features wizard, select Next. Select the installatin type and select Next. Select the destinatin server and select Next. 4. On the Server Rles page, expand Web Server (IIS), expand Web Server, expand Security, and then select Client Certificate Mapping Authenticatin. select Next. 5. On the Select features page, select Next. 6. On the Cnfirm installatin selectins page, select Install. 7. On the Results page, select Clse. 25
Accessing Other Dcuments Accessing Other Dcuments While reading this dcumentatin yu may encunter references t dcuments that are nt included here. The quickest and easiest way t find a particular dcument is t navigate t https://my.airwatch.cm/help/9.2/en/cntent/release_ntes/dc_list_pdfs.htm and search fr the dcument yu need. Each release-specific dcument has a link t its PDF cpy n AirWatch Resurces. Alternatively, yu can navigate t AirWatch Resurces n myairwatch (resurces.air-watch.cm) and search. When searching fr dcumentatin n Resurces, be sure t select yur AirWatch versin. Yu can use the filters t srt by PDF file type and Fr VMware AirWatch. 26