Connect using Client SSL Certificate

Hi there

I’ve been looking for a Windows 8 Exchange Web Services (EWS) capable client.  My company only exposes EWS and EAS (no OutlookAnywhere).

However, the kicker is we can only connect to ActiveSync or AWS with a valid Client User SSL Certificate that has been generated to our client devices.

Can I specify this within EM Client?  I need to use it for Transport Level encryption.

I have added the client cert to my PC and the Windows 8 Mail client works without a problem (this is activesync).  The EmClient does not work however to the same server (using EWS).

I have added the client certificate into Mail Settings and assigned it to my work email account.

Thanks

Hello Matt, eM Client does not support ActiveSync and can only synchronize your account using EWS, the Exchange Web Services protocol. If your user SSL certificate is set up correctly you should be able to connect using EWS, but if you’re forced to redirect to the ActiveSync server you won’t be able to fetch incoming data.

Did you set up the account using the automatic setup? Can you please make a screenshot of your account settings, or are you unable to finish the setup?

Regards,

Hi Paul

Thanks for taking the time to reply.

The error I am getting is “The request was aborted: Could not create SSL/TLS secure channel.”

Just to confirm, my question here is does Em Client support User Client Authentication SSL certificates?

The URL (this is also what I have configured in Em Client) is: https://outlook.company.com/EWS/Exchange.asmx

EWS definitely works.  Both EWS and EAS are exposed through the same URL.  

I have my user certificate from (private key) imported into my Personal Key User Store.

When I open this URL in Internet Explorer, it prompts me to select OK on “Confirm this certificate by clicking OK”; it works without an issue and loads /ews/Services.wsdl

For me to establish an SSL/TLS connection to EWS, I need a cert.  This establishes the SSL connection, then the username and password security is used.  Without my client using the user SSL certificate no session can be established.

Hope this makes sense.

Thanks, Matt

Not sure if this helps, but looking at event viewer, I can see this:

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.

How can I confirm that the user SSL certificate is being used as part of the session creation?
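One way to check this from the client side, as an added example that is not part of the original thread and is not eM Client code: the PowerShell sketch below lists the certificates in the current user's Personal store that are usable for client authentication, offers them in a TLS handshake, and reports which one, if any, was presented. It assumes the host name from the URL quoted above, a server that accepts TLS 1.2, and a server that asks for the client certificate during the initial handshake.

```powershell
# Added diagnostic sketch (not from the thread, not eM Client code).
param(
    [string]$HostName = 'outlook.company.com',  # host from the URL quoted in the thread
    [int]$Port = 443
)
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # "Client Authentication" enhanced key usage

function Test-ClientAuthEku($Cert) {
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $true }      # no EKU extension: usage is unrestricted
    return ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid
}

# Step 1: usable candidates (private key present, in validity period, client-auth EKU).
$now = Get-Date
$candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
    (Test-ClientAuthEku $_) })
"Candidate client certificates: $($candidates.Count)"
$candidates | ForEach-Object { "  $($_.Thumbprint)  $($_.Subject)" }

# Step 2: handshake offering those certificates, then report what was used.
$offered = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
$candidates | ForEach-Object { [void]$offered.Add($_) }
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    # Assumption: TLS 1.2 is accepted. The server certificate is validated against
    # the normal trust store; revocation checking is off to keep the test focused.
    $ssl.AuthenticateAsClient($HostName, $offered,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    "Negotiated protocol   : $($ssl.SslProtocol)"
    "Mutually authenticated: $($ssl.IsMutuallyAuthenticated)"
    if ($ssl.LocalCertificate) { "Certificate presented : $($ssl.LocalCertificate.Subject)" }
    else { 'Certificate presented : none' }
}
catch {
    # A handshake the server refuses (for example over the client certificate) ends up here.
    "Handshake failed: $($_.Exception.GetBaseException().Message)"
}
finally { $tcp.Close() }
```

A successful handshake with "Mutually authenticated: False" means no client certificate took part in the session; zero candidates in step 1 points at the store (missing private key, expired certificate, or wrong key usage) rather than at the mail client.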

Hello Matt, sorry for the belated reply, can you please go to Tools > Settings > Advanced, and enable Network logging in eM Client? Save the settings and restart the application, wait for the application to finish the initial sync and submit the network logging data to us using the “Send logs” button.

Please submit the data to my work mail, [email protected] and please include a reference link to this forum topic.

Thank you,

Sent.  Thank you Paul.

Hello again Matt, thank you for the received file, I can see that the application is unable to detect the SSL certificate in the store, I’ve discussed this issue with the developers and found it is unfortunately not completely supported or possible in eM Client to use this certificate with your account.

We’re currently using a method to fetch an SSL certificate from the Certificate store while using ActiveSync on Outlook.com servers, but unfortunately it is not possible to include this option for EWS - in your specific case. Unfortunately this method is not documented by Microsoft either which currently doesn’t allow us to improve this for use with your setup.

We’ll be however looking into more options on how to improve this behaviour, but unfortunately it is not possible to connect using this SSL certificate at the moment.

Thank you for reporting this and sorry for the inconvenience,

Hi Paul

Okay, not a problem - thank you so much for looking into this with your developers.

Is it possible to enable ActiveSync for an on-premise Exchange environment?  I’m happy to use either EAS or EWS.

Thanks, Matt

Hello Matt, unfortunately eM Client does not support ActiveSync for Exchange account setups due to the protocol licensing details.

Regards,