Single Sign on provides users with seamless and secure access to corporate email.

Xen Mobile Device Manager directly integrates in to a public key infrastructure (PKI) providers in order to generate and deliver certificates to devices. User Certificate Authentication is the same, regardless of whether the CA is built by Microsoft, Cisco, Symantec, Entrust, etc. The user certificates is created based in user attributes usually User Principal Name, then we can validate authentication based in the status of the certificate.


  • Digital Signature
  • Expiration date
  • Revoked status
  • Private key, Public possession

Once device is enrolled in to the XDM, certificates for authentication could be generated and delivered to devices, via policy or XDM/AppC integration. Reference this PDF file on to configure PKI integration for XenMobile.

Now that you have the  important pieces together, your PKI integration is working and you can push certificates to your device using XDM policies. Lets get in to WorxMail and Certificate Authentication. XenMobile Device Manager and XenMobile Appcontroller integration provides CBA for WorxHome as defined on the XenMobile Authentication document. When enabled XDM will request and push a Certificate to the device WorxHome including the User Principal Name certificate for that user. This certificate is then securely stored and password protected (WorxPin)  in Worx Home Secure Vault. making it available for WorxMail when Certificate Base Authentication is enabled in Exchange Active Sync.

  • Option 1  Configure Exchange for Certificate Base Authentication, in this scenario WorxMail will need to point directly to EAS CaS and the CaS Virtual Directory needs to be configure for Client Base Authentication see document attached.

  • Option 2  When using Netscaler for Load Balancing and offloading CaS traffic, the user certificate is usually not passed to the client.  Netscaler AAA Provides Kerberos Constraint Delegation, where we could use the Certificate to provide authentication at the Netscaler using an authentication server, then delegating the authentication to the CaS server using a Keytab account. See document attached in how to configure KCD for WorxMail SSO using Netscaler.