HTTP 413 Errors in IIS logs with ActiveSync and Certificate Based Authentication

Scenario: After setting up Certificate Based Authentication for ActiveSync, users on mobile devices may experience the following error message: “Cannot Send Mail. The message was rejected by the server because it is too large”. When you check the IIS logs, you may see HTTP 413 errors. Our Environment: Exchange 2013, Windows Server 2012, IIS 8.0.
Reason: The client connection was dropped to prevent a deadlock. The server requests renegotiation for certificate authentication, and the content length the client is trying to send is larger than the value of the UploadReadAheadSize metabase property in IIS.
Workaround: The workaround below will re-bind the certificate to enable client certificate negotiation upfront.
Re-bind the certificate and enable ClientCertNegotiation:
1. netsh http show sslcert <– Copy the results to Notepad.
2. netsh http delete sslcert hostnameport=<hostname>:443
3. netsh http add sslcert hostnameport=<hostname>:443 certhash=<certhash> appid=<appid> certstorename=MY clientcertnegotiation=enable <– Use the copied results from step 1 to fill in these values.
Note: We have a separate IIS Site with EAS set up for Certificate Based Authentication. We use a separate certificate on this site so we can enable clientcertnegotiation on the certificate. Another workaround would be to change the UploadReadAheadSize on the Web Server, the website that hosts the EAS subsite, and the EAS subsite.
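The three steps above as one PowerShell run, added here as an example and not the original post's script: it reads certhash and appid from the binding netsh already reports instead of copying them from Notepad, prints the delete/add commands before doing anything, and refuses to delete a binding it cannot re-add. The hostname value and the netsh field labels used by the patterns ("Certificate Hash", "Application ID", "Negotiate Client Certificate") are assumptions; adjust them if your netsh output differs.

```powershell
param(
    [Parameter(Mandatory)][string]$HostnamePort,  # e.g. eas.contoso.com:443 (placeholder)
    [switch]$Apply                                # without -Apply, only print the commands
)

# Pull one "Label : value" field out of the netsh output; labels are assumed, see lead-in.
function Get-BindingField([string]$Text, [string]$Label, [string]$ValuePattern) {
    if ($Text -match "$Label\s*:\s*($ValuePattern)") { return $Matches[1] }
    throw "Could not read '$Label' from the existing binding for $HostnamePort."
}

$current = (netsh http show sslcert "hostnameport=$HostnamePort") | Out-String
if ($current -match 'Negotiate Client Certificate\s*:\s*Enabled') {
    Write-Host "clientcertnegotiation is already enabled for $HostnamePort; nothing to do."
    return
}
$certHash = Get-BindingField $current 'Certificate Hash' '[0-9A-Fa-f]{40,}'
$appId    = Get-BindingField $current 'Application ID'   '\{[0-9A-Fa-f-]{36}\}'

# Step 1: keep the original binding text so the change can be reverted by hand.
$backup = Join-Path $env:TEMP ("sslcert-{0}.txt" -f ($HostnamePort -replace '[:.]', '_'))
$current | Set-Content -Path $backup
Write-Host "Existing binding saved to $backup"

# Steps 2 and 3: the same netsh commands as above, with values taken from the live binding.
$deleteArgs = @('http', 'delete', 'sslcert', "hostnameport=$HostnamePort")
$addArgs    = @('http', 'add', 'sslcert', "hostnameport=$HostnamePort",
                "certhash=$certHash", "appid=$appId", 'certstorename=MY',
                'clientcertnegotiation=enable')
Write-Host "netsh $($deleteArgs -join ' ')"
Write-Host "netsh $($addArgs -join ' ')"
if (-not $Apply) { return }

& netsh @deleteArgs
if ($LASTEXITCODE -ne 0) { throw "netsh delete failed ($LASTEXITCODE); binding left as is." }
& netsh @addArgs
if ($LASTEXITCODE -ne 0) { throw "netsh add failed ($LASTEXITCODE); restore from $backup." }

# Confirm HTTP.sys now asks for the client certificate up front.
$after = (netsh http show sslcert "hostnameport=$HostnamePort") | Out-String
if ($after -notmatch 'Negotiate Client Certificate\s*:\s*Enabled') {
    throw "Re-bind done but negotiation still shows disabled; compare with $backup."
}
Write-Host "Client certificate negotiation enabled for $HostnamePort."
```

Run it once without -Apply from an elevated prompt to review the generated commands, then again with -Apply; the saved binding text in %TEMP% is what you would use to re-add the old binding if needed.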
