How to resolve users getting locked out of directory accounts when using certificate authentication
This article applies to Mobile Email Management deployments in AirWatch that use certificate authentication for mobile devices. In these implementations, it is often necessary to populate the credential fields in the Exchange ActiveSync (EAS) profile even if you are not using basic authentication (whether this is needed depends on the client used and the overall network). If no credentials are provided during the basic authentication step, authentication may fail even if the user's certificate is correct. If a user's normal directory credentials are supplied, the user may become locked out of their directory account after attempting to authenticate via certificate.
When configuring an EAS profile in the AirWatch Console that uses certificate authentication as single-factor authentication, we recommend configuring a "dummy" email address/username in the appropriate fields. This ensures that a user's directory account does not get locked out during the authentication flow, and that if a client attempts basic authentication before certificate authentication, the process successfully moves on to certificate authentication.
Note: If two-factor authentication is required (using both basic and certificate authentication), then "dummy" variables cannot be used in these fields.