General username and password authentication to Exchange Server 2010 ActiveSync, while good enough for most purposes, can become troublesome in environments that have complex requirements, for example an environment where user accounts require password changes on a regular basis.
Although a user can log in to Outlook Web App or use a desktop computer to change their password, no such method exists for ActiveSync clients. In addition, the experience on the mobile device when a user changes their Active Directory password is less than ideal and can cause end-user issues such as account lockouts. With certificate-based authentication to Exchange ActiveSync, the end user no longer uses a password to authenticate to Exchange, but instead uses a private and public key pair to identify the user accessing Microsoft Exchange.
This also has the benefit that by ensuring that only clients presenting a valid certificate can gain...