In an Exchange 2003 FE/BE configuration, authentication on the default ActiveSync virtual directory is set to Basic. Admins have to rely on transport-level security, such as IPsec, to protect the credentials proxied from the front ends to the back ends.
After introducing the CAS role as a replacement for the FE, our group immediately ran into problems. The toughest problem was actually setting "Integrated Authentication", because the DS2MB service would overwrite our attempt to set it in the IIS snap-in. We found this KB, thanks to my co-worker, and that enabled us to set the correct authentication option.