Solved

Email Security (S/MIME)

Posted on 2004-04-08
5,241 Views
Last Modified: 2010-08-05
Hi

I have followed the steps to create secure email using Email Security (S/MIME). I have also created my own CA on my 2003 server. I am running AD 2003 and Exchange 2003.

The CA installed fine, and I can use OWA over HTTPS without issue. I now want to be able to secure email in Outlook, but I'm not sure how to import a certificate into Outlook so I can encrypt or digitally sign my emails.

Thanks for any help
Question by:kjman
18 Comments
 

Expert Comment

by:David Wilhoit
Did you enable auto-enrollment for the clients? There's a good article on msexchange.org for this.

http://msexchange.org/tutorials/Email_Security_with_Exchange_2003.html

My full compliments to Markus Klein.....

D

Author Comment

by:kjman
Hi

I followed that article to set this up, and it seems to be working. My problem is: how do I import a cert or digital ID into Outlook so I can encrypt email? I have to have a certificate that Outlook sees to be able to do this, and this is my issue.

Funny thing is, from Outlook if I go to Tools > Options > Security and click the "Publish to GAL" button, I get a message that says "There are no valid security settings to publish. Would you like to remove your previously published settings?" If I click Yes to this, it removes the certificate that I imported to my account in ADUC using the Published Certificates tab.

Skip

Expert Comment

by:David Wilhoit
So it seems to auto-enroll, but Outlook doesn't recognize it; is that the case now? What version of Outlook are you using?

D

Author Comment

by:kjman
Yes, it appears to auto-enroll just fine. I'm running Outlook 2003, and I'm accessing the remote Exchange server via RPC over HTTP, and my workstation is not part of the 2003 AD domain. I'm starting to think that my XP Pro workstation must have a computer account in the AD domain?

Thanks again for the help with this.
LVL 24

Expert Comment

by:David Wilhoit
I'll have to dig around for that one; I haven't seen this problem before. Hang in there....

d

Author Comment

by:kjman
OK, thanks again.

Skip

Expert Comment

by:David Wilhoit
http://support.microsoft.com/default.aspx?scid=kb;en-us;833401

Obtain a certificate from a third-party certification authority (CA).

To enable and to require SSL for all communications between the RPC proxy server and the Outlook clients, you must obtain and publish a certificate at the default Web site level. Microsoft recommends that you purchase your certificate from a third-party certification authority whose certificates are trusted by a wide variety of Web browsers.

Important As an alternative, you can use the Certification Authority tool in Windows to install your own certification authority. By default, Web browsers do not trust your root certification authority in this scenario. When a user tries to connect in Outlook 2003 by using RPC over HTTP, that user loses the connection to Exchange. The user is not notified. The user loses the connection when any one of the following conditions is true:
The client does not trust the certificate.
The certificate does not match the name that the client tries to connect to.
The certificate date is incorrect.
Therefore, you must make sure that the client computers trust the certification authority. For additional information about how to trust a root certification authority, click the following article number to view the article in the Microsoft Knowledge Base:
297681 Error message: This security certificate was issued by a company that you have not chosen to trust

Any of this look familiar to your situation?

D

Author Comment

by:kjman
I have already installed my own CA, and I am accessing the Exchange server via RPC and HTTPS, and it is working fine. In order for client web browsers to trust your CA, the client must first install your CA, or the CA that you have installed/built. Client machines can do this by going to, for example, https://mail.insuranceskillscenter.com/rootinstall.asp. Once you install the certificate you will no longer get a prompt that says "this certificate is not a trusted certificate", because you have installed the company's root CA in your web browser's list of trusted CAs.

This part is working like a charm.
Skip

Expert Comment

by:David Wilhoit
OK, just checking.

When you use the Publish to GAL feature, the public key is written to the UserSMIMECertificate Active Directory object. When you are in an environment that uses a Certificate Server, your public key is automatically written to the UserCertificate object.

Check to see where or if this key is being written. Is it possible that the user objects already have something in place, that needs to be removed for this value?

D

Accepted Solution

by:David Wilhoit (earned 500 total points)
oh, and 128 bit only, right?

D

Author Comment

by:kjman
When I hit the "Publish to GAL" button it thinks that there are no valid security settings to publish, and then it asks if I want to remove my previously installed certificate. What cert is it referring to? I can't see one in Outlook. I think I should be able to go to https://domainname.com/certsrv and then download the certificate that I set up to encrypt my email. Once the cert has been downloaded I should then be able to import this certificate from within Outlook; then, once imported, I would be good to go.

Do you mean to look in the Certificates MMC snap-in? When I do, I see no certificate in the "Active Directory User Object" store. Is this the store you are referring to? I should be able to import it if this is indeed the right store for the certificate.

Skip

Author Comment

by:kjman
Yes, it is all 128-bit.

Expert Comment

by:David Wilhoit
Yeah, I'm just trying to think in terms of the web client, since you're connecting as a web client with Outlook. If the Exchange server has downloaded the cert, as it would need to do for OWA S/MIME, then you should be able to connect with Outlook over HTTPS in the same manner as OWA connects... at least that's my theory at the moment. I'm not in a position to test this theory. Since it's also operating in cached mode, it makes me wonder if it's behaving like an offline client... something to look at....

D

Author Comment

by:kjman
Holy sh#$#t, I got this to work, and from screwing around with it so much I'm finding it hard to remember exactly what I did to get this to work. I wanted to let you know, and I will report back in a few minutes with what I think I did to get this to work.

Skip

Author Comment

by:kjman
OK, this is what I did.

I went to the Certificates MMC snap-in and set the focus to the current user (I say this because when you open this MMC it asks you what user you want to set the focus on). I then drilled down to the Personal certificate store. I found the certificate that I issued to myself earlier, right-clicked on it, went to All Tasks and then highlighted Export. On the export page I chose to export the private key, gave it a password, and then exported this key to the desktop. I then, from within the Certificates MMC, highlighted the Active Directory User Object certificates folder, right-clicked on the Certificates folder, and selected Import. I then browsed for the certificate that I exported earlier, selected this cert, and imported it into the Active Directory User Object store.

I still had to, and I'm not entirely sure I had to do this step, but from the server I emailed myself the exported certificate from the Personal store in the Certificates snap-in. Once I got this cert on my PC, I was able to import it using Outlook.

My last question would be: if I want to send an encrypted email to a user who could be on any type of email server, does the server the recipient belongs to need to have its CA in place in order to decrypt and read the email?

Thanks again for your help; you certainly got me thinking in the right direction.
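The manual procedure just described (find the enrolled cert in the Personal store, export it with its private key, confirm the public half is on the AD user object) and the earlier point about auto-enrollment writing UserCertificate while "Publish to GAL" writes UserSMIMECertificate can both be checked from a script. The following is an added example, not code from the thread or from Microsoft. It assumes a current Windows client with the PKI and ActiveDirectory (RSAT) PowerShell modules, a domain the client can reach, and the enrolled S/MIME certificate in Cert:\CurrentUser\My; the mailbox address, account name and output path are placeholders to edit.

```powershell
# Added example (not from the original thread). Assumes: PKI + ActiveDirectory
# PowerShell modules, reachable domain, S/MIME cert enrolled in CurrentUser\My.
$Email          = 'skip@example.com'       # assumed mailbox address
$SamAccountName = $env:USERNAME            # assumed AD account name
$PfxPath        = Join-Path $env:USERPROFILE 'Desktop\smime-backup.pfx'

$SecureEmailEku = '1.3.6.1.5.5.7.3.4'      # id-kp-emailProtection
$SanOid         = '2.5.29.17'              # subjectAltName

function Test-SmimeCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Address)
    # Outlook only offers a cert for signing/decrypting if it has a private key,
    # is time-valid, carries the Secure Email EKU and names the mailbox address.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
    $san = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } |
            ForEach-Object { $_.Format($false) }) -join ';'
    [pscustomobject]@{
        Thumbprint   = $Cert.Thumbprint
        HasKey       = $Cert.HasPrivateKey
        TimeValid    = ($Cert.NotBefore -le (Get-Date)) -and ($Cert.NotAfter -gt (Get-Date))
        SecureEmail  = ($eku -contains $SecureEmailEku)
        NamesMailbox = ($san -match [regex]::Escape($Address)) -or
                       ($Cert.Subject -match "E=$([regex]::Escape($Address))")
        ChainTrusted = $Cert.Verify()     # false when the issuing CA root is not trusted
    }
}

# 1. Local store: which certificates qualify for this mailbox?
$results = foreach ($c in Get-ChildItem Cert:\CurrentUser\My) {
    Test-SmimeCertificate $c $Email | Add-Member -NotePropertyName Cert -NotePropertyValue $c -PassThru
}
$results | Select-Object Thumbprint, HasKey, TimeValid, SecureEmail, NamesMailbox, ChainTrusted |
    Format-Table -AutoSize
$cert = ($results | Where-Object { $_.HasKey -and $_.TimeValid -and $_.SecureEmail -and $_.NamesMailbox } |
         Sort-Object { $_.Cert.NotAfter } -Descending | Select-Object -First 1).Cert
if (-not $cert) { throw "No usable S/MIME certificate for $Email in CurrentUser\My" }

# 2. Directory: is the public certificate on the user object? Auto-enrollment
#    writes userCertificate (raw DER); Outlook's "Publish to GAL" writes
#    userSMIMECertificate (a PKCS#7 blob, decoded here with SignedCms).
Add-Type -AssemblyName System.Security
$u = Get-ADUser -Identity $SamAccountName -Properties userCertificate, userSMIMECertificate
$adThumbs = @()
foreach ($raw in $u.userCertificate) {
    $adThumbs += ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)).Thumbprint
}
foreach ($raw in $u.userSMIMECertificate) {
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([byte[]]$raw)
    $adThumbs += $cms.Certificates | ForEach-Object Thumbprint
}
"Published on AD user object: $($adThumbs -join ', ')"
if ($adThumbs -notcontains $cert.Thumbprint) {
    Write-Warning "Cert $($cert.Thumbprint) is not on the AD user object; GAL lookups cannot find a key to encrypt to you."
}

# 3. Export with the private key for import on the remote Outlook machine
#    (the thread's manual step). This fails if the enrollment template did not
#    mark the private key exportable.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw | Out-Null
"Exported $($cert.Thumbprint) to $PfxPath"
```

Two caveats. `Verify()` builds a chain with the machine's current trust settings and may go online for revocation, so a false result on a non-domain workstation usually just means the private root CA has not been installed there yet, which is the same trust problem the KB excerpt above describes for RPC over HTTP. And the PFX produced in step 3 contains the private key: treat the file and its password as secrets and delete the file after the import, rather than leaving it on a desktop or in a mailbox.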

Expert Comment

by:David Wilhoit
That tells me that something got missed before, though I'm not sure how. The AD user object must get this cert written to the object before the client can use it. So although auto-enroll said it happened, it apparently had not. Once it was on the user object, the next step should, and I say should, have been unnecessary, because auto-enroll is supposed to write this object for you. You did it manually. The Outlook import should happen in the AE process as well.

So, for the last part, not sure. I would think that for encryption, they would need to trust your particular CA, which is why third-party is suggested. Otherwise, I'd reason that only recipients in your local domain CA would be able to decrypt the messages. Not 100% on that one; my PKI knowledge is very limited, though it's a "push" of mine right now.

Congrats!

D

Author Comment

by:kjman
I also wanted to mention that a remote user should be able to go to https://domainname.com/certsrv and install the proper certificate for encrypting emails. Once the certificate has been installed on the local machine, in my experience the user still needed to load the Certificates MMC snap-in, go to the Personal certificates folder, right-click on the certificate that you just got done downloading, and select Export. Doing this will convert the certificate to a .pfx file, with an envelope-looking icon. Then from within Outlook you can import this .PFX file and you are all set.

I'm interested in your thoughts on this.

Skip

Expert Comment

by:David Wilhoit
Sounds like it would work to me. I'm experimenting at home with a setup for PKI, but I hadn't given much consideration to remote clients other than OWA. I'll be checking it out soon though. I'd like to implement PKI at my current place of employ :)

D