OWA 2010: Body of S/MIME signed mails not visible

    Question

  • Hello,

    I'm in the process of migrating my Ex2003 environment to Ex2010. When using OWA with a mailbox on the Ex2010 mailbox server, the body of S/MIME signed mails is not visible. I can see the sender and the subject but the text field just tells me "This message has a digital signature. The digital signature couldn't be validated because the S/MIME control isn't available." but nothing else. After installing the control, the mail is properly displayed when using IE but clients who don't have IE are out of luck.

    In my test environment, the above message is also displayed but at least I can read S/MIME signed mails using FF etc.

    I can't figure out what the difference between test and production is... I have quite a flat environment (1 Ex2003 front-end, 1 Ex2003 back-end, 1 Ex2010 CAS and 1 Ex2010 mailbox server) and followed the Exchange 2010 deployment wizard.

    Any hint would be greatly appreciated.

    Georg.

    Monday, June 13, 2011 12:15 PM

Answers

  • Hi,

    I just wanted to let you know what I found out with the help of Microsoft Support. There appears to be an issue in the communication between the Exchange 2003 mailbox server and Exchange 2010, and in our configuration with a Unix mail gateway for external messages, it only affects internal senders. So it is much less serious than it originally seemed... simply migrate users who are using S/MIME to Exchange 2010 first.

    Georg.


    Thursday, July 21, 2011 7:20 AM

All replies

  • Hi:
       >>After installing the control, the mail is properly displayed when using IE but clients who don't have IE are out of luck.
          Which browser do your clients use (Firefox? Is your system a Mac)?
          Why don’t your clients download and install IE 7/8?
          Do your clients log in to OWA Light mode? It is not supported.
       >>In my test environment, the above message is also displayed but at least I can read S/MIME signed mails using FF etc
        If IE/FF works well, the configuration of OWA is correct.
        Users must have a digital ID and must install the S/MIME control for Outlook Web App before they can send encrypted and digitally-signed messages using Outlook Web App. They must also have a digital ID and the S/MIME control to read encrypted messages in Outlook Web App. The S/MIME control is necessary to verify the signature on a digitally-signed message.
        1. You should make sure your users install the S/MIME control and certificate on their workstations.
        2. You should update the browser version and restore it to its default settings.


    Tuesday, June 14, 2011 2:09 AM
  • Hello,

    thanks for the response. We are a mixed environment (Windows, Linux, Solaris, Mac), so I have to have OWA run with non-IE browsers. Users do not use light mode.

    Users just want to be able to simply READ digitally signed messages, so they don't need their own digital ID, and they don't need the S/MIME control.

    In my test environment, it works as it should. In production, it doesn't. Users see the sender and the subject but not the body of the mail. So far, I haven't found any browser which could display the entire mail (including IE without the control), so this appears to be a server issue.

    What could the problem be?

    Georg.


    Tuesday, June 14, 2011 9:23 AM
  • Hi
    Requirements to Support S/MIME in Outlook Web App
       
    S/MIME requires that users sign in to Outlook Web App using Microsoft Internet Explorer 7 or Internet Explorer 8. In addition to requiring Internet Explorer 7 or Internet Explorer 8, S/MIME also requires that Secure Sockets Layer (SSL) be used by the /owa virtual directory. S/MIME is not supported in Outlook Web App Light.

    Using S/MIME in Outlook Web App
          Users must have a digital ID and must install the S/MIME control for Outlook Web App before they can send encrypted and digitally-signed messages using Outlook Web App. They must also have a digital ID and the S/MIME control to read encrypted messages in Outlook Web App. The S/MIME control is necessary to verify the signature on a digitally-signed message.

    The S/MIME control for Outlook Web App is installed on a user’s computer by using the SMIME tab in Options. After the user has received a digital ID and the S/MIME control has been installed on their computer, they can use S/MIME to help secure e-mail mail messages.
    You can read this article.
    http://technet.microsoft.com/en-us/library/bb738140.aspx
    Can you try to install the S/MIME control and a digital ID for one Windows client in your production environment?
    Maybe the result can narrow down the issue.


    Thursday, June 16, 2011 1:44 AM
  • Hi,

    I think I understand the requirements to use the full functionality of S/MIME. My only requirement is that users be able to read digitally signed messages using non-IE browsers. I understand that they will neither be able to verify the digital ID nor read encrypted messages.

    When I install the S/MIME control it works as designed for the IE but FF, Google Chrome etc are still out of luck.

    In the meantime I have installed a second mailbox server and tried the client access on the first mailbox server (which also has the CAS role installed). Still no luck.

    The only difference between test and production that comes to my mind is that in the test bed Rollup 2 was installed first and Rollup 3-v3 later on while in production, Rollup 3-v3 was installed directly. I uninstalled Rollup 3-v3 on the CAS/MBX server and on the second MBX server and went to Rollup 2, but that doesn't work either.

    Georg.

    Thursday, June 16, 2011 6:20 AM
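Whether a signed message can be read at all by a browser that has no S/MIME control depends on how it was signed. RFC 5751 allows two layouts: clear-signed (multipart/signed), where the text is an ordinary MIME part followed by a detached PKCS#7 signature, and opaque-signed (application/pkcs7-mime; smime-type=signed-data), where the text is wrapped inside the CMS blob and a client without a CMS parser shows only an smime.p7m attachment and no body. The example below is added here and is not code from the thread or from Microsoft; the two messages it parses are constructed, with a filler base64 blob that is not a real PKCS#7 structure. The thread does not say which layout the Exchange 2003-originated mails had, so this illustrates the distinction, not the diagnosed cause.

```python
# Added example (not from the original thread): classify an S/MIME message by
# its outer layout and return the text that a client without an S/MIME
# control could display. The signature is never verified here.
import email
from email import policy


def smime_kind(msg):
    """Classify a parsed message by its outer S/MIME layout."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return "clear-signed"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "signed-data":
            return "opaque-signed"
        if smime_type == "enveloped-data":
            return "encrypted"
        return "pkcs7-unknown"
    return "plain"


def readable_body(raw):
    """Return (kind, body_text_or_None, note) for a raw RFC 822 message.

    Answers only "can a plain MIME client show the text?"; it does not
    validate the signature or the signer's certificate.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    kind = smime_kind(msg)
    if kind == "clear-signed":
        parts = msg.get_payload()
        if len(parts) != 2:
            return kind, None, "malformed multipart/signed: expected two parts"
        inner = parts[0]  # RFC 1847: first part is the signed content
        body = inner.get_body(preferencelist=("plain", "html"))
        if body is None:
            return kind, None, "signed content has no text part"
        return kind, body.get_content(), "text outside the PKCS#7 blob; signature unverified"
    if kind in ("opaque-signed", "encrypted", "pkcs7-unknown"):
        return kind, None, "text inside the PKCS#7 blob; a CMS parser is required"
    body = msg.get_body(preferencelist=("plain", "html"))
    return kind, (body.get_content() if body else None), "not S/MIME"


# Constructed samples (not real mail). FAKE_P7 is valid base64 filler only;
# it is not a real CMS SignedData structure.
FAKE_P7 = b"MIIBAgYJKoZIhvcNAQcCoIH0MIHxAgEBMQ0wCwYJYIZIAWUDBAIBAAA=\n"

CLEAR_SIGNED = (
    b"From: georg@example.com\n"
    b"To: user@example.com\n"
    b"Subject: clear-signed test\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    b' micalg=sha-256; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b'Content-Type: text/plain; charset="us-ascii"\n'
    b"Content-Transfer-Encoding: 7bit\n"
    b"\n"
    b"This body is readable without the S/MIME control.\n"
    b"\n"
    b"--b1\n"
    b'Content-Type: application/pkcs7-signature; name="smime.p7s"\n'
    b"Content-Transfer-Encoding: base64\n"
    b'Content-Disposition: attachment; filename="smime.p7s"\n'
    b"\n" + FAKE_P7 +
    b"--b1--\n"
)

OPAQUE_SIGNED = (
    b"From: georg@example.com\n"
    b"To: user@example.com\n"
    b"Subject: opaque-signed test\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"\n'
    b"Content-Transfer-Encoding: base64\n"
    b'Content-Disposition: attachment; filename="smime.p7m"\n'
    b"\n" + FAKE_P7
)


if __name__ == "__main__":
    for raw in (CLEAR_SIGNED, OPAQUE_SIGNED):
        kind, body, note = readable_body(raw)
        print(f"{kind}: {note}")
        if body:
            print("  body:", body.strip())
```

To check which layout a stuck message actually has, save it as .eml from a mailbox that shows the symptom and look at its top-level Content-Type header; `openssl smime -verify -noverify -in message.eml -out body.txt` will also extract the signed content from either layout (the `-noverify` flag skips the signer certificate check, so use it only for inspection).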
  • Hi
       Thank you for sharing your experience. Does the Unix mail gateway cause this error, or is there a bug between Exchange 2003 and Exchange 2010?
    Thursday, July 21, 2011 7:24 AM
  • I have probably chosen the wrong words. By internal users, I meant users who have their mailboxes on Exchange 2003. The bug (I would say it is a bug) is between Ex2003 and Ex2010. Interestingly enough, the Unix gateway forwards to the Ex2003. Such mails are readable in FF even if they are signed, only S/MIME signed mails which originate on the Ex2003 are unreadable in FF.

    Georg.

    Thursday, July 21, 2011 7:41 AM