Setup of OWA S/MIME in Exchange 2013 SP1

    Question

  • I'm in the process of migrating my users from Exchange 2010 SP3 to Exchange 2013 SP1 and have come across a problem with the S/MIME configuration.  I have followed the TechNet articles regarding S/MIME configuration and have an in-house CA, set up the virtual certificate repository and have valid user certificates.  I followed the below articles:

    https://technet.microsoft.com/en-us/library/dn554259%28v=exchg.160%29.aspx

    https://technet.microsoft.com/en-us/library/dn626158(v=exchg.150).aspx

    https://technet.microsoft.com/en-us/library/dn626155(v=exchg.150).aspx

    I currently have 2 user mailboxes on this Exchange server.  Both have valid "User" certificates but for some reason only 1 is able to send encrypted email, but both are able to read encrypted email.  I'm not sure if it is a permissions issue or not but my Admin mailbox which was created during installation is the one that is able to both send/receive encrypted emails and my user mailbox can only read encrypted emails.  

    Both accounts' S/MIME settings show that I have the latest S/MIME version installed, 4.0500.15.0.1178.4

    I began looking into Set-SMIMEConfig -OWAEncryptionAlgorithms from the below URL hoping this would help.  Initially the OWAEncryptionAlgorithms value was only set to "6610" but I was unsure what encryption algorithm my User certificate uses so I added all the possible encryption algorithms, with no luck. 

    https://www.granikos.eu/en/justcantgetenough/PostId/178/the-mysterious-exchange-smimeconfig-algorithms

    At this point my main "User" account is unable to encrypt or sign emails.  The options to Encrypt or Digitally Sign the emails under Message options are grayed out so I can't even select the options.  If I go to Gear Icon-->S/MIME Settings and check all 3 options and save it my messages still do not go out encrypted.

    I'm really stumped on this one right now.  Any ideas?  Everything worked fine on my Exchange 2010 setup.

    Below is my Get-SMIMEConfig, anyone see anything wrong with this?

    [PS] C:\Windows\system32>get-smimeconfig


    RunspaceId                                       : fadaa926-249c-4e89-b6b9-65e6e14119c4
    OWACheckCRLOnSend                                : False
    OWADLExpansionTimeout                            : 60000
    OWAUseSecondaryProxiesWhenFindingCertificates    : True
    OWACRLConnectionTimeout                          : 60000
    OWACRLRetrievalTimeout                           : 10000
    OWADisableCRLCheck                               : False
    OWAAlwaysSign                                    : False
    OWAAlwaysEncrypt                                 : False
    OWAClearSign                                     : True
    OWAIncludeCertificateChainWithoutRootCertificate : False
    OWAIncludeCertificateChainAndRootCertificate     : False
    OWAEncryptTemporaryBuffers                       : True
    OWASignedEmailCertificateInclusion               : True
    OWABCCEncryptedEmailForking                      : 0
    OWAIncludeSMIMECapabilitiesInMessage             : True
    OWACopyRecipientHeaders                          : False
    OWAOnlyUseSmartCard                              : False
    OWATripleWrapSignedEncryptedMail                 : False
    OWAUseKeyIdentifier                              : False
    OWAEncryptionAlgorithms                          : 6602:40;6602:56;6602:64;6602:128;6601;6603;660E;660F;6610
    OWASigningAlgorithms                             : 8804
    OWAForceSMIMEClientUpgrade                       : True
    OWASenderCertificateAttributesToDisplay          :
    OWAAllowUserChoiceOfSigningCertificate           : True
    SMIMECertificateIssuingCA                        : {0, 0, 0, 0, 67, 69, 82, 84, 4, 0, 0, 0, 1, 0, 0, 0...}
    SMIMECertificatesExpiryDate                      : 11/23/2018 1:24:50 PM
    SMIMEExpiredCertificateThumbprint                : THUMBPRINT DATA
    AdminDisplayName                                 :
    ExchangeVersion                                  : 0.1 (8.0.535.0)
    Name                                             : Smime Configuration
    DistinguishedName                                : CN=Smime Configuration,CN=Global Settings,CN=DOMAIN,CN=Microsoft
                                                       Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=int
    Identity                                         : Smime Configuration
    Guid                                             : ff4344dd-148e-4b24-95e0-ee97424245ae
    ObjectCategory                                   : DOMAIN.int/Configuration/Schema/ms-Exch-Container
    ObjectClass                                      : {top, container, msExchContainer}
    WhenChanged                                      : 6/1/2016 11:29:50 AM
    WhenCreated                                      : 5/25/2016 10:27:18 AM
    WhenChangedUTC                                   : 6/1/2016 3:29:50 PM
    WhenCreatedUTC                                   : 5/25/2016 2:27:18 PM
    OrganizationId                                   :
    Id                                               : Smime Configuration
    OriginatingServer                                : DC.DOMAIN.int
    IsValid                                          : True
    ObjectState                                      : Unchanged


    ----E----

    Wednesday, June 1, 2016 4:14 PM
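The OWAEncryptionAlgorithms and OWASigningAlgorithms values in the Get-SmimeConfig output above are Windows CryptoAPI ALG_ID constants in hex (from wincrypt.h), with an optional ":bits" suffix for the RC2 key length. The script below is an added example, not code from this thread or from Microsoft; it decodes those strings, flags the entries a defender would not want OWA to offer (DES, RC2 at any length, MD5, SHA-1), and shows an assumed AES-only Set-SmimeConfig remediation as a commented line. The signing value 8804 shown in the posted output is not in the standard ALG_ID table, so the script reports it as unknown rather than guessing a name. The sample $cfg object is constructed to match the question's output; on a real server use Get-SmimeConfig instead.

```powershell
# Added example: decode Exchange SmimeConfig algorithm lists (CryptoAPI ALG_ID hex values)
# and flag weak entries. Runs stand-alone; replace $cfg with Get-SmimeConfig on a server.

# ALG_ID constants from wincrypt.h (symmetric ciphers OWA can offer)
$encryptionIds = @{
    '6601' = 'DES (56-bit)'
    '6602' = 'RC2'
    '6603' = '3DES'
    '660E' = 'AES-128'
    '660F' = 'AES-192'
    '6610' = 'AES-256'
}
# ALG_ID constants from wincrypt.h (hash algorithms for signing)
$signingIds = @{
    '8003' = 'MD5'
    '8004' = 'SHA-1'
    '800C' = 'SHA-256'
    '800D' = 'SHA-384'
    '800E' = 'SHA-512'
}
# Entries to flag: DES, RC2 (any key length), MD5, SHA-1
$weakIds = @('6601', '6602', '8003', '8004')

function ConvertFrom-SmimeAlgorithmList {
    param(
        [string]$List,       # semicolon-separated value as returned by Get-SmimeConfig
        [hashtable]$Names    # lookup table for the list's algorithm family
    )
    foreach ($entry in ($List -split ';' | Where-Object { $_ })) {
        # "6602:40" -> id 6602, key length 40; "6601" -> id 6601, no key length
        $id, $bits = $entry -split ':'
        $id = $id.ToUpper()
        if ($Names.ContainsKey($id)) { $name = $Names[$id] } else { $name = "unknown ALG_ID $id" }
        [pscustomobject]@{
            Id      = $id
            KeyBits = $bits
            Name    = $name
            Weak    = ($weakIds -contains $id)
        }
    }
}

# Constructed sample equal to the values in the question; on a real server run:
#   $cfg = Get-SmimeConfig
$cfg = [pscustomobject]@{
    OWAEncryptionAlgorithms = '6602:40;6602:56;6602:64;6602:128;6601;6603;660E;660F;6610'
    OWASigningAlgorithms    = '8804'
}

$encryption = ConvertFrom-SmimeAlgorithmList -List $cfg.OWAEncryptionAlgorithms -Names $encryptionIds
$signing    = ConvertFrom-SmimeAlgorithmList -List $cfg.OWASigningAlgorithms    -Names $signingIds

"Encryption algorithms offered by OWA:"
$encryption | Format-Table Id, KeyBits, Name, Weak -AutoSize
"Signing algorithms offered by OWA:"
$signing | Format-Table Id, Name, Weak -AutoSize

$weakCount = @($encryption + $signing | Where-Object { $_.Weak }).Count
"Weak entries found: $weakCount"

# Assumed remediation (not the thread's fix): offer AES only and SHA-256 signing.
# Run from the Exchange Management Shell after confirming client and recipient support.
# Set-SmimeConfig -OWAEncryptionAlgorithms '6610;660F;660E' -OWASigningAlgorithms '800C'
```

Adding every algorithm to the list, as the question describes, does not help a mailbox whose Encrypt option is greyed out, and it widens what OWA will negotiate; once the actual cause is found, the list is best trimmed back to the AES entries.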

Answers

  • Thanks, I figured it out.  Good job ----E----!

    ----E----

    • Marked as answer by ehans67 Monday, June 6, 2016 6:09 PM
    Monday, June 6, 2016 6:09 PM
  • Sure thing, it was literally a check box for me.  I did have everything set up correctly but my user account didn't have the options to send encrypted emails even though it did have a valid User cert.  I had to sign onto OWA from my user account and go to Options.  Under settings there is a Message Format section and I had "Always show From" checked.  Once I unchecked it I was good.


    ----E----

    Tuesday, June 7, 2016 1:16 PM

All replies

  • Hi,

    Did you export a valid certificate from the root CA?

    We need to export the certificate to an SST file, then use this SST file to configure S/MIME. For example:

    [PS] C:\Windows\system32>Get-ChildItem -Path cert:\LocalMachine\root\"Insert RootCA thumbprint" | Export-Certificate -FilePath C:\temp\allcerts.sst -Type SST
    [PS] C:\Windows\system32>Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content c:\temp\allcerts.sst -Encoding Byte)

    Here's a similar thread about Exchange 2013 S/MIME setup, for your reference:
    https://social.technet.microsoft.com/Forums/en-US/1b964b36-9129-4fe3-b321-7eca297cb850/exchange-2013-smime-setup?forum=exchangesvrsecuremessaging


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Thursday, June 2, 2016 7:33 AM
    Moderator
  • Yeah, that is my post from when I first set up S/MIME.

    ----E----

    Thursday, June 2, 2016 12:51 PM
  • Those were my steps to finally get it implemented.  It worked fine for my Admin account that I installed exchange with, but when I moved 1 mailbox over to EX13 I can't encrypt anything from that user but I can read encrypted emails.  My options to encrypt from my user mailbox are grayed out but not from my admin mailbox.

    ----E----

    Thursday, June 2, 2016 1:22 PM
  • If I wanted to start from scratch how could I remove the RootCA cert from Set-SMIMEConfig?

    ----E----

    Thursday, June 2, 2016 2:52 PM
  • Anyone have any ideas?

    ----E----

    Friday, June 3, 2016 1:57 PM
  • Hi,

    Glad that the issue is solved. Would you please share your resolution?


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Tuesday, June 7, 2016 1:18 AM
    Moderator