S/MIME Autoenrollment and Automatic Outlook Configurations

    Question

  • Hello,

    I hope this is the right forum for posting this message.

    I just finished deploying an AD CS (Active Directory Certificate Services) infrastructure in my organization in order to create S/MIME certificates for all users to allow them to Sign and Encrypt emails.

    I'm using Windows 2008 Enterprise Edition, and Exchange 2007.
    All users have Outlook 2007 on their workstations.

    I duplicated the User Certificate Template and configured Autoenrollment for users and the appropriate GPO as well - and users are getting their certificate correctly.

    I do have other questions:

    1. The User template includes more than just digitally signing and encrypting emails (EFS for example). Is there any other template that I can duplicate that does only signing and encryption of emails?

    2. After each user got his new certificate, I still need to go to the Outlook of each user in order to configure it under Options -> Trust Center and mark "Digitally sign" and "Encrypt" for all outgoing emails. Is there a way to do it by script or GPO (ADM)?

    3. Under the Outlook Trust Center settings, there is an option to "Publish To GAL". Although I'm performing Autoenrollment, and each user got his certificate in the Active Directory, I still can't send a new encrypted email to someone before he sends me a digitally signed email and I reply to it. Is there another way to do it, or to perform the "Publish to GAL" by a script?

    Best Regards,

    Ploni.

    Monday, January 26, 2009 11:22 AM

Answers

  • Hi Ploni,

    1) The User certificate template is definitely not the best choice for email encryption and signing. First of all, I recommend using separate email and signing certificates. If you combine them (and archive the encryption certificate), then it is possible to recover a signing certificate (allowing impersonation).

    I would recommend duplicating the following certificate templates:

    Signing = Exchange Signature Only

    Encryption = Exchange User

    For each, enable autoenrollment for your target global or universal group. Ensure that you only have enabled E-mail name as a SAN.

    2) The user will have to go into Trust Center once and once only. Outlook will automatically choose the correct certificates for signing and encryption (as long as you use my recommendations above and only issue one certificate of each type to each user). Also ensure that no other certificates, like User or a copy of User, are deployed. Otherwise, they need to carefully choose the correct certificates.

    3) There is no need to publish to GAL as long as you enabled the Publish certificate in Active Directory option in the encryption certificate. Investigate the user's userCertificate attribute. This is the attribute that contains the user's certificate. The Publish To GAL button is a throwback to Exchange 5.x when user S/MIME certificates (if X.509v3) were signed in a PKCS#7 envelope and published to the userSMIMECertificate attribute (to prove that they had an X.509v3 and not an X.509v1 certificate issued by KMS).

    Brian

    Monday, January 26, 2009 9:31 PM
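    An added example, not part of Brian's answer or any Microsoft tooling: a PowerShell script that reads the userCertificate attribute Brian points to, decodes each published certificate, and reports whether signing (DigitalSignature) and encryption (KeyEncipherment) are split across separate certificates, whether the Secure Email EKU is present, and whether the user's mail address appears in the SAN. It assumes the ActiveDirectory RSAT module on a domain-joined machine; -SamAccountName and -Server are the script's own parameters.

```powershell
<#
  Added example (not from the thread): inspect the certificates a user has
  published to AD via userCertificate and check the points Brian raises.
  Assumptions: ActiveDirectory module available; -Server (optional) names a
  DC or domain that holds the user account.
#>
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$Server
)
Import-Module ActiveDirectory

$adArgs = @{ Identity = $SamAccountName; Properties = 'userCertificate', 'userSMIMECertificate', 'mail' }
if ($Server) { $adArgs['Server'] = $Server }
$user = Get-ADUser @adArgs

if (-not $user.userCertificate -or $user.userCertificate.Count -eq 0) {
    Write-Warning "$SamAccountName has no userCertificate values, so Outlook cannot look up an encryption certificate for this recipient. Check that the template publishes to AD and that the CA can write to the user object."
    return
}

$emailProtectionOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (Secure Email EKU)
$sanOid             = '2.5.29.17'           # subjectAltName
$kuFlags            = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

$report = foreach ($raw in $user.userCertificate) {
    # Each attribute value is the DER-encoded certificate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)

    $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }

    $canSign    = $ku -and ((($ku.KeyUsages) -band $kuFlags::DigitalSignature) -ne 0)
    $canEncrypt = $ku -and ((($ku.KeyUsages) -band $kuFlags::KeyEncipherment) -ne 0)
    $role = if ($canSign -and $canEncrypt) { 'Combined' }
            elseif ($canEncrypt)           { 'Encryption' }
            elseif ($canSign)              { 'Signing' }
            else                           { 'Other' }

    [pscustomobject]@{
        Role           = $role
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        SecureEmailEku = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $emailProtectionOid }))
        SAN            = if ($san) { $san.Format($false) } else { '(none)' }
    }
}

$report | Format-Table -AutoSize

# Warnings that mirror the advice in the thread
if ($report | Where-Object { $_.Role -eq 'Combined' }) {
    Write-Warning 'A published certificate carries both DigitalSignature and KeyEncipherment. If its key is archived, key recovery also yields a usable signing key.'
}
foreach ($r in 'Signing', 'Encryption') {
    $n = @($report | Where-Object { $_.Role -eq $r }).Count
    if ($n -gt 1) { Write-Warning "$n $r certificates are published for this user; Outlook may not pick the one you expect. Revoke and unpublish the stale ones." }
}
if ($report | Where-Object { -not $_.SecureEmailEku }) {
    Write-Warning 'At least one published certificate lacks the Secure Email EKU and will not be usable for S/MIME.'
}
if ($user.mail -and -not ($report | Where-Object { $_.SAN -match [regex]::Escape($user.mail) })) {
    Write-Warning "No published certificate carries $($user.mail) as an RFC822 name in the SAN."
}
if ($user.userSMIMECertificate) {
    "userSMIMECertificate is also populated ($($user.userSMIMECertificate.Count) value(s)); someone has used Publish to GAL for this user."
}
```

    Run it as `.\Check-UserSmimeCerts.ps1 -SamAccountName jdoe` from a workstation with RSAT; the table gives one row per published certificate and the warnings call out exactly the conditions Brian describes (combined signing/encryption usage, more than one certificate per role, a missing e-mail SAN).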

All replies

  • Hi Brian,


    In regards to your answer to #3 - In my experience, even if I've selected "Publish Certificate in Active Directory" in the template and have had users autoenroll against that template, when I check their AD profiles, I see that neither "userCertificate" nor "userSMIMECertificate" exists.  If I have the user manually select their cert in Outlook and click "Publish to GAL", then the "userSMIMECertificate" attribute appears in their profile and is populated with the cert thumbprint.  "userCertificate" remains unpopulated.  Does that sound strange?

    In my environment, we have Exchange 2003 and Win2K3 domain controllers.  

    Monday, July 26, 2010 7:25 PM
  • On Mon, 26 Jul 2010 19:25:08 +0000, Mike Bruno wrote:

    Hi Brian,

    In regards to your answer to #3 - In my experience, even if I've selected "Publish Certificate in Active Directory" in the template and have had users autoenroll against that template, when I check their AD profiles, I see that neither "userCertificate" nor "userSMIMECertificate" exists. If I have the user manually select their cert in Outlook and click "Publish to GAL", then the "userSMIMECertificate" attribute appears in their profile and is populated with the cert thumbprint. "userCertificate" remains unpopulated. Does that sound strange?

    In my environment, we have Exchange 2003 and Win2K3 domain controllers.

    You need to look at the event log on your CA(s) and check for errors
    regarding publishing to AD. The CA should definitely be able to publish to
    AD.
    Can you describe your AD infrastructure and PKI deployment a little bit?
    Are you CA(s) members of the Cert Publishers group in the domain that
    contains your user accounts?


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Monday, July 26, 2010 7:31 PM
  • Paul,

    Thanks, I think I answered my own question yesterday.  The CA was not in the cert publishers group in the domain where the user accounts live.  Once the EA takes care of that for me, I think I'll be in good shape.  Luckily, we haven't enrolled many users yet.  This is an easy one that I should have caught :(

    Tuesday, July 27, 2010 12:31 PM
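    The two checks Paul suggests, and the cause Mike confirmed, as an added PowerShell example (not code from either of them): for every enterprise CA it verifies membership in the Cert Publishers group of the domain that holds the user accounts, handling the cross-domain case where the member is stored as a foreign security principal, and pulls recent CA-service errors and warnings from each CA's Application log. It assumes the ActiveDirectory module and remote event-log access to the CAs; -UserDomain is a placeholder for your own user domain, and the CA hostnames are discovered from the Enrollment Services container unless passed with -CaHost. The event source names are an assumption ('CertSvc' on older CAs, 'Microsoft-Windows-CertificationAuthority' on newer ones).

```powershell
<#
  Added example (not from the thread): check Cert Publishers membership and
  CA publishing errors, as Paul suggests.
  Assumptions: ActiveDirectory module; RPC access to the CAs' event logs;
  $UserDomain is a placeholder for the domain containing the user accounts.
#>
param(
    [Parameter(Mandatory = $true)][string]$UserDomain,   # e.g. 'users.example.invalid' (placeholder)
    [string[]]$CaHost = @()                              # CA FQDNs; discovered from AD if omitted
)
Import-Module ActiveDirectory

if ($CaHost.Count -eq 0) {
    # Enterprise CAs register a pKIEnrollmentService object in the configuration partition
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"
    $CaHost = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
              ForEach-Object { $_.dNSHostName }
}

# Member DNs of Cert Publishers in the users' domain. A computer from another
# domain is stored as a foreign security principal whose CN is its SID.
$members = @((Get-ADGroup -Identity 'Cert Publishers' -Server $UserDomain -Properties member).member)

foreach ($ca in $CaHost) {
    $short    = ($ca -split '\.')[0]
    $caDomain = ($ca -split '\.', 2)[1]
    $computer = Get-ADComputer -Filter "name -eq '$short'" -Server $caDomain
    if (-not $computer) { Write-Warning "Computer account for $ca not found in $caDomain"; continue }

    $sid      = $computer.SID.Value
    $isMember = ($members -contains $computer.DistinguishedName) -or
                [bool]($members | Where-Object { $_ -like "CN=$sid,CN=ForeignSecurityPrincipals,*" })

    # Recent CA-service errors/warnings; source name depends on OS (assumption)
    try {
        $events = Get-EventLog -ComputerName $ca -LogName Application -EntryType Error, Warning -Newest 200 |
                  Where-Object { $_.Source -match 'CertSvc|CertificationAuthority' } |
                  Select-Object -First 10 TimeGenerated, EventID, Message
    } catch {
        $events = $null
        Write-Warning "Could not read the Application log on $ca : $_"
    }

    [pscustomobject]@{
        CA                        = $ca
        InCertPublishersOfUserDom = $isMember
        RecentCaErrors            = @($events).Count
    }

    if (-not $isMember) {
        Write-Warning "$ca is not in Cert Publishers of $UserDomain; it cannot write userCertificate on users there."
    }
    $events | ForEach-Object { "{0} {1} {2} : {3}" -f $ca, $_.TimeGenerated, $_.EventID, ($_.Message -split "`n")[0] }
}
```

    After adding a CA's computer account to Cert Publishers, restart the CA service (or reboot) so the service token picks up the new group membership; certificates issued before the fix are not published retroactively, which is why Mike was fortunate to have enrolled only a few users.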
  • Hi guys,

    I've a problem with this.

    My autoenrollment doesn't work.

    I've made those 2 templates via Windows Server 2008 PKI & Certificate Security and I want to autoenroll them, but it doesn't work.

    Template info:

    -On the Request tab I've set "Prompt the user during enrollment and require user input when the private key is used"

    -On the Security tab I've enabled Enroll and Autoenroll for Domain Users

    -On the Subject tab I've set "Build from this Active Directory information" on E-mail name

    Is there anything else I have to do to make autoenrollment work?

    I have done autoenrollment for EFS and code signing/document signing. This works perfectly.

    Does anyone have a suggestion on this?

    Thanks

    Wednesday, April 10, 2013 7:39 AM
  • Solved the problem -.- I didn't notice the notification in the bottom right corner.

    Thanks anyway ;-)

    Wednesday, April 10, 2013 8:28 AM
  • Hi Brian,

    We have an issue with this. Everything is set up as you say, but if we don't additionally publish the certificate to the GAL, we can't send encrypted emails to a person. We run Exchange and Office 2013. The certificates are in the AD. The right certificate is also selected by Outlook 2013. Up to there everything is OK.

    But it's impossible to send an encrypted email to someone in the company if we don't sign the email first and then, on the other side, this person adds the signature to his Outlook contact.

    Alain

    Thursday, June 18, 2015 1:03 PM