Smartcard-based Certificates are deleted from the local Certificate store when logging on to OWA

Article ID: 2000394

Symptoms

When you log on to Outlook Web Access (OWA), you cannot digitally sign or encrypt e-mail messages using smartcard-based Certificates.

You also find that your smartcard-based certificates are deleted from the local Certificate Store.

Cause

When the certificates have been removed, they are not available for any messaging client.

This issue can occur if the following conditions are true:

  • On the workstation used for the OWA session, the S/MIME control for Exchange Server 2003 is installed, either alone or in addition to the S/MIME control for Exchange Server 2007 Service Pack 1.
  • Internet Explorer is not running in "Protected Mode" for the OWA web site's Security zone.

Scenarios in which this is likely to happen are:

  • The Exchange mailbox is homed on an Exchange Server 2003 Back-End and accessed via an Exchange Server 2007 Client Access Server.
  • The user has been migrated to a mailbox on an Exchange Server 2007 Mailbox server and has not removed the S/MIME Control for Exchange Server 2003 from Add/Remove Programs.


Resolution

There are two possible resolutions:

  • Remove and re-insert the Smartcard into the card reader after logging on to OWA.

    Note: This is the expected workflow.
  • Ensure that the OWA web site is listed in a Security zone that uses Protected Mode. This is available only for Internet Explorer 7 or higher running on Windows Vista or Windows 2008.

To configure the Security zone for the OWA web site, use the following steps:

  1. In Internet Explorer, click Tools, click Internet Options and click Security.
  2. Click the Security zone that is required (your choices are Internet, Local Intranet, Trusted Sites and Restricted Sites).

    Note: Many controls of OWA will not function correctly in the Restricted Sites zone or if the Security level for the zone used is too high.
  3. Check the box for "Enable Protected Mode (requires restarting Internet Explorer)", then click the Sites button.
  4. Add the OWA site to the list of sites by typing the URL, such as owa.contoso.com, and then click Add, then click Close.
  5. Click the Apply button, click OK and then restart Internet Explorer and connect to OWA.

    NOTE: When running in Protected Mode, Internet Explorer cannot automatically delete files from the local Certificates store.

More Information

To verify whether certificates are present, use one of the following methods:

Use Internet Explorer

  1. In Internet Explorer, click Tools, click Internet Options, click the Content tab and click the Certificates button.
  2. Click the Personal tab and verify that your certificate is present.
    Note: One of the intended purposes of the Certificate should be "Secure Email".

Use Windows

  1. Click Start, click Run, type the following path and then press Enter:

    %userprofile%\Application Data\Microsoft\SystemCertificates\My\Certificates
  2. Verify that a file containing the Thumbprint value of your certificate is present.
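The two checks above can be scripted so the store can be compared before and after an OWA session. The following PowerShell is an added example, not part of the KB article; it assumes PowerShell 2.0 or later on Windows and uses $env:TEMP for the baseline file (a constructed location, not one the article names).

```powershell
# Added example (not from the KB article): list the current user's Secure Email
# certificates, confirm each one's backing file exists in the SystemCertificates
# folder the article points at, and detect certificates that disappear after logon.

$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection, shown as "Secure Email"
$StoreDir     = Join-Path $env:APPDATA 'Microsoft\SystemCertificates\My\Certificates'
$BaselinePath = Join-Path $env:TEMP 'smime-cert-baseline.txt'   # assumed location

function Get-SecureEmailCert {
    # Personal store of the current user, limited to certificates whose Enhanced Key
    # Usage includes Secure Email; these are the ones OWA uses to sign and encrypt.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SecureEmailOid }
    }
}

function Test-CertFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Each store entry is persisted as a file named by the certificate's SHA-1 thumbprint,
    # which is the file the article's "Use Windows" steps ask you to look for.
    Test-Path (Join-Path $StoreDir $Cert.Thumbprint)
}

function Save-CertBaseline {
    # Record the thumbprints present now; run this before logging on to OWA.
    Get-SecureEmailCert | ForEach-Object { $_.Thumbprint } | Set-Content $BaselinePath
}

function Compare-CertBaseline {
    # Run after the OWA session: returns thumbprints that were in the baseline but
    # are no longer in the store. No output means nothing was deleted.
    $now = @(Get-SecureEmailCert | ForEach-Object { $_.Thumbprint })
    Get-Content $BaselinePath | Where-Object { $now -notcontains $_ }
}

# Report the current state: one line per certificate and whether its store file exists.
Get-SecureEmailCert | ForEach-Object {
    '{0}  {1}  file present: {2}' -f $_.Thumbprint, $_.Subject, (Test-CertFile $_)
}
```

Call Save-CertBaseline before the OWA logon and Compare-CertBaseline afterwards; any thumbprint it returns is a certificate that was removed during the session, which is the symptom this article describes.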
Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2000394 - Last Review: November 25, 2009 - Revision: 8.0
APPLIES TO
  • Microsoft Exchange Server 2007 Service Pack 1
Keywords: KB2000394