When you log on to Outlook Web Access (OWA), you cannot digitally sign or encrypt e-mail messages using smartcard-based Certificates.
You also find that your smartcard-based certificates are deleted from the local Certificate Store.
When the certificates have been removed, they are not available for any messaging client.
This issue can occur if the following conditions are true:
- On the workstation used for the OWA session, the S/MIME control for Exchange Server 2003 is installed, either alone or in addition to the S/MIME control for Exchange Server 2007 Service Pack 1.
- Internet Explorer is not running in "Protected Mode" for the OWA web site’s Security zone.
Scenarios in which this is likely to happen are:
- The Exchange mailbox is homed on an Exchange Server 2003 Back-End and accessed via an Exchange Server 2007 Client Access Server.
- The user has been migrated to a mailbox on an Exchange Server 2007 Mailbox server and has not removed the S/MIME Control for Exchange Server 2003 Add/Remove Programs.
There are two possible resolutions:
Remove and re-insert the Smartcard into the card reader after logging onto OWA.
Note: This is the expected work flow.
Ensure that the OWA web site is listed in a Security zone that uses Protected Mode. This is available only for Internet Explorer 7 or higher running on Windows Vista or Windows 2008.
To configure the Security zone for the OWA we site, use the following steps:
- In Internet Explorer, click Tools, click Internet Options and click Security.
- Click the Security zone that is required (your choices are Internet, Local Intranet, Trusted Sites and Restricted Sites.
Note: Many controls of OWA will not function correctly in the Restricted Sites zone or if the Security level for the zone used is too high.
- Check the box for “Enable Protected Mode (requires restarting Internet Explorer), then click the Sites button.
- Add the OWA site to the list of sites by typing the URL, such as owa.contoso.com, and then click Add, then click Close.
- Click the Apply button, click OK and then restart Internet Explorer and connect to OWA.
NOTE: When running in "protected" mode, the Internet Explorer cannot automatically delete files from the local Certificates store.
To verify whether certificates are present, use one of the following methods:
Use Internet Explorer
- In Internet Explorer, click Tools, click Internet Options, click the Content tab and click the Certificates button.
- Click the Personal tab and verify that your certificate is present.
Note: One of the intended purposes of the Certificate should be "Secure Email"
- Click Start, click Run and type the following command and click enter:
- Verify that a file containing the Thumbprint value of your certificate is present.
for other considerations.
Article ID: 2000394 - Last Review: November 25, 2009 - Revision: 8.0
- Microsoft Exchange Server 2007 Service Pack 1