Sending S/MIME encrypted mail from OWA returns the error "Outlook Web Access could not find your digital ID for encryption."

Article ID: 2497165

Symptoms

Users are unable to send S/MIME signed and/or encrypted mail in OWA. A dialog box displays the following error message:

Outlook Web Access could not find your digital ID for encryption. If your digital ID is on a smart card, insert the card in the card reader, and then try to send the message again. You may also try sending the message unencrypted.

If your digital ID is not trusted by the Exchange server, you cannot use it to encrypt messages. For more information, contact technical support for your organization.

Cause

The user certificate's Subject or Subject Alternative Name field must contain an SMTP address that is listed on the account used to log in to OWA.

In a default install of Exchange Server 2007 or Exchange Server 2010, OWA checks the e-mail address in the certificate against the SMTP addresses on the user's Active Directory account (the mailbox's e-mail addresses). If the certificate was issued to an SMTP address that is not listed on the account, OWA will not use the certificate.

Note: S/MIME features in Outlook Web Access require Exchange Server 2007 SP1 or a later version of Exchange.
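The following PowerShell script is an added example, not part of this article, for checking ahead of time whether a user's certificate will pass the default OWA match described above. It reads the e-mail address from the certificate Subject ("E=") and the RFC822 Name entries of the Subject Alternative Name extension, and compares them with a list of Exchange proxy addresses. The proxy addresses shown are a constructed sample (alice@contoso.com and alice.smith@contoso.com are hypothetical); on an Exchange server you would pass `(Get-Mailbox <user>).EmailAddresses` instead. The SAN parsing relies on the English "RFC822 Name=" label that the .NET `Format()` method emits on Windows.

```powershell
# Added example (not from the KB): does a certificate carry an e-mail address that
# is also an SMTP proxy address of the mailbox? That is the match OWA requires by
# default before it will use the certificate for S/MIME.

function Get-CertificateEmailAddresses {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $addresses = @()

    # Subject "E=" component (emailAddress, OID 1.2.840.113549.1.9.1)
    foreach ($part in ($Certificate.Subject -split ',\s*')) {
        if ($part -match '^E=(.+)$') { $addresses += $Matches[1].Trim() }
    }

    # rfc822Name entries of the Subject Alternative Name extension (OID 2.5.29.17).
    # Format($true) returns one entry per line, e.g. "RFC822 Name=alice@contoso.com".
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'RFC822 Name=(\S+)') { $addresses += $Matches[1] }
        }
    }
    return @($addresses | Select-Object -Unique)
}

function Test-CertificateMatchesMailbox {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Exchange proxy-address strings such as "SMTP:alice@contoso.com" (primary) or
        # "smtp:alias@contoso.com" (secondary). In production: (Get-Mailbox $user).EmailAddresses
        [Parameter(Mandatory)][string[]]$ProxyAddresses
    )
    # Keep only SMTP addresses (drop X500:, X400:, SIP: and similar) and normalise case.
    $mailboxSmtp = @($ProxyAddresses | ForEach-Object {
        if ($_ -match '^smtp:(.+)$') { $Matches[1].ToLowerInvariant() }
    })
    $certEmails = @(Get-CertificateEmailAddresses -Certificate $Certificate |
        ForEach-Object { $_.ToLowerInvariant() })
    $common = @($certEmails | Where-Object { $mailboxSmtp -contains $_ })

    [pscustomobject]@{
        Thumbprint           = $Certificate.Thumbprint
        CertificateAddresses = $certEmails
        MailboxAddresses     = $mailboxSmtp
        UsableInOwa          = ($common.Count -gt 0)
    }
}

# Constructed sample mailbox addresses; replace with (Get-Mailbox <user>).EmailAddresses.
$proxy = @('SMTP:alice@contoso.com', 'smtp:alice.smith@contoso.com', 'X500:/o=Contoso/ou=First Administrative Group/cn=Recipients/cn=alice')

# Check every certificate in the signed-in user's personal store that has a private
# key and the Secure Email EKU (OID 1.3.6.1.5.5.7.3.4), i.e. the S/MIME candidates.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.4') } |
    ForEach-Object { Test-CertificateMatchesMailbox -Certificate $_ -ProxyAddresses $proxy } |
    Format-Table -AutoSize
```

A certificate that reports UsableInOwa = False against the real mailbox addresses will produce the error in the Symptoms section; either reissue it to one of the listed SMTP addresses, add that address to the mailbox, or use the registry value described under Resolution.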

Resolution

To resolve this issue, obtain a digital ID that is issued to an SMTP address listed on your Exchange Server mailbox account.

If you have a digital ID that can be used for S/MIME e-mail, but its SMTP address does not match your Exchange Server mailbox account, the Exchange administrator can instead enable the following registry value. This adds an option in OWA that lets users select the certificate that will be used to sign outgoing messages, and the OWA client bypasses the SMTP name check for a certificate selected this way.
 
Use the steps below to enable this OWA feature.
 
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  1. Click Start, click Run, type regedit and press Enter.
  2. Expand HKLM\System\CurrentControlSet\services\MSExchangeOWA\SMIME
  3. Right-click the SMIME key, click New, and click DWORD (32-bit) Value.
  4. Name the new DWORD value AllowUserChoiceOfSigningCertificate
  5. Double-click AllowUserChoiceOfSigningCertificate and set the value to 1.
  6. Close Registry Editor.
  7. Click Start, click Run, type cmd and press Enter.
  8. From the command prompt run IISReset /noforce. Alternatively, you can restart the IIS Admin service in Services.msc.
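The following PowerShell script is an added example, not part of this article, that performs the same registry change and IIS recycle from an elevated prompt on the Client Access server, and can also turn the option off again. The function names are hypothetical. One assumption that the article does not state: setting the value back to 0 (or deleting it) restores the default SMTP-address check, since the article only documents setting it to 1.

```powershell
# Added example (not from the KB): enable or disable AllowUserChoiceOfSigningCertificate
# and recycle IIS, equivalent to steps 1-8 above. Run from an elevated PowerShell prompt
# on the Exchange Client Access server.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeOWA\SMIME'
$ValueName = 'AllowUserChoiceOfSigningCertificate'

function Get-OwaSigningCertificateChoice {
    # Returns the current DWORD value, or $null when the value is absent (the default install).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$ValueName }
    return $null
}

function Set-OwaSigningCertificateChoice {
    param([Parameter(Mandatory)][bool]$Enabled)

    if (-not (Test-Path $KeyPath)) {
        # The SMIME key exists on a default install; created here only so the script is idempotent.
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # Assumption (not stated in the KB): 0 restores the default SMTP-address check.
    $desired = if ($Enabled) { 1 } else { 0 }
    if ((Get-OwaSigningCertificateChoice) -eq $desired) {
        Write-Host "$ValueName is already $desired; nothing to do."
        return
    }

    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $desired -Force | Out-Null
    Write-Host "$ValueName set to $desired; recycling IIS so OWA reads the new value."
    & iisreset /noforce
}

# Enable the feature (steps 1-8 above) and report the value now in effect.
Set-OwaSigningCertificateChoice -Enabled $true
Get-OwaSigningCertificateChoice

# To back the change out later:  Set-OwaSigningCertificateChoice -Enabled $false
```

Because this value disables a check that ties the signing certificate to the sender's mailbox, keep the disable path handy and record when and why the value was set.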

Once the registry value is configured, users see a new section under E-Mail Security in the OWA options that lets them manually pick the signing certificate.

  1. Log in to OWA and click Options.
  2. Click E-Mail Security.
  3. Under "Select Certificate for Mail Signing", select the "manually pick the certificate" option.
  4. Click "Choose Signing Certificate...".
     A new window opens that displays the available user certificates.
  5. Select the appropriate certificate and click OK.

When the user sends signed mail, it is signed with the certificate that was selected. The selection process does not check the SMTP address in the Subject or Subject Alternative Name extensions of the certificate against the SMTP addresses of the user account in Active Directory, so the check described in the Cause section is not enforced for a manually selected certificate.

More Information

With an Outlook client, you can turn off e-mail matching for certificates with a client-side registry key. The complete steps for the Outlook client are documented in the following article: http://support.microsoft.com/kb/276597.

 For more information on managing S/MIME settings for OWA, see the following topics from TechNet online.

How to Manage S/MIME for Outlook Web Access (Exchange Server 2007)
http://technet.microsoft.com/en-us/library/bb738151(EXCHG.80).aspx

Manage S/MIME for Outlook Web App (Exchange Server 2010)
http://technet.microsoft.com/en-us/library/bb738151.aspx

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2497165 - Last Review: January 25, 2011 - Revision: 4.0
APPLIES TO
  • Microsoft Exchange Server 2007 Service Pack 1
  • Microsoft Exchange Server 2007 Service Pack 2
  • Microsoft Exchange Server 2007 Service Pack 3
  • Microsoft Exchange Server 2010 Enterprise
  • Microsoft Exchange Server 2010 Service Pack 1
  • Microsoft Exchange Server 2010 Standard
Keywords: 
KB2497165
