Unexpected behavior with smart card credentials in Outlook 2010 and Outlook 2013

Applies to: Microsoft Outlook 2010Outlook 2013

Symptoms


Your smart card PIN is blocked when you use Microsoft Outlook 2010 or Microsoft Outlook 2013 to connect to a mailbox on Microsoft Exchange Server.

Cause


The Outlook client is not properly configured to work with saved smart card credentials.

Resolution


Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To resolve this issue, remove any existing certificate-based credentials from the Credential Manager and use the EnableSmartCard registry setting.

Remove existing certificate based credentials

The first step to prevent a PIN lockout is to delete any existing certificate based credentials that were saved by Outlook.
  1. Open Control Panel.
  2. Double-click Credential Manager.
  3. See whether there is a Certificate-Based credential similar to the following:

    @@BSUgiZQZ54Pf6cEtxKflWHH

    Also, see whether there is a Generic credential similar to one of the following:

    MS.Outlook.14:user@domain.com:PUT
    MS.Outlook.15:user@domain.com:PUT

    Note 14 indicates Outlook 2010 saved the credential and 15 indicates Outlook 2013.
  4. If these are both present and were created or changed at the same time, they are likely smart card credentials saved from Outlook. Click the first credential to expand it and to show the details. Then, click Remove to delete the credential from Credential Manager.
  5. Repeat step 4 for each one of the credentials listed in step 3.
  6. When you are finished, close Credential Manager.

Configure the EnableSmartCard registry setting

The second step to prevent a PIN lockout is to create the EnableSmartCard registry setting.
Outlook 2010
For Outlook 2010, the EnableSmartCard registry setting was introduced with the Microsoft Outlook 2010 hotfix package dated December 13, 2011 (KB2597028). We recommend that you install the most recent build of Outlook 2010. For more information about the latest applicable updates for Outlook, click the following article number to view the article in the Microsoft Knowledge Base:
2625547 How to install the latest applicable updates for Microsoft Outlook (US English only)

To create the EnableSmartCard registry value, follow these steps:
  1. Exit Outlook.
  2. Start Registry Editor.
  3. Create the following registry values at the specified locations:

    Note Manually create any registry keys or values if they do not exist.

    Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\RPC
    DWORD: EnableSmartCard
    Value: 1
  4. Exit Registry Editor.

Outlook 2013
To create the EnableSmartCard registry value, follow these steps:
  1. Exit Outlook.
  2. Start Registry Editor.
  3. Create the following registry values at the specified locations:

    Note Manually create any registry keys or values if they do not exist.

    Key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\RPC
    DWORD: EnableSmartCard
    Value: 1
  4. Exit Registry Editor.

More Information


The EnableSmartCard registry setting adds the following functionality:
  • Presents a Credentials Dialog that supports smart card credentials.
  • Unpacks the authentication package from the credentials dialog so that the credentials can be used correctly.
The EnableSmartCard registry value was introduced in the Outlook 2010 hotfix package dated December 13, 2011. For more information about the hotfix package, click the following article number to view the article in the Microsoft Knowledge Base:
2597011 Description of the Outlook 2010 hotfix package (x64 Outlook-x-none.msp; x86 Outlook-x-none.msp): December 13, 2011