Sending S/MIME encrypted mail from OWA returns the error "Outlook Web Access could not find your digital ID for encryption."
Users are unable to send S/MIME signed or encrypted mail from OWA. A dialog box displays the following error message:
Outlook Web Access could not find your digital ID for encryption. If your digital ID is on a smart card, insert the card in the card reader, and then try to send the message again. You may also try sending the message unencrypted.
If your digital ID is not trusted by the Exchange server, you cannot use it to encrypt messages. For more information, contact technical support for your organization.
The user certificate's Subject or Subject Alternative Name field must contain an SMTP address that is listed on the account used to log in to OWA.
In a default installation of Exchange Server 2007 or Exchange Server 2010, if the user certificate is issued to an SMTP address that is not listed on the Active Directory account, OWA does not use the certificate and reports that it cannot find the digital ID.
Note: In order to use S/MIME features in Outlook Web Access, you must be running Exchange Server 2007 SP1 or later versions of Exchange.
- Click Start, click Run and type regedit and press Enter.
- Expand HKLM\System\CurrentControlSet\services\MSExchangeOWA\SMIME
- Right-click the SMIME key, point to New, and then click DWORD (32-bit) Value
- Name the new DWORD value AllowUserChoiceOfSigningCertificate
- Double click AllowUserChoiceOfSigningCertificate and set the value to 1.
- Close the registry editor
- Click Start, click Run, type cmd, and then press Enter.
- From the command prompt run IISReset /noforce. Alternatively, you can restart the IIS Admin service in Services.msc.
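The following PowerShell script is an added example and is not part of this article. It performs the check described in the cause (does the certificate carry an SMTP address that is listed on the mailbox?) and, only when the -EnableUserChoice switch is given, applies the registry change above and recycles IIS. It assumes it is run in the Exchange Management Shell on the Client Access server so that Get-Mailbox resolves; the certificate path, the mailbox identity, and the -EnableUserChoice switch are assumptions introduced for the example.

```powershell
# Added example, not part of KB 2497165. Run in the Exchange Management Shell on the
# Client Access server so that Get-Mailbox resolves. The parameters are assumptions
# introduced for this example: $CertPath is an exported user certificate (.cer),
# $Mailbox identifies the OWA user, and -EnableUserChoice applies the registry change.
param(
    [string]$CertPath = 'C:\temp\user.cer',
    [string]$Mailbox  = 'user@contoso.com',
    [switch]$EnableUserChoice
)

# Collect every e-mail address the certificate carries: the E= component of the
# Subject and each RFC822 Name in the Subject Alternative Name extension (OID 2.5.29.17).
function Get-CertificateEmailAddresses {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $addresses = @()
    if ($Cert.Subject -match '(?:^|,\s*)E=([^,]+)') { $addresses += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders one entry per line, e.g. "RFC822 Name=user@contoso.com"
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'RFC822 Name=(.+)$') { $addresses += $Matches[1].Trim() }
        }
    }
    $addresses | Sort-Object -Unique
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$certAddresses = @(Get-CertificateEmailAddresses -Cert $cert)

# All SMTP proxy addresses on the mailbox (primary and secondary), without the "SMTP:" prefix.
$mailboxAddresses = @((Get-Mailbox -Identity $Mailbox).EmailAddresses |
    Where-Object { $_.PrefixString -eq 'SMTP' } |
    ForEach-Object { $_.SmtpAddress })

# -contains is case-insensitive in PowerShell, which is how SMTP addresses are compared here.
$matched = @($certAddresses | Where-Object { $mailboxAddresses -contains $_ })
if ($matched.Count -gt 0) {
    Write-Host "OK: $($matched -join ', ') is listed on the mailbox; OWA accepts this certificate."
    return
}

Write-Warning "Certificate addresses [$($certAddresses -join ', ')] are not listed on mailbox $Mailbox [$($mailboxAddresses -join ', ')]."
Write-Warning "Preferred fix: reissue the certificate for a listed address, or add that address to the mailbox."

if (-not $EnableUserChoice) { return }

# The article's alternative: let the user pick the signing certificate. OWA then skips
# the address match for signing certificates, so apply this deliberately, not as a default.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeOWA\SMIME'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'AllowUserChoiceOfSigningCertificate' `
    -PropertyType DWord -Value 1 -Force | Out-Null
iisreset /noforce
```

Run it without -EnableUserChoice first: if the certificate's address is listed on the mailbox, the registry change is not the fix and something else (for example, certificate trust on the Exchange server) is at fault. Reissuing the certificate for a listed address keeps the address check in place; the registry value removes that check for signing certificates for every OWA user on the server.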
After you configure the registry value, the user sees a new section under E-Mail security in the OWA options that allows the user to manually pick the signing certificate.
- Log in to OWA and click Options
- Click Email security
- Under the "Select Certificate for Mail Signing" section, change the radio button to "manually pick the certificate"
- Click "Choose Signing Certificate..."
A new window will open displaying available user certificates
- Select the appropriate certificate and click OK
When the user sends signed mail, it is signed with the certificate that was selected. The selection process does not check the SMTP address in the certificate's Subject or Subject Alternative Name extension against the SMTP addresses of the user account in Active Directory, so the user can sign mail with a certificate whose address does not match the account. Enable AllowUserChoiceOfSigningCertificate only where that behavior is acceptable.
With an Outlook client, you can turn off e-mail address matching for certificates via a client-side registry key. The steps for the Outlook client are documented in the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/276597.
For more information on managing S/MIME settings for OWA, see the following topics from TechNet online.
How to Manage S/MIME for Outlook Web Access (Exchange Server 2007)
Manage S/MIME for Outlook Web App (Exchange Server 2010)
Article ID: 2497165 - Last Review: 01/25/2011 20:42:00 - Revision: 4.0