Article ID: 2497165
Users are unable to send S/MIME signed and/or encrypted mail in OWA. A dialog box displays the following error message.
The user certificate's Subject or Subject Alternative Name fields must contain an SMTP address that is listed on the account used to log in to OWA.
In a default install of Exchange Server 2007 or Exchange Server 2010, if the user certificate is issued to an SMTP address that is not listed on the Active Directory account, then OWA will not use the certificate.
Note: In order to use S/MIME features in Outlook Web Access, you must be running Exchange Server 2007 SP1 or later versions of Exchange.
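The following PowerShell is an added example, not code from this article or from OWA. It approximates the SMTP name check described above so an administrator can see which addresses a certificate carries and whether any of them is listed on the account. The function name `Test-OwaSmimeAddressMatch`, its parameters, and the sample certificate and addresses are hypothetical or constructed; it assumes Windows PowerShell 5.1 with .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
# Added example; Test-OwaSmimeAddressMatch and its parameters are hypothetical names.
using namespace System.Security.Cryptography.X509Certificates

function Test-OwaSmimeAddressMatch {
    param(
        [Parameter(Mandatory = $true)] [X509Certificate2] $Certificate,
        # proxyAddresses values of the account, e.g. 'SMTP:alice@contoso.com'
        [Parameter(Mandatory = $true)] [string[]] $ProxyAddresses
    )
    $certAddrs = @()
    # Subject: .NET renders the emailAddress attribute as "E=..."
    if ($Certificate.Subject -match '(?:^|,\s*)E=([^,]+)') { $certAddrs += $Matches[1].Trim() }
    # Subject Alternative Name (OID 2.5.29.17). Assumption: the formatted text labels
    # rfc822Name entries "RFC822 Name=" (English Windows) or "email:" (OpenSSL-based .NET).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), '(?:RFC822 Name=|email:)([^,\s]+)')) {
            $certAddrs += $m.Groups[1].Value
        }
    }
    # Keep only SMTP proxy addresses; X500, SIP and similar entries do not count
    $mailboxAddrs = @($ProxyAddresses | Where-Object { $_ -match '^smtp:' } |
        ForEach-Object { $_ -replace '^smtp:', '' })
    $matched = @($certAddrs | Where-Object { $mailboxAddrs -contains $_ })
    [pscustomobject]@{
        CertificateAddresses = $certAddrs
        MailboxAddresses     = $mailboxAddrs
        PassesSmtpNameCheck  = ($matched.Count -gt 0)
    }
}

# Constructed sample: self-signed certificate whose SAN carries an external address
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=Alice Example', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sanBuilder = [SubjectAlternativeNameBuilder]::new()
$sanBuilder.AddEmailAddress('alice@partner.example')
$req.CertificateExtensions.Add($sanBuilder.Build($false))
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

# Account that lists only its Exchange address (the mismatch this article describes)
Test-OwaSmimeAddressMatch -Certificate $cert -ProxyAddresses 'SMTP:alice@contoso.com', 'X500:/o=Contoso/cn=alice'
# Same certificate against an account that also lists the external address
Test-OwaSmimeAddressMatch -Certificate $cert -ProxyAddresses 'SMTP:alice@contoso.com', 'smtp:Alice@Partner.example'
```

For a real user, load the certificate from a .cer file with `New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 <path>` and pass the account's proxyAddresses values as strings.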
To resolve this issue, you must obtain a digital ID.
If you have a Digital ID that can be used for S/MIME e-mail, but the SMTP address does not match your Exchange Server mailbox account, the Exchange Administrator can enable the following registry value to allow for the selection of the user certificate. This allows users to select the certificate that will be used to sign outgoing messages. The OWA client will bypass the SMTP name check.
Use the steps below to enable this OWA feature.
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Once you have configured the registry key, the user will see a new option under the E-Mail security section in the OWA options. There will be a new section to allow the user to manually pick the signing certificate.
When the user sends signed mail, it will be signed with the certificate that was selected. The selection process does not check the SMTP address included in the Subject or Subject Alternative Name extensions of the certificate against the SMTP addresses for the user account in Active Directory.
With an Outlook client, you can turn off e-mail matching for certificates via a client-side registry key. Complete steps for the Outlook client are documented here: http://support.microsoft.com/kb/276597.
For more information on managing S/MIME settings for OWA, see the following topics from TechNet online.
How to Manage S/MIME for Outlook Web Access (Exchange Server 2007)
Manage S/MIME for Outlook Web App (Exchange Server 2010)
(http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
Article ID: 2497165 - Last Review: January 25, 2011 - Revision: 4.0