Outlook Web Access S/MIME Control-Related Settings


Registry Keys

This topic contains information about registry settings that can be used to configure Microsoft® Office Outlook® Web Access clients using the Secure/Multipurpose Internet Mail Extensions (S/MIME) control. These settings are applied on the Exchange server that contains the user's inbox. In a front-end and back-end architecture, this server will be the back-end server. All registry keys are added under the key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeWeb\OWA\

This key does not exist by default and must be added before adding additional registry keys. To add registry keys, you must use an account that is a member of the system's Local Administrators group. Except where noted in the specific key, the registry change takes effect within one minute of being made.

Note

Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

CheckCRL (DWord)

By default (when CheckCRL is set to false), if a certificate revocation list (CRL) distribution point in a sender's certificate chain is inaccessible during revocation verification when sending signed or encrypted e-mail messages, Outlook Web Access displays a warning dialog box that the certificate cannot be verified but allows the e-mail message to be sent.

When this key is set to true, Outlook Web Access displays a warning dialog box that the certificate cannot be verified and prevents the e-mail message from being sent.

  • Default = 0 (False)

  • Other = 1 (True)

DLExpansionTimeout (DWord)

The DLExpansionTimeout value controls the time-out period, in milliseconds, for expanding an Active Directory® directory service distribution list when sending encrypted e-mail messages.

When a user sends encrypted e-mail messages to a distribution list, Outlook Web Access must expand the membership of the distribution list to retrieve the encryption certificate of each individual recipient for use in the encryption operation. The time this operation requires varies depending on the size of the distribution list and the performance of the underlying Active Directory infrastructure. While the distribution list is being expanded, the sender receives no response from Outlook Web Access. This time-out value specifies how long Outlook Web Access will wait for the full distribution list to be expanded. If the operation is not completed in the time specified by this value, the operation fails and the e-mail message is not sent. This time-out value is applied on a per-distribution list basis. If an e-mail message is sent to multiple distribution lists, this time-out value applies sequentially to each distribution list. For example, if an e-mail message is sent to three distribution lists and there is a time-out value of 60 seconds for each distribution list, the entire operation can take no more than 180 seconds.

This setting also interacts with the global and per-user Recipient Limits, which are discussed later in this topic. Where the DLExpansionTimeout value provides a per-distribution list limit, the Recipient Limits settings provide a limit to the total number of recipients whose encryption certificates Outlook Web Access will retrieve from Active Directory for each e-mail message.

Using the previous example, if the global Recipient Limit is 500 recipients, each distribution list will be expanded in sequence. If any individual distribution list expansion exceeds the time-out, the operation fails. In addition, if the total number of recipients across all distribution lists exceeds the Recipient Limits, the operation fails and the e-mail message is not sent.

  • Default: 60000 (60 seconds)

  • Minimum: 0 (disables sending encrypted e-mail messages to distribution lists)

  • Maximum: 2147483647 (no time-out, Outlook Web Access will wait until the distribution list is expanded no matter how long this takes)

CertMatchingDoNotUseProxies (DWord)

Outlook Web Access attempts to find the correct certificate in Active Directory for a recipient when sending encrypted e-mail messages. The certificate subject or subject alternative name values can each contain a Simple Mail Transfer Protocol (SMTP) address as one of their values. Because a recipient can have multiple SMTP proxy addresses in the directory, the certificate's subject or subject alternative name may not match the primary SMTP address; instead it may match one of the proxy addresses. When you set the CertMatchingDoNotUseProxies key to true, if the certificate subject or subject alternative name values do not match the primary SMTP address, Outlook Web Access will not try to match the certificate's subject to the SMTP proxy addresses.

  • Default = 0 (False)

  • Other = 1 (True)

RevocationURLRetrievalTimeout (DWord)

The RevocationURLRetrievalTimeout key specifies the time, in milliseconds, that Outlook Web Access will wait when connecting to retrieve a single CRL as part of a certificate validation operation.

Validating a certificate requires retrieving the CRL of the certification authority (CA) from the CRL distribution point that is specified within the certificate. This operation must be performed for each certificate in the complete certificate chain.

This key specifies how long Outlook Web Access should wait when connecting to retrieve a single CRL. When multiple CRLs must be retrieved, this key applies individually to each connection. For example, if three CRLs must be retrieved and the time-out value is set to 60 seconds, each CRL retrieval operation will have a time-out value of 60 seconds. If the CRL is not retrieved before the time-out value specified, the operation fails.

  • Default: 60000 (60 seconds)

  • Minimum: 5000 (5 seconds)

  • Maximum: 600000 (10 minutes)

CertURLRetrievalTimeout (DWord)

The CertURLRetrievalTimeout key is similar to RevocationURLRetrievalTimeout but specifies the time, in milliseconds, that Outlook Web Access will wait when connecting to retrieve all CRLs when validating a certificate. If all CRLs are not retrieved before the time-out value specified, the operation fails.

When setting this value, keep in mind that in a certificate validation operation, RevocationURLRetrievalTimeout applies to each individual CRL retrieval and CertURLRetrievalTimeout applies to the overall operation of all CRL retrievals. For example, if three CRLs must be retrieved, RevocationURLRetrievalTimeout is set to 60 seconds, and CertURLRetrievalTimeout is set to 120 seconds, each individual CRL retrieval has a time-out value of 60 seconds and the overall operation has a time-out value of 120 seconds. In this example, if any individual CRL retrieval takes more than 60 seconds, the operation fails. Also, if all of the CRL retrievals together take more than 120 seconds, the operation fails.

  • Default: 60000 (60 seconds)

  • Minimum: 0

  • Maximum: 600000 (10 minutes)

DisableCRLCheck (DWord)

When DisableCRLCheck is set to true, this key disables checking CRLs when validating certificates. Disabling CRL checking can reduce the time needed to validate the signatures of signed e-mail messages, but it also shows e-mail messages signed with revoked certificates as valid rather than invalid.

  • Default = 0 (False)

  • Other = 1 (True)

AlwaysSign (DWord)

When AlwaysSign is set to true, this key forces users to sign e-mail messages when using Outlook Web Access with the S/MIME control. Also, the E-mail Security section of the Options page displays the Add a digital signature to outgoing messages option as selected.

  • Default = 0 (False)

  • Other = 1 (True)

AlwaysEncrypt (DWord)

When AlwaysEncrypt is set to true, this key forces users to encrypt e-mail messages when using Outlook Web Access with the S/MIME control. Also, the E-mail Security section of the Options page displays the Encrypt contents and attachments for outgoing messages option as selected.

  • Default = 0 (False)

  • Other = 1 (True)

ClearSign (DWord)

When ClearSign is set to true, this key forces any signed e-mail message sent by Outlook Web Access to be clear signed. The default setting for this key is true. Setting this value to false causes Outlook Web Access to use an opaque signature. The advantage of clear-signed e-mail messages is that they can be opened and read with most e-mail clients, including clients that do not support S/MIME.

  • Default = 1 (True)

  • Other = 0 (False)

SecurityFlags (DWord)

The SecurityFlags key is a bitmask used to enable or disable features of Outlook Web Access S/MIME. Setting the key to the value listed for a feature enables that feature. To enable more than one feature, add together the values of the features you want to enable and enter the sum in the key. For example, to have Outlook Web Access with the S/MIME control include the certificate chain without the root certificate (0x001) and only include the signing certificate (0x008), add the two values together (0x001 + 0x008) and enter the sum (0x009). The following table lists the values you can set on the SecurityFlags key.

By default, all these features are disabled.

SecurityFlags values and descriptions

Value   Description

0x001   Include certificate chain without root certificate. The default behavior of Outlook Web Access is to include only the signing and encrypting certificates, not their corresponding certificate chains, when sending signed or encrypted e-mail messages. This option may be necessary for interoperating with other clients in environments where intermediate certification authorities (CAs) cannot be reached by using the authority information access attribute or by having the intermediate CA trusted in the Computer account of the Exchange back-end server. This setting includes the full certificate chain except for the root certificate.

        This setting increases the signed and encrypted message size.

0x002   Include certificate chain and root certificate. This setting is similar to the Include certificate chain without root certificate setting, but also includes the root certificate in addition to the full certificate chain. Some e-mail clients require the full certificate chain and root certificate to be able to validate certificates correctly. This setting increases the signed and encrypted message size more than the 0x001 (Include certificate chain without root certificate) setting.

0x004   Do not encrypt temporary buffers. By default, all client-side temporary buffers used to store message data are encrypted using an ephemeral key and the 3DES algorithm. This setting disables that feature. Disabling encryption of the buffers can increase performance of the Outlook Web Access client but also leaves information unencrypted in the local system's buffer. Consult your security policy before disabling this feature.

0x008   Only include signing certificate with signed e-mail. By default, Outlook Web Access with the S/MIME control includes both signing and encrypting certificates with signed e-mail messages. When you enable this setting, the size of messages sent from Outlook Web Access with the S/MIME control decreases. However, recipients do not have access to the sender's encryption certificate in the received message and have to obtain that certificate in another way, either by retrieving it from a directory (the preferred method where possible) or by obtaining it from the sender.

0x040   Separate single messages for visible recipients and invisible recipients. By default, Outlook Web Access with the S/MIME control submits a single encrypted message for all visible recipients (those on the To and Cc lines) and a separate encrypted message for each invisible recipient (those on the Bcc line). This method allows each message sent to an invisible recipient to be handled separately from the message sent to visible recipients or other invisible recipients. For example, if a message was sent to one recipient on the To line, two recipients on the Cc line and three recipients on the Bcc line, four separate messages would be submitted: one for all the recipients on the To and Cc lines combined and one individually for each recipient on the Bcc line.

        By enabling this setting, one encrypted message is submitted for all visible recipients (those on the To and Cc lines) and another single, encrypted message for all invisible recipients (those on the Bcc line). This setting allows a message sent to invisible recipients to be handled separately from the message sent to visible recipients. In the example, with this setting enabled, two separate messages would be submitted: one for all the recipients on the To and Cc lines and one for all the recipients on the Bcc line.

        This setting improves performance in comparison with the default setting, but it changes the security and privacy behavior of Outlook Web Access. Consult your organization's security policy before enabling this setting.

0x080   Single encrypted message for all recipients. This value is similar to Separate single messages for visible recipients and invisible recipients. However, when this setting is enabled, Outlook Web Access submits a single encrypted message for all recipients of an encrypted message. Using the example from Separate single messages for visible recipients and invisible recipients, only one message would be submitted for all the recipients on the To, Cc, and Bcc lines.

        This setting improves performance in comparison with the default setting, but it changes the security and privacy behavior of Outlook Web Access. Consult your organization's security policy before enabling this setting.

0x100   Include S/MIME capabilities in message. When this setting is enabled, Outlook Web Access adds attributes to the signed and encrypted messages it sends indicating which encryption and signing algorithms and key lengths are supported. Enabling this option increases the size of messages, but can make it easier for some e-mail clients to interoperate with Outlook Web Access.

0x200   Copy recipient headers. When enabled, this option places a copy of the From, To, and Cc recipient headers in the signed portion of the message. Including this information allows the recipient to verify that these headers have not been tampered with while the message was in transit. Enabling this feature increases the message size.
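To put the bitmask arithmetic into practice, here is an added PowerShell example (not part of the original topic) that composes a SecurityFlags value from feature names and decodes a value read from a server, calling out the bits whose descriptions say to consult your security policy. The feature names, the function names and the 0x0CD sample value are this example's own; the bit values come from the table above.

```powershell
# Bit values from the SecurityFlags table; the feature names are this example's own.
$OwaSecurityFlags = [ordered]@{
    IncludeChainWithoutRoot    = 0x001
    IncludeChainAndRoot        = 0x002
    DoNotEncryptBuffers        = 0x004
    OnlySigningCertificate     = 0x008
    SeparateVisibleInvisible   = 0x040
    SingleMessageAllRecipients = 0x080
    IncludeSmimeCapabilities   = 0x100
    CopyRecipientHeaders       = 0x200
}

# Bits whose table entries say to consult your security policy before enabling them.
$PolicyReviewFlags = 'DoNotEncryptBuffers', 'SeparateVisibleInvisible', 'SingleMessageAllRecipients'

function ConvertTo-OwaSecurityFlags {
    # Sum the listed features into the DWord value to store in SecurityFlags.
    param([Parameter(Mandatory)][string[]]$Feature)
    $value = 0
    foreach ($f in $Feature) {
        if (-not $OwaSecurityFlags.Contains($f)) { throw "Unknown SecurityFlags feature: $f" }
        $value = $value -bor $OwaSecurityFlags[$f]
    }
    return $value
}

function ConvertFrom-OwaSecurityFlags {
    # Expand a stored value into the features it enables, marking policy-review bits.
    param([Parameter(Mandatory)][int]$Value)
    $documented = 0
    $features = foreach ($entry in $OwaSecurityFlags.GetEnumerator()) {
        $documented = $documented -bor $entry.Value
        if ($Value -band $entry.Value) {
            [pscustomobject]@{
                Bit          = '0x{0:X3}' -f $entry.Value
                Feature      = $entry.Key
                PolicyReview = $PolicyReviewFlags -contains $entry.Key
            }
        }
    }
    $unknown = $Value -band (-bnot $documented)
    if ($unknown) { Write-Warning ('Bits not documented for SecurityFlags: 0x{0:X3}' -f $unknown) }
    return $features
}

# The example from the text: chain without root (0x001) + signing certificate only (0x008).
$flags = ConvertTo-OwaSecurityFlags -Feature IncludeChainWithoutRoot, OnlySigningCertificate
'SecurityFlags = 0x{0:X3} ({0})' -f $flags

# Audit a constructed sample value, as you would one read from a server with
# (Get-ItemProperty -Path $owaKey).SecurityFlags; 0x0CD sets 0x001, 0x004, 0x008, 0x040 and 0x080.
ConvertFrom-OwaSecurityFlags -Value 0x0CD | Format-Table -AutoSize

# To write the value on the back-end server (run as a member of the local Administrators group;
# the OWA key does not exist by default, so create it first):
# $owaKey = 'HKLM:\System\CurrentControlSet\Services\MSExchangeWeb\OWA'
# New-Item -Path $owaKey -Force | Out-Null
# New-ItemProperty -Path $owaKey -Name SecurityFlags -PropertyType DWord -Value $flags -Force
```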

SmartCardOnly (DWord)

When SmartCardOnly is set to true, this key forces the use of smart card-based certificates for signing and decryption when using Outlook Web Access with the S/MIME control. Users cannot use certificates that are not on a smart card.

  • Default = 0 (False)

  • Other = 1 (True)

TripleWrap (DWord)

When the TripleWrap key is set to true, encrypted e-mail messages that are signed are triple wrapped. That is, the signed message is encrypted, and then the encrypted message is signed (Signed-Encrypted-Signed). When set to false, the signed message is encrypted only (there is no additional signing of the encrypted message). By default, this key is set to true. Triple-wrapped messages afford the highest level of security for signed and encrypted e-mail messages under the S/MIME standard but are larger in size.

  • Default = 1 (True)

  • Other = 0 (False)

EncryptionAlgorithms (Reg_SZ)

The EncryptionAlgorithms key holds a semicolon-separated list that represents the symmetric encryption algorithms to use when encrypting messages using Outlook Web Access with the S/MIME control. In addition, the object identifier (also known as OID) of the cryptographic service provider (CSP), when using third-party CSPs, can be specified. When using an algorithm that offers multiple key lengths, you must specify the key length. RC2 is the only algorithm that Outlook Web Access provides that offers multiple key lengths.

By default, Outlook Web Access uses 3DES and RC2-128. If the encryption algorithm or minimum key length is not available on a given client, Outlook Web Access does not allow encryption. The following table describes the encryption algorithms, their algorithm IDs, and the supported key lengths for each.

  • Format: {Algorithm ID}[:key length to use]|[,OID of cryptographic service provider that supports Algorithm ID]; {Algorithm ID}[:key length to use]|[,OID of cryptographic service provider that supports Algorithm ID]

Algorithms, algorithm IDs, and key lengths

Algorithm   Algorithm ID   Key lengths
RC2         6602           40, 56, 64, 128
DES         6601           56 (fixed key length)
3DES        6603           168 (fixed key length)

Each desired key length requires a separate entry. For example, to support 40-bit RC2, and 56-bit RC2, the EncryptionAlgorithms value will be: 6602:56;6602:40.

The values of the registry key should be listed from the longest key length to the shortest because the order reflects priority of use. For example, to list 3DES, RC2-128, RC2-64, DES, RC2-56, and RC2-40, type the value in the following way:

6603;6602:128;6602:64;6601;6602:56;6602:40

  • Defaults: 6603 (3DES); 6602:128 (RC2-128)
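As an added example that is not part of the original topic, the following PowerShell function parses an EncryptionAlgorithms value in the format above, validates each entry against the algorithm table (including the rule that RC2 must carry a key length), and warns when the list is not in longest-to-shortest order or admits algorithms weaker than the 3DES and RC2-128 defaults. The function name and the warning texts are this example's own.

```powershell
# Algorithm IDs and key lengths from the table above; the structure is this example's own.
$OwaEncryptionAlgorithms = @{
    '6602' = @{ Name = 'RC2';  KeyLengths = 40, 56, 64, 128 }
    '6601' = @{ Name = 'DES';  KeyLengths = ,56 }
    '6603' = @{ Name = '3DES'; KeyLengths = ,168 }
}

function Test-OwaEncryptionAlgorithms {
    # Parse "{Algorithm ID}[:key length][,CSP OID];..." and return one object per entry.
    param([Parameter(Mandatory)][string]$Value)
    $entries = @(foreach ($item in ($Value -split ';' | Where-Object { $_ -ne '' })) {
        $algPart, $oid = $item -split ',', 2      # optional CSP OID after a comma
        $id, $keyLen   = $algPart -split ':', 2   # optional key length after a colon
        $alg = $OwaEncryptionAlgorithms[$id]
        if (-not $alg) { throw "Unknown algorithm ID '$id' in entry '$item'" }
        if ($alg.KeyLengths.Count -gt 1 -and -not $keyLen) {
            throw "$($alg.Name) offers several key lengths; entry '$item' must specify one"
        }
        $bits = if ($keyLen) { [int]$keyLen } else { $alg.KeyLengths[0] }
        if ($alg.KeyLengths -notcontains $bits) {
            throw "$($alg.Name) does not offer a $($bits)-bit key (entry '$item')"
        }
        [pscustomobject]@{ Entry = $item; Algorithm = $alg.Name; KeyLength = $bits; CspOid = $oid }
    })
    # Order reflects priority of use, so a longer key listed after a shorter one is a mistake.
    for ($i = 1; $i -lt $entries.Count; $i++) {
        if ($entries[$i].KeyLength -gt $entries[$i - 1].KeyLength) {
            Write-Warning "Entry '$($entries[$i].Entry)' is listed after a shorter key; move it earlier"
        }
    }
    # Anything below the defaults (3DES, RC2-128) lets a client negotiate a weaker cipher.
    foreach ($e in $entries | Where-Object { $_.KeyLength -lt 128 }) {
        Write-Warning "$($e.Algorithm)-$($e.KeyLength) is weaker than the defaults (3DES, RC2-128)"
    }
    return $entries
}

# The priority-ordered example from the text: four of the six entries draw a weakness warning.
Test-OwaEncryptionAlgorithms -Value '6603;6602:128;6602:64;6601;6602:56;6602:40' | Format-Table -AutoSize

# The defaults only: no warnings.
Test-OwaEncryptionAlgorithms -Value '6603;6602:128' | Format-Table -AutoSize
```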

DefaultSigningAlgorithm (Reg_SZ)

The DefaultSigningAlgorithm key specifies the signing algorithm to use when signing messages using Outlook Web Access with the S/MIME control. The following table describes the signing algorithms, their algorithm IDs, and the supported key lengths for each.

  • Format: {Algorithm ID}

Algorithms, algorithm IDs, and key lengths

Algorithm   Algorithm ID   Key lengths
SHA-1       8004           160 (fixed key length)
MD5         8003           128 (fixed key length)

  • Default: 8004 (SHA-1)

UseKeyIdentifier (DWord)

By default, when encrypting e-mail messages, Outlook Web Access encodes the asymmetrically encrypted token (sometimes called a lockbox) that is necessary to decrypt the rest of the message by indicating the issuer and serial number of each recipient's certificate. The issuer and serial number can then be used to locate the certificate and private key for decrypting the message.

An alternative way to locate the certificate and private key for decrypting the message is to use a certificate's key identifier when encoding the asymmetrically encrypted token. Because a key pair can be reused in new certificates, using the key identifier for encrypted e-mail messages provides a benefit because users need to keep only the most recent certificate and associated private key, rather than all old certificates, which can be matched only by issuer and serial number.

Because some e-mail clients do not support finding certificates with a key identifier, Outlook Web Access by default uses the issuer and serial number of each recipient's certificate. However, enabling the UseKeyIdentifier key can make it easier to manage encrypted messages by eliminating the need for users to keep old, expired certificates on their system.

  • Default = 0 (False)

  • Other = 1 (True)

Active Directory-Based Settings

This section contains information about Active Directory-based settings that can be used to configure the behavior of Outlook Web Access clients using the Secure/Multipurpose Internet Mail Extensions (S/MIME) control.

Recipient Limits

Recipient Limits are stored in Active Directory and limit the number of recipients whose encryption certificates Outlook Web Access will retrieve from Active Directory for each e-mail message sent. These settings interact with the DLExpansionTimeout registry key. For more information about the DLExpansionTimeout registry key, see "DLExpansionTimeout (DWord)" earlier in this topic.

Recipient Limits are set both on the global organization and on a per-user basis. The per-user setting has precedence and will override the global setting. For detailed steps, see