Supporting Outlook in Your PKI
Topic Last Modified: 2005-12-14
This topic discusses the following areas of concern for the PKI administrator:
- Offline address book
- Publish to GAL button
- Get a Digital ID button
- Other Outlook considerations
The offline address book is relevant to the PKI administrator because it replaces the Microsoft Active Directory® directory service when Outlook is used offline. The offline address book is responsible for making other users' digital certificates for e-mail available to users when they are working offline. By default, the offline address book includes all valid digital certificates for e-mail that the user would have access to if they were contacting Active Directory: it includes every certificate that can be used for e-mail and omits expired or invalid certificates. By default, therefore, the offline address book provides the same S/MIME capabilities that Active Directory provides. Because including certificates increases the size of the offline address book and can increase download times, some administrators may want to change the default behavior.
For more information about the offline address book and the e-mail client administrator, see Outlook Clients (MAPI-Based).
The Publish to GAL button can be found on the Security tab of the Options dialog box. When a user clicks this button, Outlook publishes the user's certificates that are used for secure e-mail from the Personal certificates folder, in PKCS #7 format, to the userSMIMECertificate attribute of the user's object in Active Directory. It also publishes the user's ExchangeUser certificates, in DER-encoded format, to the userCertificate attribute of the user's object in Active Directory.
This button is intended to enable users to publish certificates to the corporate directory that they may have obtained from other sources. This publishing can bypass the processes established for handling digital certificates in your organization. In addition, an administrator can add a certificate to the userCertificate attribute, using the Published Certificates tab in Active Directory Users and Computers, without adding the same certificate to the userSMIMECertificate attribute. Problems can develop when different e-mail clients use different certificates for the same user. For more information, see Different certificates used when using Outlook and Outlook Web Access with S/MIME control. You may want to request that the Outlook administrator disable this button. If you are using a Windows-based CA for your PKI, it is recommended that you disable this button because of the possibility of mismatched certificates.
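The mismatch described above is detectable from the directory itself: userCertificate holds each certificate as raw DER, while userSMIMECertificate holds a PKCS #7 blob that wraps certificates, so an audit has to unwrap the PKCS #7 structure before it can compare the two attributes. The following script is an added example, not part of this topic and not Outlook or Exchange code. It assumes the administrator has already retrieved the attribute values for a user (for example over LDAP) and passes them in as bytes; the PKCS #7 builder and parser are minimal and handle only the degenerate certs-only SignedData shape, and the sample "certificates" are constructed placeholder SEQUENCEs rather than real X.509 certificates, since the comparison only hashes the DER bytes.

```python
"""Audit helper: compare the certificates in a user's userCertificate attribute
(raw DER, one value per certificate) with those wrapped inside the
userSMIMECertificate attribute (a PKCS #7 SignedData blob)."""
import hashlib

# OID content octets, constructed from the well-known values
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 id-signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 id-data


def der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def parse_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_children(body):
    """Decode every TLV directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out


def wrap_pkcs7_certs_only(certs):
    """Build a degenerate PKCS #7 SignedData (no signers) carrying only
    certificates, the shape a userSMIMECertificate value takes."""
    signed_data = tlv(0x30,
                      tlv(0x02, b"\x01")                  # version 1
                      + tlv(0x31, b"")                    # digestAlgorithms: empty SET
                      + tlv(0x30, tlv(0x06, OID_DATA))    # contentInfo: id-data, no content
                      + tlv(0xA0, b"".join(certs))        # [0] IMPLICIT certificates
                      + tlv(0x31, b""))                   # signerInfos: empty SET
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed_data))


def certs_from_pkcs7(blob):
    """Return the DER certificates carried in a PKCS #7 SignedData blob."""
    tag, content_info, _ = parse_tlv(blob)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    (oid_tag, oid), (_, explicit) = parse_children(content_info)
    if oid_tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a PKCS #7 SignedData blob")
    _, signed_data = parse_children(explicit)[0]          # [0] EXPLICIT SignedData
    for tag, val in parse_children(signed_data):
        if tag == 0xA0:                                    # [0] IMPLICIT SET OF Certificate
            return [tlv(t, v) for t, v in parse_children(val)]
    return []


def thumbprint(der):
    """SHA-1 over the DER encoding, the value certificate viewers display."""
    return hashlib.sha1(der).hexdigest()


def audit_user(user_certificate_values, user_smime_certificate):
    """Report thumbprints present in one attribute but missing from the other."""
    in_usercert = {thumbprint(c) for c in user_certificate_values}
    in_smime = {thumbprint(c) for c in certs_from_pkcs7(user_smime_certificate)}
    return {
        "only_in_userCertificate": sorted(in_usercert - in_smime),
        "only_in_userSMIMECertificate": sorted(in_smime - in_usercert),
    }


def fake_cert(label):
    """Constructed stand-in for a DER certificate (a SEQUENCE holding a label);
    in production the values would be real X.509 certificates."""
    return tlv(0x30, tlv(0x13, label))


def sample_audit():
    """Constructed scenario: Outlook published certificate A to both attributes,
    an administrator then added certificate B through the Published Certificates
    tab, which writes userCertificate only."""
    cert_a = fake_cert(b"cert A: published by Outlook")
    cert_b = fake_cert(b"cert B: added by administrator")
    user_smime = wrap_pkcs7_certs_only([cert_a])
    return audit_user([cert_a, cert_b], user_smime), thumbprint(cert_b)


if __name__ == "__main__":
    result, _ = sample_audit()
    print(result)   # cert B is flagged under only_in_userCertificate
```

Any thumbprint listed under only_in_userCertificate is a certificate that Outlook Web Access (reading userCertificate) can pick up but Outlook's GAL lookup (reading userSMIMECertificate) cannot, which is exactly the mismatch the topic warns about.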
The Get a Digital ID button can be found on the Security tab of the Options dialog box. When the user clicks this button, Outlook opens a Web page that can be used to request a digital certificate. PKI administrators who have made a Web-based enrollment form available should request that the Outlook administrator customize this button to direct the user to that page. The enrollment page URL can be specified in the following registry key on the user's system:
This key can be set using Group Policy through the Office Resource Kit or by changing the registry directly. For more information about setting this registry key, see "Setting Consistent Outlook Cryptography Options for an Organization" in the Office 2003 Resource Kit. For information about customizing previous versions of Outlook, see previous versions of the Office Resource Kit.
Outlook enables administrators to specify several PKI-related configuration settings through policies. For example, Outlook can be configured to always sign and encrypt e-mail messages.
For information about how to change and configure these features, consult the e-mail client administrator and see: