Outlook Clients (MAPI-Based)


Microsoft Outlook provides support for S/MIME version 3 beginning with Outlook 2000 Service Release 1 (SR-1). Outlook 2000 SR-1 or later can be used to provide full S/MIME functionality in an Exchange 2003-based message security system.

Outlook provides full capabilities to integrate with any S/MIME version 3 PKI, including public PKI networks. Outlook provides all S/MIME-based message security services, including digital signatures and encryption.

Because Outlook provides S/MIME capabilities over the same connectivity as non-S/MIME e-mail messages, no special configuration is required to enable S/MIME connectivity between Outlook and Exchange.

Because Exchange supports standards-based S/MIME, the steps to enable S/MIME in Outlook for Exchange are the same as for any e-mail system. By integrating the Outlook client with PKI and ensuring connectivity to the Exchange server, you automatically enable support for S/MIME in Exchange 2003.

If you do not want to implement your own PKI, you can use Outlook with a public PKI network to enable S/MIME. For a list of public PKI providers for use with Outlook, see "Where to Get Your Digital ID" and "Digital ID." For more information about integrating with public PKI networks, see Outlook online Help and the Office Resource Kit.

One consideration for integrating Outlook with Exchange is the offline address book that provides address information to Outlook users when Active Directory® is unavailable. When performing an S/MIME operation that requires another user's digital certificate, Outlook looks in Active Directory to retrieve those certificates. When Active Directory is not available, Outlook looks in the offline address book for this information. By default, the offline address book is configured to automatically include all digital certificates that the user would have access to if Active Directory could be contacted. The offline address book includes all digital certificates that can be used for e-mail messages. The offline address book also removes certificates that are expired, invalid, or cannot be used for S/MIME, such as those used for Encrypting File System (EFS). The offline address book provides the same S/MIME capabilities that Active Directory provides.
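
The filtering described above can be approximated for individual certificates. The following PowerShell is an added example, not the offline address book's own logic and not code from the original page: Test-SmimeCandidate, New-SampleCert, and the sample subjects are hypothetical, and only the validity period and extended key usage are checked (not chain trust or revocation). It assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Standard extended key usage (EKU) object identifiers.
$EkuSecureEmail = '1.3.6.1.5.5.7.3.4'       # id-kp-emailProtection
$EkuAnyPurpose  = '2.5.29.37.0'             # anyExtendedKeyUsage
$EkuEfs         = '1.3.6.1.4.1.311.10.3.4'  # Encrypting File System

# Hypothetical helper: reports whether a certificate is within its validity
# period and whether its EKU (if present) permits e-mail protection.
function Test-SmimeCandidate {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [datetime]$Now = (Get-Date)
    )
    $reasons = @()
    if ($Now -lt $Certificate.NotBefore) { $reasons += 'not yet valid' }
    if ($Now -gt $Certificate.NotAfter)  { $reasons += 'expired' }

    # A certificate with no EKU extension is not restricted to a purpose.
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object Value)
        if ($oids -notcontains $EkuSecureEmail -and $oids -notcontains $EkuAnyPurpose) {
            $reasons += "EKU does not allow e-mail ($($oids -join ', '))"
        }
    }
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Usable  = ($reasons.Count -eq 0)
        Reasons = $reasons -join '; '
    }
}

# Constructed sample input: in-memory self-signed certificates.
# Nothing is written to a certificate store.
function New-SampleCert([string]$Subject, [string]$EkuOid, [int]$DaysValid) {
    $rsa  = [RSA]::Create(2048)
    $req  = [CertificateRequest]::new($Subject, $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    [void]$oids.Add([Oid]::new($EkuOid))
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $start = [DateTimeOffset]::Now.AddDays(-30)
    $req.CreateSelfSigned($start, $start.AddDays($DaysValid))
}

@(
    New-SampleCert 'CN=constructed-email'         $EkuSecureEmail 365
    New-SampleCert 'CN=constructed-efs-only'      $EkuEfs         365
    New-SampleCert 'CN=constructed-email-expired' $EkuSecureEmail 10
) | ForEach-Object { Test-SmimeCandidate $_ } | Format-Table -AutoSize
```

To review a user's real certificates instead of the constructed samples, pipe the items from `Cert:\CurrentUser\My` into `Test-SmimeCandidate`.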

When you deploy Outlook with a PKI, your PKI administrator may request that you make changes in your Outlook deployment to accommodate requirements for PKI. For example, these changes may include configuring Outlook to always sign and always encrypt e-mail messages.

In addition to customizing Outlook, your PKI administrator may request that you disable features related to requesting, handling, and publishing digital certificates. These features are enabled in Outlook by default. However, in some PKI environments, these features may bypass the established processes for handling digital certificates. Disabling these features can prevent problems. Specifically, you may be asked to disable the Publish to GAL option to prevent users from inappropriately publishing digital certificates to the directory. You may also be asked to customize the destination page that appears when users click the Get Digital ID button to a destination page appropriate for your organization.

For information about how to customize these settings through policies, see "Setting Consistent Outlook Cryptography Options for an Organization" in the Microsoft Office 2003 Editions Resource Kit. For information about customizing earlier versions of Outlook, see previous versions of the Office Resource Kit.

If you are using or evaluating Information Rights Management (IRM) in Outlook 2003, consider that IRM is independent of S/MIME and provides different capabilities. IRM can be used with or without S/MIME. For more information about IRM in Office 2003, see "Information Rights Management in Microsoft Office 2003."

Apart from the offline address book considerations, Outlook administrators do not need to take any specific actions to integrate with Exchange 2003 for S/MIME beyond those required to integrate Outlook with a PKI. Outlook can integrate with either public or private PKIs.