Outlook Web App and S/MIME

Applies to: Exchange Server 2010

Topic Last Modified: 2009-10-14

S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. With S/MIME, users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.


In this topic:

  • Supporting S/MIME
  • Requirements to Support S/MIME in Outlook Web App
  • Using S/MIME in Outlook Web App
  • Feature Additions and Limitations with S/MIME
  • For More Information

Supporting S/MIME

To support S/MIME in your Exchange organization, you must build a public key infrastructure (PKI).

A PKI is a system of digital certificates, certification authorities (CAs), and registration authorities (RAs) that verify and authenticate the validity of each party that is involved in an electronic transaction by using public key cryptography. When you implement a CA in an organization that uses Active Directory, you provide an infrastructure for certificate life-cycle management, renewal, trust management, and revocation. However, there is some additional cost involved in deploying servers and infrastructure to create and manage Microsoft Windows PKI-generated certificates.

Certificate Services is required to deploy a Windows PKI and can be installed through Add or Remove Programs in Control Panel. You can install Certificate Services on any server in the domain.

If you obtain certificates from a domain-joined Windows CA, you can use the CA to request or sign certificates to issue to the servers or computers on your network. This gives you a PKI that resembles a third-party certificate vendor but is less expensive. Although these PKI certificates cannot be deployed publicly, as other types of certificates can be, when the PKI CA signs the requestor's certificate with its private key, the requestor is verified. The public key of the CA is part of the CA's certificate. A server that has that CA certificate in its trusted root certificate store can use the public key to verify the CA's signature on the requestor's certificate and so authenticate the requestor.

A PKI enables organizations to publish their own certificates. Clients can request and receive certificates from a PKI on the internal network. The PKI can renew or revoke certificates.

Requirements to Support S/MIME in Outlook Web App

S/MIME requires that users sign in to Outlook Web App using Microsoft Internet Explorer 7 or Internet Explorer 8. S/MIME also requires that the /owa virtual directory use Secure Sockets Layer (SSL). S/MIME is not supported in Outlook Web App Light.

Users must have a digital ID and must install the S/MIME control for Outlook Web App before they can send encrypted and digitally-signed messages using Outlook Web App. They must also have a digital ID and the S/MIME control to read encrypted messages in Outlook Web App. The S/MIME control is necessary to verify the signature on a digitally-signed message.

Using S/MIME in Outlook Web App

The S/MIME control for Outlook Web App is installed on a user's computer by using the S/MIME tab in Options. After the user has received a digital ID and the S/MIME control has been installed on the user's computer, the user can use S/MIME to help secure e-mail messages.

Feature Additions and Limitations with S/MIME

When they use S/MIME, users gain additional features that are not otherwise available in Outlook Web App. These features include the ability to do the following:

  • Attach messages to messages
  • Paste images in messages
  • Attach files by using a simpler UI that lets users attach multiple files in a single operation.

When they use S/MIME, users also encounter the following limitations:

  • WebReady Document Viewing only works in clear-signed messages. It does not work in encrypted messages or in opaque-signed messages.
  • When some content types are sent from Outlook as S/MIME messages, they cannot be displayed in Outlook Web App. Outlook Web App displays a banner in the message header when this happens.
  • Most S/MIME features are not available when a user opens a folder in another mailbox or uses explicit sign-in to open another user's mailbox. The only S/MIME feature that is available in those cases is verification of digital signatures.
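Two points on this page can be made concrete in code: the PKI description earlier (the CA signs the requestor's certificate with its private key, and a server holding the CA certificate in its trusted root store uses the CA public key to authenticate the requestor), and the clear-signed versus opaque-signed distinction behind the WebReady Document Viewing limitation. The following Python example is added here; it is not code from this documentation or from Microsoft, and it relies on the third-party `cryptography` package rather than on Windows Certificate Services. The CA name, the address `alice@contoso.example` and the message body are constructed for the example.

```python
"""Added example, not code from the Exchange documentation or from Microsoft.
Builds a throwaway PKI in memory with the `cryptography` package and uses it for
S/MIME signing, to show (1) how a relying party authenticates a user's certificate
with only the CA public key held in its trusted root store and (2) why a clear-signed
body stays readable to a server-side viewer while an opaque-signed body does not.
The CA name, address and message body below are constructed for the example."""
import datetime
import email
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _validity():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=365)


def make_ca(common_name):
    """Self-signed CA certificate: the trust anchor a relying party keeps in its root store."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_email_cert(ca_key, ca_cert, address):
    """The CA signs the requestor's certificate with its private key; the result is the user's digital ID."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    not_before, not_after = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, address)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(address)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def issued_by_trusted_root(cert, trusted_roots):
    """Relying-party check: a matching issuer name is not enough; a root's public key must verify the signature.
    Revocation (CRL/OCSP) is a separate check that this function does not perform."""
    for root in trusted_roots:
        if cert.issuer != root.subject:
            continue
        try:
            root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), cert.signature_hash_algorithm)
            return True
        except InvalidSignature:
            continue
    return False


def smime_sign(cert, key, body, clear_signed):
    """clear_signed=True -> multipart/signed (body in the clear + detached signature);
    clear_signed=False -> application/pkcs7-mime (body and signature wrapped together in base64 CMS)."""
    options = [pkcs7.PKCS7Options.Text, pkcs7.PKCS7Options.DetachedSignature] if clear_signed else []
    return (
        pkcs7.PKCS7SignatureBuilder()
        .set_data(body)
        .add_signer(cert, key, hashes.SHA256())
        .sign(serialization.Encoding.SMIME, options)
    )


def readable_body(message):
    """What a server-side viewer sees without S/MIME support: the text part of a clear-signed message, else None."""
    msg = email.message_from_bytes(message)
    if msg.get_content_type() == "multipart/signed":
        return msg.get_payload(0).get_payload(decode=True)
    return None


if __name__ == "__main__":
    ca_key, ca_cert = make_ca("Contoso Issuing CA (example)")
    user_key, user_cert = issue_email_cert(ca_key, ca_cert, "alice@contoso.example")
    body = b"Quarterly numbers attached."
    print("clear-signed body:", readable_body(smime_sign(user_cert, user_key, body, True)))
    print("opaque-signed body:", readable_body(smime_sign(user_cert, user_key, body, False)))
```

The relying party in `issued_by_trusted_root` never needs the CA private key: the CA certificate in the trusted root store carries the public key, and that alone verifies the signature on the user's certificate, which is why a second CA with the same name but a different key is rejected. For the message side, only the clear-signed output is `multipart/signed` with the body as a plain text part; the opaque-signed output is a single base64 CMS blob, so a viewer that does not unwrap S/MIME, as WebReady Document Viewing does not, has nothing to render. Revocation checking is deliberately left out of the example.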