S/MIME Autoenrollment and Automatic Outlook Configurations
Hello, I hope this is the right forum for posting this message. I just finished deploying an AD CS (Active Directory Certificate Services) in my organization in order to create S/MIME certificates for all users, to allow them to sign and encrypt emails. I'm using Windows 2008 Enterprise Edition and Exchange 2007. All users have Outlook 2007 on their workstations. I duplicated the User certificate template, configured Autoenrollment for users and the appropriate GPO as well, and users are getting their certificates correctly. I do have other questions:

1. The User template includes more than just digitally signing and encrypting emails (EFS, for example). Is there any other template that I can duplicate that does only signing and encryption of emails?

2. After each user got his new certificate, I still need to go to the Outlook of each user in order to configure it under Options -> Trust Center and mark "Digitally sign" and "Encrypt" for all outgoing emails. Is there a way to do it by script or GPO (ADM)?

3. Under the Outlook Trust Center settings, there is an option to "Publish to GAL". Although I'm performing Autoenrollment, and each user got his certificate in Active Directory, I still can't send a new encrypted email to someone before he sends me a digitally signed email and I reply to it. Is there another way to do it, or to perform the "Publish to GAL" by a script?

Best Regards, Ploni.
January 26th, 2009 2:22pm

Hi Ploni,

1) The User certificate template is definitely not the best choice for email encryption and signing. First of all, I recommend using separate email encryption and signing certificates. If you combine them (and archive the encryption certificate), then it is possible to recover a signing certificate (allowing impersonation). I would recommend duplicating the following certificate templates: Signing = Exchange Signature Only; Encryption = Exchange User. For each, enable autoenrollment for your target global or universal group. Ensure that you have only enabled E-mail name as a SAN.

2) The user will have to go into the Trust Center once and once only. Outlook will automatically choose the correct certificates for signing and encryption (as long as you use my recommendations above and only issue one certificate of each type to each user). Also ensure that no other certificates, like User or a copy of User, are deployed. Otherwise, they need to carefully choose the correct certificates.

3) There is no need to publish to the GAL as long as you enabled the Publish certificate in Active Directory option in the encryption certificate template. Investigate the user's userCertificate attribute. This is the attribute that contains the user's certificate. The Publish To GAL button is a throwback to Exchange 5.x, when user S/MIME certificates (if X.509v3) were signed in a PKCS#7 envelope and published to the userSMIMECertificate attribute (to prove that they had an X.509v3, not an X.509v1, certificate issued by KMS).

Brian
January 27th, 2009 12:31am

Hi Brian, In regards to your answer to #3 - In my experience, even if I've selected "Publish Certificate in Active Directory" in the template and have had users autoenroll against that template, when I check their AD profiles, I see that neither "userCertificate" nor "userSMIMECertificate" exists. If I have the user manually select their cert in Outlook and click "Publish to GAL", then the "userSMIMECertificate" attribute appears in their profile and is populated with the cert thumbprint. "userCertificate" remains unpopulated. Does that sound strange? In my environment, we have Exchange 2003 and Win2K3 domain controllers.
July 26th, 2010 10:25pm

On Mon, 26 Jul 2010 19:25:08 +0000, Mike Bruno wrote:

Hi Brian, In regards to your answer to #3 - In my experience, even if I've selected "Publish Certificate in Active Directory" in the template and have had users autoenroll against that template, when I check their AD profiles, I see that neither "userCertificate" nor "userSMIMECertificate" exists. If I have the user manually select their cert in Outlook and click "Publish to GAL", then the "userSMIMECertificate" attribute appears in their profile and is populated with the cert thumbprint. "userCertificate" remains unpopulated. Does that sound strange? In my environment, we have Exchange 2003 and Win2K3 domain controllers.

You need to look at the event log on your CA(s) and check for errors regarding publishing to AD. The CA should definitely be able to publish to AD. Can you describe your AD infrastructure and PKI deployment a little bit? Are your CA(s) members of the Cert Publishers group in the domain that contains your user accounts?

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
July 26th, 2010 10:31pm

Paul, Thanks, I think I answered my own question yesterday. The CA was not in the cert publishers group in the domain where the user accounts live. Once the EA takes care of that for me, I think I'll be in good shape. Luckily, we haven't enrolled many users yet. This is an easy one that I should have caught :(
July 27th, 2010 3:31pm
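An audit script for the two checks raised above (Brian's advice to inspect the userCertificate attribute, and Paul's question about Cert Publishers membership). This is an added example, not code from any poster; it assumes the ActiveDirectory RSAT module, and the CA name and target group are placeholders to replace with your own.

```powershell
# Added audit script (not from the thread). Checks (1) that the CA computer account is in
# Cert Publishers, so it can write userCertificate, and (2) what each autoenrolled user
# actually has in userCertificate / userSMIMECertificate.
# Assumes the ActiveDirectory module and read access to the user domain.
param(
    [string]$CaComputerName = 'CA01',        # placeholder: your CA's computer account name
    [string]$TargetGroup    = 'SMIME-Users'  # placeholder: group the templates autoenroll
)
Import-Module ActiveDirectory

# 1. Cert Publishers membership in the domain that holds the user accounts
$publishers = Get-ADGroupMember -Identity 'Cert Publishers' | Select-Object -ExpandProperty Name
if ($publishers -notcontains $CaComputerName) {
    Write-Warning "$CaComputerName is not in Cert Publishers; it cannot publish to userCertificate."
}

# id-kp-emailProtection: the Secure Email EKU both Exchange templates carry
$secureEmailOid = '1.3.6.1.5.5.7.3.4'

# 2. Decode every published certificate and report what it is good for
Get-ADGroupMember -Identity $TargetGroup -Recursive |
  Where-Object objectClass -eq 'user' |
  Get-ADUser -Properties userCertificate, userSMIMECertificate |
  ForEach-Object {
    $user  = $_
    $blobs = @($user.userCertificate)
    # userSMIMECertificate is only filled by Outlook's "Publish to GAL", not by the CA
    $gal   = ($user.userSMIMECertificate.Count -gt 0)
    if ($blobs.Count -eq 0) {
        # Autoenrollment may have succeeded on the client while the CA failed to write to AD
        [pscustomobject]@{ User=$user.SamAccountName; Subject='<none>'; SecureEmail=$false
                           KeyUsage=''; Expires=$null; PublishedToGal=$gal }
        return
    }
    foreach ($blob in $blobs) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$blob)
        $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ku   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        [pscustomobject]@{
            User           = $user.SamAccountName
            Subject        = $cert.Subject
            # Secure Email EKU -> usable for S/MIME at all
            SecureEmail    = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $secureEmailOid)
            # DigitalSignature = Exchange Signature Only; KeyEncipherment = Exchange User (encryption)
            KeyUsage       = $(if ($ku) { $ku.KeyUsages.ToString() } else { '' })
            Expires        = $cert.NotAfter
            PublishedToGal = $gal
        }
    }
  } | Format-Table -AutoSize
```

A user with both a DigitalSignature-only and a KeyEncipherment-only row is enrolled the way Brian describes; a row showing both flags on one certificate means a combined (User-style) template is still in use.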

Hello Brian, I am working on an Outlook S/MIME test too. May I ask you some questions? I duplicated the "Exchange User" template for email encryption and "Exchange Signature Only" for email signing. Are these two templates available for manual enrollment, like the MMC snap-in and web enrollment? I ask because I didn't see them in either the "Computer Certificate" or "User Certificate" choice list. Is there any method to manually enroll them? And how? Thank you, Jian Wang
November 3rd, 2010 5:35pm
