Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Smartcard-based Certificates are deleted from the local Certificate store when logging on to OWA

Smartcard-based Certificates are deleted from the local Certificate store when logging on to OWA

View products that this article applies to.

Symptoms

When you log on to Outlook Web Access (OWA), you cannot digitally sign or encrypt e-mail messages using smartcard-based Certificates.

You also find that your smartcard-based certificates are deleted from the local Certificate Store.

↑ Back to the top

Cause

When the certificates have been removed, they are not available for any messaging client.

This issue can occur if the following conditions are true:

  • On the workstation used for the OWA session, the S/MIME control for Exchange Server 2003 is installed, either alone or in addition to the S/MIME control for Exchange Server 2007 Service Pack 1.
  •  Internet Explorer is not running in "Protected Mode" for the OWA web site�s Security zone.

Scenarios in which this is likely to happen are:

  • The Exchange mailbox is homed on an Exchange Server 2003 Back-End and accessed via an Exchange Server 2007 Client Access Server.
  • The user has been migrated to a mailbox on an Exchange Server 2007 Mailbox server and has not removed the S/MIME Control for Exchange Server 2003 Add/Remove Programs.

 

↑ Back to the top

Resolution

There are two possible resolutions:

  • Remove and re-insert the Smartcard into the card reader after logging onto OWA.

    Note:  This is the expected work flow.
  • Ensure that the OWA web site is listed in a Security zone that uses Protected Mode. This is available only for Internet Explorer 7 or higher running on Windows Vista or Windows 2008. 

To configure the Security zone for the OWA we site, use the following steps:

  1. In Internet Explorer, click Tools, click Internet Options and click Security.
  2. Click the Security zone that is required (your choices are Internet, Local Intranet, Trusted Sites and Restricted Sites.

    Note: Many controls of OWA will not function correctly in the Restricted Sites zone or if the Security level for the zone used is too high.
  3. Check the box for �Enable Protected Mode (requires restarting Internet Explorer), then click the Sites button.
  4. Add the OWA site to the list of sites by typing the URL, such as owa.contoso.com, and then click Add, then click Close.
  5. Click the Apply button, click OK and then restart Internet Explorer and connect to OWA.

    NOTE:  When running in "protected" mode, the Internet Explorer cannot automatically delete files from the local Certificates store.

↑ Back to the top

More information

  To verify whether certificates are present, use one of the following methods:

Use Internet Explorer

  1. In Internet Explorer, click Tools, click Internet Options, click the Content tab and click the Certificates button.
  2. Click the Personal tab and verify that your certificate is present.
    Note:  One of the intended purposes of the Certificate should be "Secure Email"

Use Windows

  1. Click Start, click Run and type the following command and click enter:

    %userprofile%\Application Data\Microsoft\SystemCertificates\My\Certificates
  2. Verify that a file containing the Thumbprint value of your certificate is present.

↑ Back to the top

Keywords: KB2000394

↑ Back to the top

Article Info
Article ID : 2000394
Revision : 8
Created on : 11/25/2009
Published on : 11/25/2009
Exists online : False
Views : 243