Outlook Security Profile Configuration

This section describes Outlook security profile management through the ActivClient Outlook Usability enhancements settings:

Outlook Security Profile Settings

Note:

The following procedure is illustrated using Microsoft Outlook 2016. The steps and interface might vary with newer versions of Microsoft Outlook. Refer to the Microsoft documentation for further information.

  1. To view the security settings for Outlook 2016, go to File > Options. In the Outlook Options window, open Trust Center and click Trust Center Settings.

  2. In the left pane, click Email Security.

  3. In the Encrypted e-mail section, click Settings....

    The Change Security Settings window is displayed.

The Outlook security profile created by ActivClient defines the:

  • Security settings name

  • Cryptography format

  • Signing certificate

  • Hash algorithm

  • Encryption certificate

  • Encryption algorithm

Other parameters can be defined using Microsoft policies (for example, Add digital signature to outgoing messages).

These settings are configured automatically at smart card insertion, depending on the smart card inserted, the ActivClient Microsoft Outlook Usability Enhancements settings, and the environment conditions described in the following section.

Outlook Security Profile Update

Profile Selection and Conditions for Security Profile Update

When Turn off setup email certificates in Microsoft Outlook on card insertion is not configured or disabled (the default setting), ActivClient updates the profile at card insertion if the following conditions are met:

  • Certificate propagation is enabled (Microsoft certificate propagation).

  • A default Microsoft Outlook profile is defined, and an Exchange account is set for this profile (POP accounts, for example, are ignored).

  • A signature certificate on the inserted smart card meets the conditions listed below. If several certificates meet the conditions, the most recent one (by Valid From date) is selected:

    • Validity – the current date is between ‘Valid From’ and ‘Valid To’.

    • Key usage – the certificate key usage must contain the value 'Digital Signature'.

    • The Intended Key Usage includes CERT_KEY_DIGITAL_SIGNATURE_USAGE for the signature certificate, or the certificate is the CAC Signature Certificate or the PIV Digital Signature Key.

  • An encryption certificate on the inserted smart card meets the conditions listed below. If several certificates meet the conditions, the most recent one (by Valid From date) is selected:

    • Validity – the current date is between ‘Valid From’ and ‘Valid To’.

    • Key usage – the certificate key usage must contain the value 'Key Encipherment' or 'Data Encipherment'.

    • The Intended Key Usage includes CERT_KEY_ENCIPHERMENT_KEY_USAGE for the encryption certificate, or the certificate is the CAC Encryption Certificate or the PIV Key Management Key.

Depending on configuration settings, additional checks are performed on the two selected certificates:

  • Email address – the email address in the certificate should be the same as the one configured in the Microsoft Exchange account (this check can be disabled using the setting Allow different email addresses in smart card certificate and Exchange account). The email address is retrieved from the certificate's RFC822 Subject Alternative Name attribute or, if it is missing, from the E= component of the subject, and is checked against Active Directory when the workstation is online. When the workstation is offline, this check is bypassed whatever the value of the setting.

    • If the setting is set to No (the default), the name check is performed:

      – If the email addresses match, ActivClient updates the Outlook profile/publishes to the GAL.

      – If they do not match, the certificate does not meet the selection conditions and is not used (see events 771 and 772 in Audit).

    • If the setting is set to Yes, the name check is still performed, but a mismatch does not reject the certificate:

      – If the email addresses match, ActivClient updates the Outlook profile/publishes to the GAL.

      – If they do not match, ActivClient continues to check whether Outlook/the GAL needs to be updated:

        – If no update is needed (that is, the card certificates are already used to configure Outlook/publish to the GAL), no action is performed.

        – If an update is needed, ActivClient prompts the user, presenting the email addresses configured in Microsoft Exchange and the email address used in the smart card certificate. The user then makes an informed decision on whether to proceed with updating the Outlook profile/publishing to the GAL.

    This last configuration is only applicable to customers who configure Microsoft Outlook with SuppressNameChecks (http://support.microsoft.com/kb/276597).

  • CRL check (if the setting is enabled):

    • If the CRL check is enabled and enforced, and the check fails (the certificate is revoked or on hold, or the CRL retrieval times out), the certificate is ignored and the operation (automatically configure email certificates in Microsoft Outlook and/or automatically publish certificates to the GAL) is not performed.

    • If the CRL check is enabled but not enforced, and the check fails (the certificate is revoked or on hold, or the CRL retrieval times out), the certificate is accepted and the operation (automatically configure email certificates in Microsoft Outlook and/or automatically publish certificates to the GAL) is performed, but the certificate is marked as not CRL valid and a warning event is written to the Microsoft Windows event log.

    • If the CRL check is enabled (enforced or not) and the check succeeds, the certificate is marked as CRL valid.

    • If the CRL check is disabled, the operation (automatically configure email certificates in Outlook and/or automatically publish certificates to the GAL) is performed regardless of the CRL status.

Note:
  • The CRL check timeout is also configurable.

  • The whole certificate chain is checked.

  • For performance reasons, the CRL check is performed only if the security profile needs to be updated (that is, after comparing with the current configuration).

  • If an OCSP provider is installed and configured on the Windows client, ActivClient will check the certificate status with OCSP instead of CRL.

The description above applies when the workstation is connected to the corporate network (Active Directory is accessible). When Active Directory is not accessible, the automatic configuration is still performed, with two differences:

  • No user account check is performed.

  • No CRL check is performed (whatever the configuration for the CRL check).
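The selection and check logic described in this section, as an added PowerShell example (not ActivClient code): it walks the user's personal certificate store, applies the validity, key usage and email address conditions, keeps the certificate with the most recent Valid From date, and then runs a whole-chain revocation check whose failure is treated as enforced or not. It assumes Windows PowerShell 5.1 or later, that the Exchange account addresses are the SMTP proxyAddresses values of the logged-on user's Active Directory object (read with the current user's credentials), and a 15 second retrieval timeout standing in for the ActivClient CRL timeout setting. An unreachable directory is treated as the offline case (no email check, no CRL check).

```powershell
# Added example, not ActivClient code: reproduces the selection rules described above against the
# certificates that Windows certificate propagation has copied from the smart card into the user's
# personal (CAPI) store. Assumptions: Windows PowerShell 5.1 or later (for 'using namespace'); the
# Exchange account addresses are read from the proxyAddresses attribute of the logged-on user's AD
# object; the 15 s CRL retrieval timeout stands in for the configurable ActivClient timeout.
using namespace System.Security.Cryptography.X509Certificates

function Get-CertificateEmail {
    param([Parameter(Mandatory = $true)][X509Certificate2]$Cert)
    # EmailName is taken from the RFC822 subjectAltName first, then from E= in the subject,
    # which is the lookup order described above.
    $Cert.GetNameInfo([X509NameType]::EmailName, $false)
}

function Get-ExchangeAddresses {
    # Every SMTP:/smtp: proxy address of the logged-on user, lower-cased so aliases compare equal.
    # Returns an empty list when Active Directory cannot be reached (the offline case).
    try {
        $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
        [void]$searcher.PropertiesToLoad.Add('proxyAddresses')
        $entry = $searcher.FindOne()
        if (-not $entry) { return @() }
        @($entry.Properties['proxyaddresses']) |
            Where-Object { $_ -match '^smtp:' } |
            ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() }
    } catch {
        Write-Warning "Active Directory not reachable, skipping the e-mail address check: $_"
        @()
    }
}

function Test-RevocationStatus {
    param([Parameter(Mandatory = $true)][X509Certificate2]$Cert, [int]$TimeoutSeconds = 15)
    # Whole chain, online CRL (or OCSP when a provider is configured), bounded retrieval time.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode      = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Valid  = $ok
        Status = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

function Select-SmimeCertificate {
    param(
        [ValidateSet('Signing', 'Encryption')][string]$Purpose,
        [string[]]$AllowedEmails = @(),   # empty when offline: no e-mail address check
        [switch]$EnforceCrl,
        [switch]$SkipCrl                  # offline: no CRL check at all
    )
    $required = if ($Purpose -eq 'Signing') { [X509KeyUsageFlags]::DigitalSignature }
                else { [X509KeyUsageFlags]::KeyEncipherment -bor [X509KeyUsageFlags]::DataEncipherment }
    $now = Get-Date

    $candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        # Validity window: current date between Valid From and Valid To.
        $now -ge $_.NotBefore -and $now -le $_.NotAfter
    } | Where-Object {
        # Key usage must contain the bit(s) required for this purpose.
        $ku = $_.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
        $ku -and ([int]($ku.KeyUsages -band $required) -ne 0)
    } | Where-Object {
        if ($AllowedEmails.Count -eq 0) { return $true }
        $mail = Get-CertificateEmail -Cert $_
        $mail -and ($AllowedEmails -contains $mail.ToLowerInvariant())
    }

    # Several qualifying certificates: the most recent Valid From date wins.
    $best = $candidates | Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $best) { return $null }
    if ($SkipCrl) { return $best }

    $crl = Test-RevocationStatus -Cert $best
    if (-not $crl.Valid) {
        if ($EnforceCrl) {
            Write-Warning "$Purpose certificate $($best.Thumbprint) rejected, CRL status: $($crl.Status)"
            return $null
        }
        Write-Warning "$Purpose certificate $($best.Thumbprint) accepted but not CRL valid: $($crl.Status)"
    }
    $best
}

$addresses  = @(Get-ExchangeAddresses)
$offline    = ($addresses.Count -eq 0)
$signing    = Select-SmimeCertificate -Purpose Signing    -AllowedEmails $addresses -EnforceCrl -SkipCrl:$offline
$encryption = Select-SmimeCertificate -Purpose Encryption -AllowedEmails $addresses -EnforceCrl -SkipCrl:$offline
[pscustomobject]@{
    SigningThumbprint    = $signing.Thumbprint
    SigningValidFrom     = $signing.NotBefore
    EncryptionThumbprint = $encryption.Thumbprint
    EncryptionValidFrom  = $encryption.NotBefore
} | Format-List
```

Run it as the logged-on user with the card inserted and compare the two thumbprints with the certificates shown in the ActivClient Certificates profile. Omitting -AllowedEmails skips the address comparison, which models both the offline case and the Allow different email addresses setting; dropping -EnforceCrl turns a failed revocation check into the non-enforced warning described above.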

Once the conditions above are met, the security profile and the encryption/signature options are always updated:

  • If a security profile named ActivClient Certificates already exists, it is overwritten. Whether it is the default profile is left unchanged:

    • If it was the default profile, it remains the default profile.

    • If it was not the default profile, it is not set as the default profile.

  • If no security profile named ActivClient Certificates exists, the profile is created and set as default.

  • All other security profiles (not named ActivClient Certificates) are not altered.

The profile creation or update is executed whether Microsoft Outlook is running or not, yet Microsoft Outlook needs to be restarted to see the updates in effect.

The Outlook security profile may be updated if new policies are configured (for example, changing the hashing algorithm from SHA-1 to SHA-256), even if certificates are not updated.

Note:

The created profile might be altered if the ActivClient setting Remove certificate from Microsoft Windows on smart card removal is enabled or if the user certificates are deleted from the Internet Explorer (CAPI) store.

In this case, the user needs to insert the smart card prior to sending signed emails in order to restore the security profile; otherwise, no 'insert smart card' window will be displayed when sending a signed email.

Security Profile Updated Values

The values updated by the ActivClient configuration are retrieved either from the smart card (certificates) or from the configured policies (ActivClient policies or Microsoft policies).

The following table lists the configured value for each setting when the profile is created or updated.

Setting: Security settings name (Default Setting field)
Value: ActivClient Certificates (always – not configurable)

Setting: Encrypt contents and attachment for outgoing message
Value: Same value as configured in the Microsoft Outlook Cryptography Options setting Encrypt all e-mail messages.

Setting: Add digital signature to outgoing message
Value: Same value as configured in the Microsoft Outlook Cryptography Options setting Sign all e-mail messages.

Setting: Send clear text signed message when sending signed message
Value: Same value as configured in the Microsoft Outlook Cryptography Options setting Send all signed messages as clear signed messages.

Setting: Request S/MIME receipt for all S/MIME signed message
Value: Same value as configured in the Microsoft Outlook Cryptography Options setting Request an S/MIME receipt for all S/MIME signed messages.

Setting: Cryptography format
Value: S/MIME (always – not configurable through ActivClient)

Setting: ‘Default security settings for this cryptographic message format’ check box
Value: Checked (always – not configurable through ActivClient)

Setting: ‘Default security settings for all cryptographic messages’ check box
Value: Checked (always – not configurable through ActivClient)

Setting: Signing certificate selected
Value: The selected certificate is the most recent certificate (the most recent Valid From date) on the smart card that meets the following conditions:

  • Validity – the current date is between the Valid From and Valid To dates.

  • User account – if the workstation is online, the certificate email address corresponds to the email address configured for the Microsoft Exchange account. The email address in the certificate is retrieved from the subjectAltName attribute or, if it is missing, from the 'E=' value in the subject attribute. On the Microsoft Exchange side, all email addresses defined for the Exchange account (prefixed by 'SMTP:' or 'smtp:') are compared, which supports email aliases. If the workstation is offline, no email address is checked.

  • Key usage – the certificate key usage must contain the value Digital Signature.

  • The certificate is valid – the certificate status is verified via CRL checking, only if the workstation is online. This CRL check can be configured through an ActivClient policy.

Setting: Signing certificate displayed name
Value: Certificate friendly name.

Setting: Hash algorithm
Value: Same value as configured in the ActivClient Outlook Enhancements setting Hash algorithm configured in Security Profile on card insertion. The selected algorithm cannot be changed in the Microsoft Outlook profile; it can only be changed through GPO settings. Default is SHA-256.

Setting: Encryption certificate selected
Value: The selected certificate is the most recent certificate (the most recent Valid From date) on the smart card that meets the following conditions:

  • Validity – the current date is between the Valid From and Valid To dates.

  • User account – if the workstation is online, the certificate email address corresponds to the email address configured for the Microsoft Exchange account. The email address in the certificate is retrieved from the subjectAltName attribute or, if it is missing, from the 'E=' value in the subject attribute. On the Microsoft Exchange side, all email addresses defined for the Exchange account (prefixed by 'SMTP:' or 'smtp:') are compared, which supports email aliases. If the workstation is offline, no email address is checked.

  • Key usage – the certificate key usage must contain the value Key Encipherment (or Data Encipherment, see Profile Selection and Conditions for Security Profile Update).

  • The certificate is valid – the certificate status is verified via CRL checking, only if the workstation is online. This CRL check can be configured through an ActivClient policy.

Setting: Encryption certificate displayed name
Value: Certificate friendly name.

Setting: Encryption algorithm
Value: Same value as configured in the ActivClient Outlook Enhancements setting Encryption algorithm configured in Security Profile on card insertion. The selected algorithm cannot be changed in the Microsoft Outlook profile; it can only be changed through GPO settings. Default is AES-256.

Setting: ‘Send these certificates with signed message’ check box
Value: Checked (always – not configurable)

For further information about the Microsoft policies that control these settings, see section Microsoft Policies Relevant to ActivID ActivClient.

Publish Certificate to GAL

The ActivClient Publish Certificate to GAL feature consists of publishing the user's encryption certificate used for secure e-mail to the user's object in the Active Directory. This allows other Microsoft Exchange users using Microsoft Outlook or Outlook Web Access to automatically access the encryption certificate to send the user encrypted emails.

The feature is the equivalent of the Publish to GAL option that can be found in the Trust Center (Outlook 2007).

Note:

In full Microsoft environments (that is, using Windows-based CA), the Active Directory attributes are automatically updated when the certificates are created.

In this case, the ActivClient Publish to GAL and the Outlook Publish to GAL features are not necessary. On the contrary, they could lead to mismatched certificates. This is why the ActivClient Publish to GAL feature is disabled by default.

Profile Selection and Email Account

The email account selection is the same as for the security profile update: applicable to Exchange accounts (that is, not applicable for Outlook accounts configured for a third-party server or using a POP3 configuration).

Configuration

The setting Turn on automatic publication of certificates to the Global Address List is applicable only if the setting Turn off setup email certificates in Outlook on card insertion is not configured or disabled (the setting is disabled by default).

Workflow

On card insertion, the certificate publication to the GAL is executed after the Microsoft Outlook security profile automatic update:

If the smart card content is appropriate, the Microsoft Outlook security profile is updated (see Security Profile Updated Values), then, if the Publish to GAL feature is enabled, ActivClient publishes the user's encryption certificate that has been set in the Outlook security profile to the GAL by updating the certificate in the following locations:

  • The userSMIMECertificate attribute of the user's object in Active Directory (certificate in PKCS #7 format):

    • This attribute (defined in RFC 2798) contains the user’s S/MIME configuration; it is multi-valued and includes the user’s encryption certificate and the user’s signature certificate (with their complete certificate chains).

    • ActivClient Publish to GAL erases the content of this attribute and publishes the user’s encryption and signature certificates.

    • ActivClient Publish to GAL has the same result as the native Outlook Publish to GAL feature.

  • The userCertificate attribute of the user's object in Active Directory (certificate in DER encoded format):

    • This attribute is multi-valued. It may contain all user certificates (signature, encryption, logon, EFS, etc.) if the certificates are issued by a Microsoft CA.

    • The native Outlook Publish to GAL feature adds the encryption certificate without deleting earlier values, which might leave multiple encryption certificates in the attribute and cause issues in some configurations.

    • ActivClient Publish to GAL erases the content of this attribute and publishes the user’s encryption certificate. This behavior, different from the native Outlook behavior, guarantees that the Active Directory configuration is the same as the local configuration, so that email exchanges use the latest configuration.

Once the certificate is published, any other online Exchange user (accessing the GAL) can send an encrypted email without having configured the contact information to set the encryption certificate prior to sending the email.

If the user cancels the PIN code prompt (that might display for the userSMIMECertificate attribute), no certificates are published to GAL – neither in the userSMIMECertificate attribute, nor the userCertificate attribute.

If errors occur during the Publish to GAL, they are reported in the Windows Event Viewer of the user workstation – no error message is displayed to the user.

For further information, see Audit.

Note:
  • In order to limit the write operations to the directory, ActivClient first reads the attributes to check if an update is needed (that is, it verifies that the certificate(s) is the same as the one(s) configured in the local Outlook security profile).

  • The smart card is used to sign the certificates in a PKCS#7 format (for the userSMIMECertificate attribute).
    Depending on the PIN caching policy, the user might see a PIN prompt when the certificate is published to Active Directory. This happens only if there is a certificate change; it does not happen if the certificates published in Active Directory do not need to be updated.

  • If you enable the ActivClient Publish to GAL feature, you might want to disable the Outlook Publish to GAL feature, to avoid conflicting updates of the userCertificate attribute in Active Directory. You can do so using an Outlook policy; refer to the Microsoft documentation for details.
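The read-before-write step described in the note above, as an added PowerShell example (not ActivClient code): it reads the logged-on user's userCertificate and userSMIMECertificate values from Active Directory, decodes them (DER and PKCS #7 respectively), and reports whether the encryption certificate currently set in the local profile is already published and whether userCertificate holds more than one encryption certificate, the state the native Outlook Publish to GAL can leave behind. It assumes Windows PowerShell 5.1 with the System.Security assembly, an LDAP lookup under the current user's credentials, and a hypothetical thumbprint argument for the locally selected certificate.

```powershell
# Added example, not ActivClient code: inspect the two GAL attributes of the logged-on user's AD
# object and compare them with the encryption certificate selected locally, which is the check
# the automatic Publish to GAL performs before writing. Assumptions: Windows PowerShell 5.1,
# LDAP lookup with the current user's credentials, thumbprint supplied by the caller.
using namespace System.Security.Cryptography.X509Certificates
Add-Type -AssemblyName System.Security   # SignedCms (PKCS #7) lives in System.Security.dll

function Get-GalCertificates {
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('userCertificate', 'userSMIMECertificate'))
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "User $SamAccountName not found in Active Directory" }

    # userCertificate: one DER-encoded certificate per value.
    $der = @($entry.Properties['usercertificate']) | Where-Object { $_ } | ForEach-Object {
        [X509Certificate2]::new([byte[]]$_)
    }

    # userSMIMECertificate: PKCS #7 SignedData carrying the certificates and their chains.
    $smime = @($entry.Properties['usersmimecertificate']) | Where-Object { $_ } | ForEach-Object {
        try {
            $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
            $cms.Decode([byte[]]$_)
            $cms.Certificates
        } catch {
            Write-Warning "userSMIMECertificate value is not a decodable PKCS #7 structure: $_"
        }
    }

    [pscustomobject]@{
        UserCertificate      = @($der)
        UserSMIMECertificate = @($smime)
    }
}

function Test-KeyEncipherment {
    param([Parameter(Mandatory = $true)][X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] } | Select-Object -First 1
    [bool]($ext -and ([int]($ext.KeyUsages -band [X509KeyUsageFlags]::KeyEncipherment) -ne 0))
}

function Compare-GalWithLocalProfile {
    param([Parameter(Mandatory = $true)][string]$LocalEncryptionThumbprint)
    $gal    = Get-GalCertificates
    $galEnc = @($gal.UserCertificate | Where-Object { Test-KeyEncipherment -Cert $_ })
    $report = [ordered]@{
        UserCertificateCount        = $gal.UserCertificate.Count
        EncryptionCertsInUserCert   = $galEnc.Count
        # More than one encryption certificate is what the native Outlook feature can produce,
        # since it appends rather than replaces.
        MultipleEncryptionCerts     = ($galEnc.Count -gt 1)
        LocalCertInUserCertificate  = [bool]($gal.UserCertificate      | Where-Object Thumbprint -eq $LocalEncryptionThumbprint)
        LocalCertInSMIMECertificate = [bool]($gal.UserSMIMECertificate | Where-Object Thumbprint -eq $LocalEncryptionThumbprint)
        ExpiredPublished            = @($gal.UserCertificate | Where-Object { $_.NotAfter -lt (Get-Date) }).Count
    }
    # "No applicable update" (event 514) is the case where both attributes already hold the
    # local certificate and nothing stale sits beside it.
    $report['UpdateNeeded'] = -not ($report.LocalCertInUserCertificate -and
                                    $report.LocalCertInSMIMECertificate -and
                                    -not $report.MultipleEncryptionCerts)
    [pscustomobject]$report
}

# Usage: pass the thumbprint of the encryption certificate shown in the ActivClient Certificates
# profile (the value below is a hypothetical placeholder).
Compare-GalWithLocalProfile -LocalEncryptionThumbprint 'A1B2C3D4E5F60718293A4B5C6D7E8F9011223344' | Format-List
```

The report is read-only; it never touches the directory. Run it before and after a card insertion to confirm that Publish to GAL replaced, rather than appended to, userCertificate, and run it for a user whose Outlook Publish to GAL policy is still enabled to see the multiple-certificate condition the note warns about.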

Environment Considerations

  • Users must have permission to update their Active Directory object. This implies that:

    • Cases where the email account is configured for a different user name than that of the Windows account user are not supported.

    • If the user is not authenticated to Active Directory, the Publish to GAL will fail.

  • If the Exchange server is configured in cached mode, there might be a delay of up to 24 hours before OWA users can access the updated GAL.

Interactive Process

In addition to the Publish to GAL operations described above (performed in the background on card insertion), an option is available in the ActivClient User Console (in the Tools, Advanced menu) that provides a similar feature which:

  • Performs both the Microsoft Outlook profile configuration and the Publish to GAL as described above (whether these features are enabled or disabled in the ActivClient configuration).

  • Displays success or errors via dialog boxes (in addition to the Event Viewer).

  • If necessary, it prompts the user to authenticate to the Active Directory.

  • The CRL checks follow the same configuration options as used in the automatic mode.

Audit

ActivClient enables the auditing of the two operations described earlier – Outlook security profile configuration and Publish certificate to GAL.

ActivClient audits the successes and failures of these operations and logs them in the Windows Event Viewer.

To be notified of unexpected events, it is recommended that you filter the audited information using the Event Viewer filters.

By default, the ActivClient auditing function is enabled. To disable the option, see Disable audit for Microsoft Outlook security profile creation and Publish to GAL.

The ActivClient events are formatted following Microsoft logging guidelines and are:

  • Logged in the HID Global section of the Applications and Services Logs of the Windows Event Viewer.

  • Labeled with ActivClient as the Source.

Each event contains the following elements:

  • Event Type – Information, Warning, or Error.

  • Event ID – for the complete list of ID codes, see the Audited Event ID codes List below.

  • Event Description – specifies the username and domain, and the reason for failure when applicable.

Note: You can also audit changes performed directly in Active Directory (changes performed during the Publish to GAL operation).

To do so, on the domain controller, go to the Default Domain Controller Security Settings, Security Settings, Local Policies, Audit Policy, and enable Audit directory service access.

Then, for each user, specify the attributes that should be audited: open the Advanced Security Settings for the user, Auditing tab, and select Write userSMIMECertificate and Write userCertificate.

For further information, refer to the Microsoft documentation.

Audited Event ID codes List:

Event ID  Event Type   Category                Description
257       Information  Outlook Profile Update  Outlook security profile updated
258       Information  Publish to GAL          Publish to GAL completed
513       Warning      Outlook Profile Update  No applicable update
514       Warning      Publish to GAL          No applicable update
515       Warning      Outlook Profile Update  CRL check failed for signing certificate for the following reason: Revoked, Offline, or Other
516       Warning      Outlook Profile Update  CRL check failed for encryption certificate for the following reason: Revoked, Offline, or Other
517       Warning      Publish to GAL          CRL check failed for signing certificate for the following reason: Revoked, Offline, or Other
518       Warning      Publish to GAL          CRL check failed for encryption certificate for the following reason: Revoked, Offline, or Other
519       Warning      Outlook Profile Update  Impossible to reach Active Directory
520       Warning      Publish to GAL          Impossible to reach Active Directory
521       Warning      Publish to GAL          Your certificates were not published to the Global Address List. To publish successfully, start the Publish to GAL operation again, and enter the PIN when prompted to do so.
769       Error        Outlook Profile Update  No Exchange account
770       Error        Outlook Profile Update  No valid certificate found
771       Error        Outlook Profile Update  No valid email address in signing certificate
772       Error        Outlook Profile Update  No valid email address in encryption certificate
773       Error        Publish to GAL          Access Denied
774       Error        Outlook Profile Update  CRL check failed for signing certificate for the following reason: Revoked, Offline, or Other
775       Error        Outlook Profile Update  CRL check failed for encryption certificate for the following reason: Revoked, Offline, or Other
776       Error        Publish to GAL          CRL check failed for signing certificate for the following reason: Revoked, Offline, or Other
777       Error        Publish to GAL          CRL check failed for encryption certificate for the following reason: Revoked, Offline, or Other
778       Error        Publish to GAL          Your certificates were not published to the Global Address List. MAPI error code. CAPI error code.

When the CRL check is enabled but not enforced, a failed check is logged as a warning (515 to 518) and the operation proceeds with the certificate marked as not CRL valid; when the check is enforced, the operation is not performed and the failure is logged as an error (774 to 777). See Profile Selection and Conditions for Security Profile Update.
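An added PowerShell example (not ActivClient code) that turns the event list above into the filtered view the Audit section recommends: it collects ActivClient events from the HID Global log, classes them by the outcome they describe (success, no update, CRL failure enforced or not, directory unreachable, access denied, cancelled PIN prompt, email mismatch), resolves the account from the event's SID, and summarises failures per account. The log name pattern 'HID Global*' is an assumption, since the page names the Event Viewer section but not the exact log name; the reason extraction assumes the logged message names only the applicable reason (Revoked, Offline or Other).

```powershell
# Added example, not ActivClient code: triage the ActivClient Outlook/GAL events listed above.
# Assumptions: the log under Applications and Services Logs matches 'HID Global*' (exact name not
# given on this page); provider name 'ActivClient' and the event IDs come from the table; the CRL
# failure message contains only the applicable reason word.

function Get-ActivClientOutlookEvents {
    param([int]$Days = 7, [string]$LogNamePattern = 'HID Global*')
    $logs = Get-WinEvent -ListLog $LogNamePattern -ErrorAction SilentlyContinue
    if (-not $logs) { throw "No event log matching '$LogNamePattern' on this workstation" }
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{
            LogName      = $log.LogName
            ProviderName = 'ActivClient'
            StartTime    = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue
    }
}

function ConvertTo-TriageRecord {
    param([Parameter(ValueFromPipeline = $true)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $id = $Event.Id
        # Category split taken from the table: everything else is Publish to GAL.
        $category = if ($id -in 257,513,515,516,519,769,770,771,772,774,775) { 'Outlook Profile Update' } else { 'Publish to GAL' }
        $class = switch ($id) {
            { $_ -in 257,258 }         { 'Success' }
            { $_ -in 513,514 }         { 'No applicable update' }
            { $_ -in 515,516,517,518 } { 'CRL failure (not enforced, operation continued)' }
            { $_ -in 774,775,776,777 } { 'CRL failure (enforced, operation not performed)' }
            { $_ -in 519,520 }         { 'Active Directory unreachable' }
            { $_ -in 771,772 }         { 'Certificate e-mail does not match Exchange account' }
            521                        { 'PIN prompt cancelled' }
            773                        { 'Access denied on AD object' }
            default                    { 'Other' }
        }
        # CRL events carry the reason in the message text (format assumed, see lead-in).
        $reason = if ($class -like 'CRL failure*' -and $Event.Message -match 'Revoked|Offline|Other') { $Matches[0] } else { $null }
        $account = try { $Event.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { "$($Event.UserId)" }
        [pscustomobject]@{
            Time     = $Event.TimeCreated
            Id       = $id
            Level    = $Event.LevelDisplayName
            Category = $category
            Class    = $class
            Reason   = $reason
            Account  = $account
        }
    }
}

$records = Get-ActivClientOutlookEvents -Days 30 | ConvertTo-TriageRecord

# What failed, how often, and for whom.
$records | Where-Object Class -ne 'Success' |
    Group-Object Class, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# A revoked certificate that was still configured because the CRL check was not enforced
# deserves follow-up: the profile is now signing or encrypting with a revoked key.
$records | Where-Object { $_.Class -like 'CRL failure (not enforced*' -and $_.Reason -eq 'Revoked' } |
    Format-Table Time, Id, Account, Category -AutoSize
```

The second table is the one worth wiring into an alert: in non-enforced mode ActivClient keeps the certificate and only writes the warning, so nothing else on the workstation will flag a revoked signing or encryption certificate.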