Configuring and Using Microsoft Outlook Usability Enhancements

To view the security settings for Outlook 2021:

1. Go to File > Options.

2. In the Outlook Options window, select Trust Center from the menu.

3. Click Trust Center Settings.

   

4. In the left pane, click Email Security.

5. In the Encrypted e-mail section, click Settings…

   The Change Security Settings window is displayed.

   

The Outlook security profile created by ActivClient defines the following parameters (for a table of values configured by ActivClient, see Outlook Security Profile Settings and Values):

• Security Settings Name

• Cryptography Format

• Signing Certificate

• Hash Algorithm

• Encryption Certificate

• Encryption Algorithm

The Outlook security profile values updated by ActivClient are retrieved either from the token (certificates) or from the configured policies (ActivClient policies or Microsoft policies).

The following table lists the value configured for each setting when the Outlook security profile is created or updated.

View table

• Certificate propagation: The Microsoft certificate propagation service (CertPropSvc) must be enabled.

• A default Microsoft Outlook security profile must be defined, and a Microsoft Exchange account must be set for this profile (for example, POP accounts are ignored).

ActivClient selects the most recent signature certificate (based on the "Valid From" date) that meets the following criteria:

• Validity:

  The current date must fall between the certificate's "Valid From" and "Valid To" dates.

• Key Usage:

  The Key Usage extension must include "Digital Signature".

• Intended Key Usage:

  • Must include CERT_KEY_DIGITAL_SIGNATURE_USAGE, or

  • Must be identified as a CAC Signature Certificate or a PIV Digital Signature Key.

ActivClient selects the most recent encryption certificate (based on the "Valid From" date) that meets the following criteria:

• Validity:

  The current date must fall between the certificate’s "Valid From" and "Valid To" dates.

• Key Usage:

  The Key Usage extension must include "Key Encipherment" or "Data Encipherment".

• Intended Key Usage:

  • Must include CERT_KEY_ENCIPHERMENT_KEY_USAGE, or

  • Must be identified as a CAC Encryption Certificate or a PIV Key Management Key.

Depending on the configuration settings, ActivClient performs additional checks on the selected signature and encryption certificates before updating the Microsoft Outlook Security profile and publishing to the Global Address List (GAL).

Email Address Consistency

By default, the email address in the smart card certificate must match the email address configured in the Microsoft Exchange account.

This prerequisite can be disabled using the Allow Different Email Addresses in Smart Card Certificate and Microsoft Exchange Account policy.

Important: The Allow Different Email Addresses in Smart Card Certificate and Microsoft Exchange Account policy setting takes effect only when Microsoft Outlook is configured with the SuppressNameChecks registry value.

If this policy is enabled:

• The email address is retrieved from the certificate RFC822 Subject alternate name.

  (If the attribute is missing, the email address is retrieved from the E= field in the certificate's subject.)

  • If online, ActivClient validates the email address against Active Directory.

  • If offline, this check is automatically bypassed, even if the policy is enabled.

• Matching behavior:

  • If the email addresses match: ActivClient updates the Outlook profile and publishes the certificate to the Global Address List (GAL).

  • If the email addresses do not match: ActivClient continues to check if Outlook or the GAL needs to be updated.

    • If no update is needed (that is, the card certificates are already used to configure Outlook and published to the GAL): no action is performed.

    • If an update is needed: ActivClient prompts the user by displaying the email address configured in Microsoft Exchange and the email address contained in the token certificate. The user can then make an informed decision about whether to proceed with updating the Outlook profile and publishing to the GAL.

If the Allow Different Email Addresses in Smart Card Certificate and Microsoft Exchange Account policy is disabled:

1. The email address is retrieved from the certificate's RFC822 Subject alternate name.

   If the attribute is missing, the email address is retrieved from the E= field in the certificate's subject.

2. If online, ActivClient validates the email address against Active Directory.

3. If offline, this check is automatically bypassed.

4. If the email addresses match, ActivClient updates the Outlook profile and publishes the certificate to the GAL.

   If the email addresses do not match, these actions are not performed.

Certificate Revocation List Check

If the Check CRL for Microsoft Outlook Security Profile Creation and Publish to GAL policy is enabled and:

• The CRL check fails (the certificate is revoked or on hold, or the CRL check times out):

  • If the policy is enabled and enforced:

    The certificate is ignored and the operation(automatically configuring email certificates in Microsoft Outlook and/or automatically publishing certificates to the GAL) is not performed.

  • If the policy is enabled and not enforced:

    The certificate is accepted and the operation(automatically configuring email certificates in Microsoft Outlook and/or automatically publishing certificates to the GAL) is performed; however, the certificate is marked as not CRL-valid, and a warning event is added in the Microsoft Windows event log.

• The CRL check succeeds:

  • If the policy is enabled (and enforced or non-enforced):

    The certificate is marked as CRL-valid.

If the Check CRL for Microsoft Outlook Security Profile Creation and Publish to GAL policy is disabled:

• The operation(automatically configuring email certificates in Microsoft Outlook and/or automatically publishing certificates to the GAL) is performed regardless of the CRL check status.

Note:

• The whole certificate chain is checked.

• For performance reasons, the CRL check is performed only if the security profile needs to be updated (that is, after comparing with the current configuration).

• If an OCSP provider is installed and configured on the Windows client, ActivClient will check the certificate status with OCSP instead of the CRL.

The description above applies when the workstation is connected to the corporate network (that is, when Active Directory is accessible). If the workstation is not connected and Active Directory is unavailable, the automatic configuration is still performed, but with two differences:

• No user account check is performed.

• No CRL check is performed, regardless of the CRL check configuration.

Certificate publication to the GAL is available only for Microsoft Exchange accounts. It does not apply to Outlook configurations that use third-party mail servers or POP3.

The Turn on automatic publication of certificates to the Global Address List policy is effective only if the Turn off setup email certificates in Outlook on card insertion policy is either Disabled (default setting) or Not Configured.

When a token is inserted, ActivClient publishes the certificate after automatically updating the Microsoft Outlook security profile.

1. Outlook Security Profile Update:

   • If the token contains valid certificates, ActivClient updates the Microsoft Outlook security profile.

   • For details, see Outlook Security Profile Update.

2. Certificate Publication to the GAL:

   • ActivClient publishes the user's encryption certificate that has been set in the Outlook security profile to the GAL by updating the following attributes in the user’s Active Directory object:

     1. userSMIMECertificate

        • This attribute (defined in RFC 2798) contains the user’s S/MIME configuration.

          It is multi-valued and includes the user’s encryption and signature certificates, including their full certificate chains.

        • Format : PKCS #7.

        • ActivClient erases the existing content of this attribute and publishes the current user’s encryption and signature certificates.

        • This behavior is equivalent to the native Outlook Publish to GAL workflow.

     2. userCertificate

        • Format: DER-encoded.

        • This attribute is multi-valued and it may contain all user certificates (signature, encryption, logon, EFS, etc.) if the certificates are issued by a Microsoft CA A Certificate Authority is a trusted entity that issues digital certificates, confirming the ownership of public keys and other identity attributes. Within a Public Key Infrastructure (PKI), the CA typically relies on a Registration Authority (RA) to verify the certificate requestor's information before issuing the certificate..

        • Native Outlook Publish to GAL behavior:

          • Adds new encryption certificates without removing earlier ones, which may lead to multiple encryption certificates and cause conflicts in some configurations.

          ActivClient Publish to GAL behavior:

          • Clears the attribute and republishes only the current user’s encryption certificate. This ensures that the Active Directory configuration matches the local Outlook configuration and helps avoid issues with encrypted email delivery.

Once the certificate is published, other Exchange users with access to the GAL can send encrypted emails without manually configuring the recipient's encryption certificate.

Any errors during the Publish to GAL process are logged in the Windows Event Viewer of the user workstation. No error messages are displayed to the user directly. For details, see Auditing Outlook Security Profile Updates and Certificate Publication to the GAL.

Users must have the necessary permissions to update their Active Directory object. This implies the following:

• Scenarios where the email account is configured for a different user name than the Windows account user are not supported.

• If the user is not authenticated with Active Directory, automatic certificate publishing to the GAL will fail.

In addition to the automatic Publish to GAL operations (performed in the background on token insertion), users can manually trigger the process through the ActivClient Agent.

Navigation:

1. Right-click the ActivClient Agent icon in the Windows system tray.
2. Select Advanced > Publish to GAL from the menu.

   

This option is equivalent to the automatic Publish to GAL process and performs the following operations:

• Performs the Outlook security profile update and publishes certificates to the GAL, as described above.

  This occurs regardless of whether the following ActivClient policies, which control automatic execution, are enabled or disabled:

  • Turn off setup email certificates in Microsoft Outlook on card insertion

  • Turn on automatic publication of certificates to the Global Address List

• Displays success and error messages in dialog boxes and logs events in the Windows Event Viewer.

• Prompts the user to authenticate with Active Directory, if required for the operation.

• Uses the same Certificate Revocation List (CRL) check configuration as the automatic mode.

The ActivClient audit events follow the Microsoft logging format and are:

• Logged in the HID Global section of the Applications and Services Logs of the Windows Event Viewer.

• Labeled with ActivClient as the event Source.

Each event contains the following elements:

• Event level (Information, Warning, Error)

• Event ID

  Tip! For the complete list of event ID codes, see Audited Event ID Codes List.

• Event description (specifies the user name, domain, and if applicable, a failure reason)

You can also audit changes made directly to Active Directory objects during the certificate publishing process.

To enable this:

1. On the domain controller, go to:

   Default Domain Controller Security Settings > Security Settings > Local Policies > Audit Policy.

2. Enable Audit directory service access.

3. For each user, specify the attributes that should be audited:

   1. Open Advanced Security Settings for the user object.

   2. Go to the Auditing tab.

   3. Select the following attributes:

      • Write userSMIMECertificate

      • Write userCertificate

For more information, refer to the official Microsoft documentation.

1. ActivClient asks the user if they want to create a contact in the Contacts folder with the sender's email address.

   

2. If confirmed, the user is prompted to confirm the addition of the sender's certificate to the contact.

   The user can view the certificate before accepting.

3. If accepted, the certificate becomes the default for this contact.

1. ActivClient asks the user if they want to associate the certificate with the contact.

   The user can view the certificate before accepting.

   

2. If accepted, the certificate becomes the default for this contact.

1. ActivClient asks the user if they want to update the sender's digital certificate in the Contacts folder.

   The user can easily compare the two certificates.

   

2. If accepted, the certificate becomes the default for this contact.

No action is taken.

To enable automatic decryption:

Set the Turn On Automatic Decryption of Encrypted Emails policy to Enabled.

1. The user opens an encrypted email.

2. The email and any attachments are decrypted (may require PIN authentication).

3. A decrypted copy of the email is saved in the same folder as the original.

   The digital signature (if present) is preserved in the decrypted copy.

4. The encrypted version of the email is moved to the Deleted Items folder.