The mysterious Exchange SMimeConfig Algorithms

The Outlook on the web S/MIME implementation supports a range of encryption algorithms, such as

  • RC2 (supported key lengths are 40, 56, 64, and 128)
  • DES (56-bit)  
  • 3DES (168-bit)
  • AES128  
  • AES192  
  • AES256

You must follow a specific format when you want to configure the OWAEncryptionAlgorithms or OWASigningAlgorithms attributes to support more than one algorithm. The attribute itself is stored as a plain String and is not validated by Set-SMimeConfig. Keep this in mind when you have configured S/MIME settings and the S/MIME control is unavailable in your Outlook on the web client: a malformed algorithm string is accepted silently and simply disables S/MIME.

TechNet states clearly:

“If the encryption algorithm or minimum key length is not available on a client, Outlook on the web does not allow encryption.”

The string to use when configuring OWAEncryptionAlgorithms for AES256 and AES128 is
"6610;660E"

Set-SmimeConfig -OWAEncryptionAlgorithms "6610;660E"

If you omit the quotation marks, the cmdlet returns an error. The cmdlet does accept a comma-separated list, but that produces the following Get-SMimeConfig output:

Set-SmimeConfig -OWAEncryptionAlgorithms 6610,660E

OWAEncryptionAlgorithms: 660E 6610

This setting results in S/MIME not being available in Outlook on the web.
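Because Set-SMimeConfig stores whatever string it is given, the only reliable safeguard is to check the value yourself before and after applying it. The following PowerShell is an added example and not part of the original post or of Exchange: it validates an OWAEncryptionAlgorithms or OWASigningAlgorithms value for the semicolon-separated format shown above and flags the comma and space variants that disable S/MIME. The IDs 6610 (AES256) and 660E (AES128) come from the post; the mapping of the remaining algorithms to 6601, 6602, 6603 and 660F is taken from the standard CryptoAPI ALG_ID constants and is an assumption on my part, as is the function name. Note that an unquoted semicolon is a PowerShell statement separator, which is why the unquoted form errors out.

```powershell
# Added example (not from the original post): validate an Exchange OWA S/MIME
# algorithm string before passing it to Set-SMimeConfig, which does not validate it.
# 6610 (AES256) and 660E (AES128) are documented in the post; the other IDs are the
# CryptoAPI ALG_ID constants for the listed algorithms (assumption).
$KnownAlgorithmIds = @{
    '6601' = 'DES (56-bit)'
    '6602' = 'RC2'
    '6603' = '3DES (168-bit)'
    '660E' = 'AES128'
    '660F' = 'AES192'
    '6610' = 'AES256'
}

function Test-SMimeAlgorithmString {
    # Returns an object with IsValid, the resolved algorithm names and a list of problems.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Value
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # Exchange expects ONE string of semicolon-separated IDs, e.g. "6610;660E".
    # A comma-separated argument becomes an array and is stored space-separated
    # ("660E 6610"), which makes S/MIME unavailable in Outlook on the web.
    if ($Value -match ',')  { $problems.Add('contains a comma: pass one quoted string, not a comma-separated list') }
    if ($Value -match '\s') { $problems.Add('contains whitespace: IDs must be separated by ";" only') }

    $ids = @($Value -split ';' | Where-Object { $_ -ne '' })
    if ($ids.Count -eq 0) { $problems.Add('no algorithm IDs found') }

    $names = foreach ($id in $ids) {
        if ($id -notmatch '^[0-9A-Fa-f]{4}$') {
            $problems.Add("'$id' is not a 4-digit hex ALG_ID")
        }
        elseif (-not $KnownAlgorithmIds.ContainsKey($id.ToUpper())) {
            $problems.Add("'$id' is not an algorithm Outlook on the web supports")
        }
        else {
            $KnownAlgorithmIds[$id.ToUpper()]
        }
    }

    [pscustomobject]@{
        Value      = $Value
        IsValid    = ($problems.Count -eq 0)
        Algorithms = @($names)
        Problems   = @($problems)
    }
}

function ConvertTo-SMimeAlgorithmString {
    # Builds the correctly formatted string from a list of IDs, so callers never
    # hand-type the separators: ConvertTo-SMimeAlgorithmString 6610, 660E -> "6610;660E"
    param([Parameter(Mandatory)] [string[]] $Id)
    ($Id | ForEach-Object { $_.Trim().ToUpper() }) -join ';'
}

# Constructed sample values: the documented good string, the comma variant, the
# space-separated form Get-SMimeConfig shows after a comma-separated Set, and a bogus ID.
'6610;660E', '6610,660E', '660E 6610', '6610;ABCD' | ForEach-Object {
    $result = Test-SMimeAlgorithmString -Value $_
    if ($result.IsValid) {
        "OK       '$($result.Value)' -> $($result.Algorithms -join ', ')"
    } else {
        "INVALID  '$($result.Value)' -> $($result.Problems -join '; ')"
    }
}

# On an Exchange server with the Management Shell loaded (assumption), check the
# live value the same way:
#   Test-SMimeAlgorithmString -Value (Get-SMimeConfig).OWAEncryptionAlgorithms
#   Set-SMimeConfig -OWAEncryptionAlgorithms (ConvertTo-SMimeAlgorithmString 6610, 660E)
```

Running the sample loop reports the first string as valid (AES256, AES128) and the other three as invalid, with the comma and whitespace cases called out explicitly. Feeding the stored value from Get-SMimeConfig through the same function after every change is a cheap way to catch the "660E 6610" mistake before users notice that S/MIME has vanished from Outlook on the web.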

Note

To successfully apply S/MIME configuration changes, restart the Outlook on the web application pool (MSExchangeOWAAppPool) or the Exchange server.

Get-ExchangeServer | ? { $_.AdminDisplayVersion -like '*15.*'} | % { Invoke-Command -ComputerName $_.Name -ScriptBlock {Restart-WebAppPool MSExchangeOWAAppPool} }
