Workaround to enable Outlook 2003 Cached Exchange Mode with NetSign CAC 5.5
Description:
This article provides a work around for using NetSign CAC 5.x with Outlook 2003 Cached Exchange Mode.
Product
- NetSign 5.5 (5.5.71)
- Outlook 2003 with Outlook Cached Exchange Mode Enabled
Issue / Problem
NetSign CAC 5.5 does not support Cached Exchange Mode for Outlook 2003. The option "Use Cached Exchange Mode" is set by default when installing Outlook 2003 and must be disabled for NetSign CAC 5.5.
Support for Outlook 2003 was a requirement for NetSign CAC 5.5, however Outlook Cached Exchange Mode was not included as part of the specification for this release. Recent customer feedback on NetSign CAC 5.5 has indicated that Outlook Cached Exchange Mode is an important Outlook 2003 feature for many of our customers.
Saflink Product Management recognizes the importance of Outlook Cached Exchange Mode and is committed to supporting the capability in a NetSign CAC 5.5 service pack.
To mitigate potential customer concerns, Saflink has investigated the capability of the current NetSign CAC 5.5 release to support Outlook Cached Exchange Mode. The results of this investigation have shown :
Certain NetSign CAC 5.5 Features are mutually exclusive with Microsoft Outlook 2003 Cached Exchange Mode:
1. Publish to GAL will not work while Outlook 2003 Cached Exchange Mode is enabled with NetSign CAC 5.5 (5.5.71).
2. Interaction of Outlook 2003 Cached Exchange Mode when enabled and the Cardstart.exe function with NetSign CAC 5.5 (5.5.71) causes an error when shutting down the system or logging off of Windows unless Outlook Auto-Configuration (Auto-register certificates with Outlook) is turned off.
The temporary workaround outlined below should enable limited NetSign CAC 5.5 functionality when Outlook 2003 is configured to use Outlook Cached Exchange Mode.
Solution:
A workaround to configure NetSign CAC 5.5 AND Outlook 2003 with Outlook 2003 Cached Exchange Mode enabled would require the following configuration processes:
1. Pre Configuration assumptions:
a. Outlook 2003 clients with Outlook 2003 Cached Exchange Mode disabled in order to complete these steps (use Outlook Group Policy Template - outlk11.adm- to turn off Cached Exchange Mode or provide user instructions to individually control Outlook 2003 Cached Mode). This is a must for Publish to GAL to work properly with Outlook 2003 email clients.
b. NetSign CAC Certificate Registration settings must include Auto-Register Certificates for IE and CAN NOT include Auto Unreg on Log Off or Auto Unreg on Remove for S/MIME OR SSL to function properly.
2. Enable [x] CAC Policy Outlook Auto Configure and Enable [x] Publish to GAL.
a. To use NetSign CAC 5.5 Outlook Auto Configure to setup the correct signing and encrypting certs requires you to include [x] Auto-Register Certificates with Outlook. After the user inserts their CAC card into the reader NetSign CAC 5.5 should automatically configure the correct certificates for signing and encrypting email when the user opens up their Outlook application.
b. Ensure that each user has published their certificates to the GAL. This is done using NetSign CAC Policies to include [x]Publish to GAL (if a change was made to this CAC Policy then the user system may require a reboot before seeing the dialog to publish their certificate to the GAL). The user will need to insert their CAC and after the dialog box comes up for Publish to GAL they will need to authenticate to the CAC with their correct PIN.
3. After Outlook Auto Configure has been completed from step 2a turn off this setting in Cardstart Policies by removing the check for [ ] Auto-register certificates with Outlook. (NOTE: Administrators can use the NetSign.adm Group Policy template to remotely administer this task for Computer Configurations in the domain (Group Policy - Computer Configurations-Administrative Template - NetSign - Outlook Auto Configure - Auto register configure this to Disabled).
4. Leave the NetSign CAC Publish to GAL policy set to detect new user Certificates. Note: After completing the steps of this workaround NetSign will not ask the user to publish their certificate until NetSign detects a new user certificate then the user will see the publish to GAL reminders. This message will repeat every time the user logs in and inserts their card until the steps outlined in this document have been repeated and the user's new certificate is published to the GAL.
5. After these steps have been completed Outlook 2003 users can enable Outlook Cached Exchange Mode. (NOTE: Administrators can use the OUTLK11.ADM Group Policy template to remotely administer this task for Computer Configurations in the domain (Group Policy - User Configurations-Administrative Template- Microsoft Outlook 2003 - Tools | Email Accounts - Cached Exchanged Mode - Disabled Cached Exchange Mode on new profiles configure this to Enabled).
Summary / Troubleshooting:
* If Outlook 2003 Cached Exchange Mode is enabled and a new certificate is detected during a user's session then an administrator will need to turn off Outlook Cached Exchange Mode in order for the certificate to properly Publish to GAL. A system reboot is recommended after changing this NetSign Policy before Publish to GAL will work properly. Confirm Publish to GAL by checking users Published certificate in Active Directory for the user's "Published Certificate". S/MIME and SSL will function normally even without this workaround.
** If Enable Cached Exchange Mode is on and Auto-Register Certificates with Outlook is enabled in NetSign Policy settings then the user will see an error dialog when logging off or shutting down their system. The dialog will indicate that Cardstart.exe is having problems shutting down and requires the user to select "End now" to shut down or log off completely. This can be easily remedied by following steps 2a and 3 above and turning off Auto-register certificates with Outlook Policy setting. S/MIME and SSL, Auto-Contact and Auto-Decrypt should all function normally even without this workaround.
Keywords:
Outlook Cached Exchange Mode, Outlook 2003, Publish to GAL, Cardstart.exe
Description:
This article provides a work around for using NetSign CAC 5.x with Outlook 2003 Cached Exchange Mode.
Product
- NetSign 5.5 (5.5.71)
- Outlook 2003 with Outlook Cached Exchange Mode Enabled
Issue / Problem
NetSign CAC 5.5 does not support Cached Exchange Mode for Outlook 2003. The option "Use Cached Exchange Mode" is set by default when installing Outlook 2003 and must be disabled for NetSign CAC 5.5.
Support for Outlook 2003 was a requirement for NetSign CAC 5.5, however Outlook Cached Exchange Mode was not included as part of the specification for this release. Recent customer feedback on NetSign CAC 5.5 has indicated that Outlook Cached Exchange Mode is an important Outlook 2003 feature for many of our customers.
Saflink Product Management recognizes the importance of Outlook Cached Exchange Mode and is committed to supporting the capability in a NetSign CAC 5.5 service pack.
To mitigate potential customer concerns, Saflink has investigated the capability of the current NetSign CAC 5.5 release to support Outlook Cached Exchange Mode. The results of this investigation have shown :
Certain NetSign CAC 5.5 Features are mutually exclusive with Microsoft Outlook 2003 Cached Exchange Mode:
1. Publish to GAL will not work while Outlook 2003 Cached Exchange Mode is enabled with NetSign CAC 5.5 (5.5.71).
2. Interaction of Outlook 2003 Cached Exchange Mode when enabled and the Cardstart.exe function with NetSign CAC 5.5 (5.5.71) causes an error when shutting down the system or logging off of Windows unless Outlook Auto-Configuration (Auto-register certificates with Outlook) is turned off.
The temporary workaround outlined below should enable limited NetSign CAC 5.5 functionality when Outlook 2003 is configured to use Outlook Cached Exchange Mode.
Solution:
A workaround to configure NetSign CAC 5.5 AND Outlook 2003 with Outlook 2003 Cached Exchange Mode enabled would require the following configuration processes:
1. Pre Configuration assumptions:
a. Outlook 2003 clients with Outlook 2003 Cached Exchange Mode disabled in order to complete these steps (use Outlook Group Policy Template - outlk11.adm- to turn off Cached Exchange Mode or provide user instructions to individually control Outlook 2003 Cached Mode). This is a must for Publish to GAL to work properly with Outlook 2003 email clients.
b. NetSign CAC Certificate Registration settings must include Auto-Register Certificates for IE and CAN NOT include Auto Unreg on Log Off or Auto Unreg on Remove for S/MIME OR SSL to function properly.
2. Enable [x] CAC Policy Outlook Auto Configure and Enable [x] Publish to GAL.
a. To use NetSign CAC 5.5 Outlook Auto Configure to setup the correct signing and encrypting certs requires you to include [x] Auto-Register Certificates with Outlook. After the user inserts their CAC card into the reader NetSign CAC 5.5 should automatically configure the correct certificates for signing and encrypting email when the user opens up their Outlook application.
b. Ensure that each user has published their certificates to the GAL. This is done using NetSign CAC Policies to include [x]Publish to GAL (if a change was made to this CAC Policy then the user system may require a reboot before seeing the dialog to publish their certificate to the GAL). The user will need to insert their CAC and after the dialog box comes up for Publish to GAL they will need to authenticate to the CAC with their correct PIN.
3. After Outlook Auto Configure has been completed from step 2a turn off this setting in Cardstart Policies by removing the check for [ ] Auto-register certificates with Outlook. (NOTE: Administrators can use the NetSign.adm Group Policy template to remotely administer this task for Computer Configurations in the domain (Group Policy - Computer Configurations-Administrative Template - NetSign - Outlook Auto Configure - Auto register configure this to Disabled).
4. Leave the NetSign CAC Publish to GAL policy set to detect new user Certificates. Note: After completing the steps of this workaround NetSign will not ask the user to publish their certificate until NetSign detects a new user certificate then the user will see the publish to GAL reminders. This message will repeat every time the user logs in and inserts their card until the steps outlined in this document have been repeated and the user's new certificate is published to the GAL.
5. After these steps have been completed Outlook 2003 users can enable Outlook Cached Exchange Mode. (NOTE: Administrators can use the OUTLK11.ADM Group Policy template to remotely administer this task for Computer Configurations in the domain (Group Policy - User Configurations-Administrative Template- Microsoft Outlook 2003 - Tools | Email Accounts - Cached Exchanged Mode - Disabled Cached Exchange Mode on new profiles configure this to Enabled).
Summary / Troubleshooting:
* If Outlook 2003 Cached Exchange Mode is enabled and a new certificate is detected during a user's session then an administrator will need to turn off Outlook Cached Exchange Mode in order for the certificate to properly Publish to GAL. A system reboot is recommended after changing this NetSign Policy before Publish to GAL will work properly. Confirm Publish to GAL by checking users Published certificate in Active Directory for the user's "Published Certificate". S/MIME and SSL will function normally even without this workaround.
** If Enable Cached Exchange Mode is on and Auto-Register Certificates with Outlook is enabled in NetSign Policy settings then the user will see an error dialog when logging off or shutting down their system. The dialog will indicate that Cardstart.exe is having problems shutting down and requires the user to select "End now" to shut down or log off completely. This can be easily remedied by following steps 2a and 3 above and turning off Auto-register certificates with Outlook Policy setting. S/MIME and SSL, Auto-Contact and Auto-Decrypt should all function normally even without this workaround.
Keywords:
Outlook Cached Exchange Mode, Outlook 2003, Publish to GAL, Cardstart.exe