Enrolling Users with KMS


KMS uses Active Directory to enroll users in Advanced Security. This can be done individually, by group, by Exchange administrative group, or by server. The administrator password is required only once per enrollment.

When it enrolls users, KMS requests certificates for them from Certificate Services. The certificates are then used to create two key pairs for every user. One key pair is for digital signatures and is created on the client; the other is for e-mail encryption and is created on the Key Management server. The private digital signature keys are stored on the user's computer.

The first time you enroll users in KMS, it will be necessary to configure token distribution, as described later in the section "Configuring Token Distribution for Enrolled Users Under KMS." In addition, if your users are using Outlook 97 or earlier, you may also need to configure the content version.

To enroll a user via KMS, start Exchange System, right-click Key Manager, and choose Enroll Users. As Figure 21-39 shows, you're given the choice of viewing individual users or entire groups of users.

Figure 21-39. Indicating how to view candidates for enrollment.

Enrolling Individual Users

To see a list of individual users, select the first radio button, Display An Alphabetic List Of User Names From The Global Address Book. Then click OK. In the Enroll Users dialog box (Figure 21-40), select the users you want to enroll through KMS, clicking Add for each one. When you're done, click Enroll. You'll see a message box indicating that the users were successfully enrolled.

Figure 21-40. Selecting users to enroll.

Figure 21-41 illustrates the token the client will receive if you have elected to send it via e-mail. The System Attendant generates the e-mail and sends it directly to the client.


Figure 21-41. Sending a token to a user via e-mail.

Enrolling a Group of Users

To see a list of groups of users, select the second radio button, Display Mailbox Stores, Exchange Servers, And Administrative Groups Of Eligible Users. Then click OK. The Enroll Users dialog box appears, listing containers of users. Expand the choices, as shown in Figure 21-42, to enroll users based on their home database. Select the containers whose users you want to enroll, and then click Enroll. All of the users in those databases will be enrolled, and e-mails will be sent to each one if you have elected to send the token by e-mail.

Figure 21-42. Selecting containers of users to enroll.

Obtaining User Certificates

Once a user is enrolled and has received his or her token, the user should open Outlook 2000, choose Options from the Tools menu, and display the Security tab. At the bottom of the tab, the user should click Get A Digital ID to begin the process of getting a certificate.

Figure 21-43 shows the welcome screen your users will see when they click this button. Notice that they are asked whether they want to get an S/MIME certificate from a source on the Internet or have security set up for them on the Exchange server. The correct choice here is to set up security on the Exchange server. Once they select that option and click OK, a small dialog box pops up with the user's name in the upper input field. In the Token field, the user should enter the token received from KMS, as shown in Figure 21-44.

Figure 21-43. Choices a user has for obtaining a digital ID.

Figure 21-44. Entering a user's token.

After the user clicks OK, he or she is prompted to enter a password that will secure the digital ID. This box also contains a reminder that Outlook will not remember the password. The user clicks OK after entering the password and then sees a message indicating that the request has been sent to the Microsoft Exchange Key Management Service and that the user will be notified when the request has been processed. It may take a few minutes for the user to receive a reply from KMS.

KMS notifies the user that the certificate has been issued by sending encrypted e-mail (Figure 21-45). To open the e-mail, the user needs to enter the password created during the request process. The user is then given the option of adding the certificate to the root certificate store, which is part of Internet Explorer and is user specific (Figure 21-46).


Figure 21-45. Reply received from KMS.


Figure 21-46. Adding the certificate to the root certificate store.

NOTE
Once the certificate has been added to the root certificate store, the user is once again asked to enter the password for the certificate. If, at either point, the user clicks Cancel instead of entering the password, the entire operation will be canceled. The user will need to contact you to be reenrolled in KMS. Before doing so, you will need to revoke the user's first set of credentials.

After the user has entered the password, he or she receives an e-mail in Outlook 2000 indicating that the new certificate has been successfully installed (Figure 21-47). The certificate installs itself into the Outlook 2000 client and automatically sets the client to send clear-text, signed messages. Furthermore, as shown in Figure 21-48, the client is set up for S/MIME messaging and a 40-bit RC2 encryption algorithm.


Figure 21-47. E-mail indicating successful installation of the new certificate.

Configuring Token Distribution for Enrolled Users Under KMS

An enrollment token is a temporary password that KMS creates for every enrolling user. Users type the token in Outlook to complete the Advanced Security enrollment process. You must decide how the tokens will be distributed to your users.

To choose a token distribution method, start Exchange System and click the Advanced Security object. In the details pane, right-click Key Manager, and then choose Properties. On the Key Manager property sheet, display the Enrollment tab (Figure 21-49).


Figure 21-48. New security settings in the Outlook 2000 client.

Figure 21-49. Enrollment tab of the Key Manager property sheet.

Microsoft prefers that you deliver tokens to users in person. This method is the default and is more secure than delivering them by e-mail. If you choose to use this method, do nothing. When the token appears on your screen, you will then be responsible for recording it and delivering it to the enrolling user. To have tokens sent directly to users by e-mail, select the Send Token In An EMail check box. Figure 21-50 shows the default message that KMS sends to users. To change this message, click Customize Message.

Figure 21-50. Default message used to send tokens to users.

You have probably noticed that the default message includes %TOKEN%, which is a variable for the actual token that will be sent to the enrolling user. You can remove this placeholder so that the actual token is not sent. If you do so, you will need to deliver the token manually to the user. Note that the tokens always appear on your screen, even when you have configured KMS to deliver them via e-mail.

If you opt to send the e-mail without the token, you can use it to send customized information to your enrolling users. This information can include any special notices or instructions specific to your organization that you may want Advanced Security users to have.

Recovering Keys in KMS

There will be times when you'll need to recover a user's private key. Common scenarios include users who have been imported from another Key Management server, a user who experiences a hardware failure, and a user who forgets a password.

Users who have been imported from another Key Management server will need new keys because their certificates will have been revoked. Once they have been imported to a new Key Management server, they can still use their old keys to read old encrypted e-mail. However, those old keys are now bound to a certificate that has been placed on your CRL. Therefore, the users need new certificates and corresponding keys to create new encrypted messages. In the process of exporting and importing users, key recovery is the final step because imported users must have their keys recovered.

Recovery prevents users from losing encrypted e-mail when they lose their existing keys by forgetting their password or by having a media failure. When you recover a key, the user is issued a token. The method of delivering the recovery token is the same as the one you've chosen for delivering enrollment tokens—either by manual delivery or by e-mail. After the user enters this recovery token in Outlook, KMS creates a new key pair for the user. In addition, KMS returns all of the user's old keys. For imported users, a new encryption key pair is generated.

To recover keys for a user, start Exchange System and click Advanced Security. Right-click Key Manager, point to All Tasks, and choose Recover Keys. You are presented with the same choices you saw when enrolling users: you can recover one or more individuals' keys or recover the keys for a group of users. When the process is finished, you see a confirmation window indicating that the keys for all selected users were successfully recovered.
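The key-handling model described in this section and in "Enrolling Users with KMS" (the encryption pair generated and escrowed on the server, the signing pair generated only on the client, single-use tokens, and recovery returning every earlier encryption pair), as an added illustrative model in Python; it is not Microsoft's code, and the key material, token format and class names are constructed stand-ins.

```python
import secrets
from dataclasses import dataclass

# Constructed model of the KMS lifecycle described above; not Microsoft's code.
@dataclass(frozen=True)
class KeyPair:
    public: str
    private: str

def generate_key_pair(label: str) -> KeyPair:
    seed = secrets.token_hex(8)  # random hex stands in for real key material
    return KeyPair(f"{label}-pub-{seed}", f"{label}-priv-{seed}")

class KeyManagementService:
    """Server side: escrows encryption key pairs and never sees signing keys."""
    def __init__(self):
        self.status = {}   # user -> Token Issued / Enabled / Disabled / In Recovery
        self.tokens = {}   # user -> outstanding one-time token
        self.escrow = {}   # user -> encryption key pairs, oldest first
        self.crl = set()   # public keys of revoked certificates

    def _issue_token(self, user, new_status):
        token = secrets.token_hex(6)  # delivered in person or via the %TOKEN% e-mail
        self.tokens[user] = token
        self.status[user] = new_status
        return token

    def enroll(self, user):
        return self._issue_token(user, "Token Issued")

    def recover(self, user):
        return self._issue_token(user, "In Recovery")

    def redeem(self, user, token):
        """Outlook presents the token; KMS adds a fresh encryption pair and
        returns it together with every earlier pair it holds in escrow."""
        expected = self.tokens.get(user)
        if expected is None or not secrets.compare_digest(expected, token):
            raise PermissionError("invalid or already used token")
        del self.tokens[user]  # tokens are single use
        self.escrow.setdefault(user, []).append(generate_key_pair("enc"))
        self.status[user] = "Enabled"
        return list(self.escrow[user])

    def revoke(self, user):
        self.crl.update(kp.public for kp in self.escrow.get(user, []))
        self.status[user] = "Disabled"

def client_enroll(kms, user, token):
    """Outlook side: the signing pair is generated locally and never sent to KMS."""
    return {"signing": generate_key_pair("sig"), "encryption": kms.redeem(user, token)}
```

After a revoke-then-recover cycle the old encryption pair is on the CRL but still comes back from escrow, so old encrypted mail stays readable while new mail uses the new pair.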

Enrolling Users in Advanced Security Through Active Directory Rather Than KMS

You can enroll individual users to receive a certificate in Advanced Security through Active Directory, rather than through KMS. Enrollment through Active Directory is similar to enrolling users through KMS in the Exchange System snap-in, except that the enrollment applies only to the individual user. In addition, administrators can use Active Directory to recover and revoke keys. This is also done on a per-user basis that is similar to performing the same task in Exchange System.

One advantage of using Advanced Security in Active Directory is the additional detail that is available for each user (Figure 21-51). You can look up an individual's security status (such as Enabled, Disabled, Token Issued, or In Recovery), Key Management server, and the dates his or her certificates were activated and when they will expire.

Figure 21-51. A user's security information in Active Directory.

To enroll individuals in Advanced Security, recover or revoke their keys, or revoke a certificate through Active Directory, start Active Directory Users and Computers, highlight the Users organizational unit, and then, in the details pane, right-click the user account and choose Properties. On the Exchange Features tab, in the Features column, click E-Mail Security, and then click Properties to display the E-Mail Security property sheet.

TIP
You will be required to enter your Key Management Service password.

To enroll the user, click Enroll. If you've chosen to distribute tokens manually, the token will be displayed on your screen so that you can deliver it to the user in person. If you've chosen to distribute tokens through e-mail, click Do Not Send E-Mail to display the token on your screen only, or click Send Enrollment to send it to the user in an e-mail message.

To recover a user's key pairs, click Recover. A temporary token will be generated for the user. You can then choose to either send the token by e-mail or deliver it in person.

To revoke a user's certificates, click Revoke. You will see a confirmation message informing you that the user was disabled from e-mail security.



Microsoft Exchange 2000 Server Administrator's Companion
Year: 1999
Pages: 193