KMS uses Active Directory to enroll users in Advanced Security individually, by group, by Exchange administrative group, or by server. The administrator password is required only once per enrollment.
When users are enrolled, KMS requests certificates on their behalf from Certificate Services. The certificates are then used to create two key pairs for every user. One key pair is for digital signatures (created on the client) and the other is for e-mail encryption (created on the Key Management server). The private digital signature keys are stored on the user's computer: Outlook 97 and older clients store their private keys in an encrypted .epf file, Outlook 98 users keep their keys in an Internet Explorer protected store, and Outlook 2000 users store their private keys in the registry. In all cases the private keys are securely encrypted, and are available only to the designated user.
The corresponding certificates, which contain the public keys, are kept in Active Directory as an attribute of the user object.
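An added example, not from the original page: this PowerShell audit enumerates the certificates published to Active Directory and checks that each user has a valid certificate for both key pairs, one carrying the Digital Signature key usage (the client-generated signing pair) and one carrying Key Encipherment (the server-generated e-mail encryption pair). It assumes the certificates sit in the standard userCertificate attribute, that the script runs on a domain-joined machine with read access to user objects, and the function name Get-KmsEnrollmentReport is invented.

```powershell
# Added example (not the page's or Microsoft's code): audit KMS-published certificates in AD.
# Assumptions: certificates are stored in the standard userCertificate attribute; the script
# runs on a domain-joined machine with read access to user objects.
Add-Type -AssemblyName System.DirectoryServices

function Get-KmsEnrollmentReport {
    $root     = New-Object System.DirectoryServices.DirectoryEntry   # default naming context
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(userCertificate=*))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('userCertificate')

    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $now   = Get-Date

    foreach ($result in $searcher.FindAll()) {
        $user    = $result.Properties['samaccountname'][0]
        $hasSign = $false
        $hasEnc  = $false

        foreach ($raw in $result.Properties['usercertificate']) {
            # Each value is the DER-encoded certificate that KMS placed on the user object.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        -ArgumentList (,[byte[]]$raw)
            $ku = $cert.Extensions |
                  Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
                  Select-Object -First 1 |
                  ForEach-Object { $_.KeyUsages }
            $expired = $cert.NotAfter -lt $now

            # A user is correctly enrolled only when both key pairs have an unexpired certificate.
            if ($ku -band $flags::DigitalSignature) { $hasSign = $hasSign -or (-not $expired) }
            if ($ku -band $flags::KeyEncipherment)  { $hasEnc  = $hasEnc  -or (-not $expired) }

            [pscustomobject]@{
                User       = $user
                Subject    = $cert.Subject
                KeyUsage   = "$ku"
                NotAfter   = $cert.NotAfter
                Expired    = $expired
                Thumbprint = $cert.Thumbprint
            }
        }

        if (-not $hasSign -or -not $hasEnc) {
            Write-Warning "$user lacks a valid signing or encryption certificate in Active Directory"
        }
    }
}

Get-KmsEnrollmentReport | Format-Table -AutoSize
```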
Note: To enroll older clients that only support the Exchange 4.0/5.0 message security format, you will have to choose to issue