Share via


OABInteg and certificate testing

I just have finished a new code path for OABInteg that will now allow you to do a proactive scan against your active directory to see what your mail enabled objects look like when it comes to certificates. This should help you to eliminate certificates from your active directory so you can reduce your OAB's overall size.

Currently there are three attributes that ship with Windows 2003 and Exchange 2003 that can store user certificates: userCert, userCertificate, and userSMIMECertificate.

Information on Certificates

  • userCert - UserCert is a single valued attribute that stores the old Nortel style certificates used long ago with Key Management Server for Exchange (KMS).
  • userCertificate -  Exchange and Outlook use it to store DER encoded X.509 e-mail certificates, and Windows uses it to store the public keys for logon, EFS and other such keys.
  • userSMIMECertificate - UserSMIMECertificate is used only by Exchange and Outlook for PKCS-7 encoded e-mail certificates and all certificates stored here are supposed to be usable for e-mail.

For the full blog on OAB certificate filtering please see: https://msexchangeteam.com/archive/2005/07/25/408188.aspx. This can be ran from an Outlook client however the filtering settings will be set to the default and if you run this on the Exchange server it will detect the OAB certificate registry key and give you a more accurate test. To run the test you can run the following command: [OABInteg /s:srvname /t:certtest /v:2 /l] (/l will create a c:\oabinteg.txt file for logging purposes). Here is what the output looks like when you run this test:

Processing Address Book Entry #1 of 50.
Display Name = Test User
No certificate found.

Processing Address Book Entry #2 of 50.
Display Name = Test User
Certificate is enhanced for email.

Processing Address Book Entry #3 of 50.
Display Name = Test User
Certificate is ok for email.
Certificate is ok only for email.
Certificate is enhanced but not for email.
We are filtering certificates so this certificate was filtered out.

Processing Address Book Entry #4 of 50.
Display Name = Test User
Certificate is ok for email.
Certificate is ok only for email.
Certificate is enhanced but not for email.

NOTE: The following entry indicates that the object has multiple certificates in the active directory.

Processing Address Book Entry #5 of 50.
Display Name = Test
Certificate is ok for email.
Certificate is ok only for email.
Certificate is enhanced but not for email.
We are filtering certificates so this certificate was filtered out.
Certificate is ok for email.
Certificate is ok only for email.
Certificate is enhanced but not for email.
We are filtering certificates so this certificate was filtered out.
Certificate is ok for email.
Certificate is ok only for email.
Certificate is enhanced but not for email.
We are filtering certificates so this certificate was filtered out.

Rest of users removed for readability....

Scan Finished
Total certificates filtered - 1303
Total certificates included in the OAB - 57
Total invalid certificates found - 0
Total expired certificates found - 146
Total certificates found that are not signed - 0
Total certificates with invalid usage - 1
Total enhanced certificates found - 1227
Total email certificates found - 1227
Total email enhanced certificates found - 128
Total invalid enchanged certificates found - 1
Total expired certificates found - 71
Total certificates with invalid bahaviour found - 0
Total objects without certificates - 6358

OABInteg-Admin_03:55:25 PM profile was found and deleted from the Windows Messaging Subsystem.

Logoff of profile successful.
Closing MAPI session.
The MAPI subsystem was un-initialized successfully.

Performing cleanup.
Exiting application.

OABInteg-Admin_03:40:53 PM profile was found and deleted from the Windows Messaging Subsystem.

You can download the latest version of OABInteg from here: https://code.msdn.microsoft.com/oabinteg

Dave

Comments