How to Fix Edge S/MIME for Air Force OWA: Reading and sending encrypted e-mail, and applying/validating digital signatures - AF.mil (2024)

For info on how to setup a CAC on a home computer go to:https://public.cyber.mil/pki-pke/end-users/getting-started/ How to Fix Edge S/MIME for Air Force OWA: Reading and sending encrypted e-mail, and applying/validating digital signatures 9/9/2019 OPR: AFNIC/CHES Contact: AFNIC.NT.CP@us.af.mil DSN (312) 779-5844/+1 (618) 229-5844 Document source location: https://cs2.eis.af.mil/sites/10007/internal/SMime%20Library/Forms/AllItems.aspx

TABLE OF CONTENTSSection PageTABLE OF CONTENTS ................................................................................................................ 21 INTRODUCTION ................................................................................................................... 3 1.1 Purpose ............................................................................................................................. 3 1.2 Background ...................................................................................................................... 3 1.3 Scope ................................................................................................................................ 3 1.4 System Requirements ....................................................................................................... 32 PROCEDURES ....................................................................................................................... 4 2.1 Download Edge S/MIME Extension v20.19.701.1 .......................................................... 4 2.1.1 For home computers ..................................................................................................... 4 2.1.2 For work computers ...................................................................................................... 4 2.2 Install or Update Edge S/MIME Extension...................................................................... 6 2.2.1 For home computers ..................................................................................................... 6 2.2.2 For work computers ...................................................................................................... 7 2.3 Configure Edge S/MIME Extension ................................................................................ 9 2.4 Test S/MIME Functionality in AF OWA ....................................................................... 11

1 INTRODUCTION1.1 PurposeThe primary purpose of this document is to provide the procedures taken to update S/MIME forthe Microsoft Edge web browser in order for Air Force Outlook on the web (AF OWA) users toread/send encrypted e-mail and apply/validate digital signatures.1.2 BackgroundThe capability to read/send encrypted e-mail and apply/validate digital signatures on e-mailusing AF OWA has been degraded for some time. Focused troubleshooting has uncovered thatthe S/MIME version that is available on the AF OWA website is not current. Microsoft is in theprocess of officially updating this through their DoD release process, however AFNIC, incooperation with many partners, has found a fix specifically for Microsoft Edge.1.3 ScopeThis document will provide AF OWA users a fix for S/MIME on Microsoft Edge for both homeand work computers.  External AF OWA website (e.g. home, hotel, school): https://owa.us.af.mil/  Internal AF OWA website (e.g. work, AFNet VPN): https://webmail.apps.mil/owa/1.4 System Requirements  Microsoft Edge web browser installed  DoD root certificates installed (https://public.cyber.mil/pki-pke/end-users/getting-started/)  CAC  Smart card reader  Middleware (if necessary, depending on your operating system)

2 PROCEDURES2.1 Download Edge S/MIME Extension v20.19.701.1Follow these steps to download the S/MIME extension for Microsoft Edge:2.1.1 For home computersUsers can download the S/MIME extension at this link:https://ow2.res.office365.com/owasmime/20.19.701.1/OwaSmimeEdgeExtension.appxbundle. If thelink for some reason does not work, users can download a copy from the AFNIC EnterpriseServices SharePoint at this link (use your e-mail certificate):https://cs2.eis.af.mil/sites/10007/internal/SMime%20Library/Forms/AllItems.aspx and select the “Non-AFNet_Computer” folder.To download, click the ellipses in both menus and select “Download a copy” (as depicted below)to save the file to the Downloads folder on your computer. Go to Section 2.2 to continue.2.1.2 For work computersApplies to computers with the AFNet SDC image. An administrator with elevated permissionswill be needed to properly download and install/update S/MIME. This mainly applies to userswith work computers in a non-AFNet environment (e.g. school on .edu domain). NOTE: AFNet-connected computers will receive an enterprise update that will automatically install the required files, so users will not need to coordinate with their local administrators to download and install S/MIME. However, users will want to ensure that S/MIME is configured correctly and test the

functionality for themselves (refer to Sections 2.3 and 2.4 below), and coordinate with their communications focal point (CFP) if they encounter issues.Administrators can copy the required files/folders from \\VEJX-AS-006v\SMIME\AFNET_Computer_LocalAdminRequired\. If unable to access the shared drivelocation, administrators can download a copy from the AFNIC Enterprise Services SharePoint atthis link (use e-mail certificate):https://cs2.eis.af.mil/sites/10007/internal/SMime%20Library/Forms/AllItems.aspx and select the“AFNet_Computer_Local_Admin_Required” folder.Administrators will need to copy all five (5) files to the desktop of the user using AF OWA.Once downloaded, continue to Section 2.2.

2.2 Install or Update Edge S/MIME ExtensionFollow these steps to install or update the S/MIME extension for Microsoft Edge:2.2.1 For home computers1. Navigate to the Downloads folder on your computer. NOTE: If for some reason the downloaded file saved as a .zip instead of .appxbundle, users will need to rename the file by clicking the View tab in the folder window and checking the box for “File name extensions” on the right (as depicted below). Right-click on the file, select Rename, and replace the “.zip” with “.appxbundle” and hit Enter to change the file name extension (click Yes if prompted).2. Double-click on the OwaSmimeEdgeExtension appxbundle file to initiate the install/update.If prompted “How do you want to open this file?”, choose “App Installer” and click OK (asdepicted below).

3. A pop-up window will appear asking you to install or update S/MIME Control for Outlook.4. Click Install or Update to complete the install/update process, and continue to Section 2.3.2.2.2 For work computers1. Log in as administrator.2. Enable sideloading: This can be done through the GUI in Windows 10 as local admin ormodified in the registry. Always default to making this change with the GUI, however, if you donot have local admin rights to the computer, someone who does can add the following registrykeys, in subsection b, remotely using regedit (recommend removing these after setup): a. GUI method: Navigate to Start Menu > Settings > Update & Security. Select “For developers” on the left-side and select the “Sideload apps” radio button. b. Registry key method:  HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModeUnlock, AllowAllTrustedApps (DWORD) with value of 1  HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModeUnlock, AllowDevelopmentWithoutDevLicense (DWORD) with value of 0 and close regedit

3. If the computer is connected to the AFNet, you will need to modify the following registry keyas local admin to disable SmartScreen so the OwaSmimeEdgeExtension file can run withouterror:  HKLM:\SOFTWARE\Policies\Microsoft\Windows\System, change EnableSmartScreen DWORD value to 0, click OK and close regedit4. Have the user log back into the computer.5. Open and install the Microsoft.NET.Native.Framework.1.3 &Microsoft.NET.Native.Runtime.1.4 files in both the DotNetNative_x64 and DotNetNative_x86subfolders—a total of four (4) files will be installed.6. Double-click on the OwaSmimeEdgeExtension appxbundle file to initiate the install/update.If the previous steps were followed, no errors should be presented. Continue to Section 2.3.

2.3 Configure Edge S/MIME ExtensionFollow these steps to correctly configure the S/MIME extension in Microsoft Edge:1. Click on the Start button and open Microsoft Edge. It may be already pinned to the StartMenu on the right-side (as depicted below) or you may have to navigate to it in the programs liston the left-side.2. Click on the ellipses on the top-right of the window.3. Select “Extensions” from the menu.4. Move your mouse over the “Microsoft S/MIME Control” until the settings cog icon appears,then click it.5. In the “About” section, ensure that your version reflects “20.19.701.1” and that the toggle isset to On.6. Click “Options” to add the necessary AF OWA domains:

a. Check both boxes and add “owa.us.af.mil” and “webmail.apps.mil” on separate lines in the text box (as depicted below). b. Click Save and you will notice green text appearing to inform you your changes were saved successfully.7. Close Microsoft Edge. NOTE: Unsigned extensions are automatically turned off on subsequent launches of Microsoft Edge. If you see the pop-up below when you open Microsoft Edge, click “Turn on anyway” to use S/MIME, or go to the Extensions menu and turn it on from there.

2.4 Test S/MIME Functionality in AF OWAFollow these steps to test that S/MIME is properly configured and working as intended: NOTE: Users may be prompted multiple times to enter their PIN while using OWA, when opening an encrypted or digitally signed message, and/or when sending an encrypted or digitally signed message. This is normal.1. Ensure that you have network connectivity.2. Launch Microsoft Edge.3. Access the appropriate AF OWA URL (External AFNet: https://owa.us.af.mil; InternalAFNet: https://webmail.apps.mil/owa/). NOTE: When logging into AF OWA for the first time on a computer, you may be prompted to login using your Air Force e-mail address (i.e. first.last@us.af.mil or first.last.#@us.af.mil).4. If prompted for login certificates, use your e-mail certificate (i.e. DOD EMAIL CA-##).5. Read and click OK at the DoD Warning and Consent Banner screen. Be patient, it may take amoment for your mail to populate.6. Test reading a signed/encrypted e-mail without errors: If you see S/MIME isn't supported in thisview. To view this message in a new window, click here, click the link and the message will open in anew browser window and be viewable. NOTE: By default, messages are viewed on the right side in Conversations. To easily view encrypted e-mail messages, you can change your view mode to Messages. Click “Filter” at the top of the Inbox, move down the menu to “Show as” and select Messages instead of Conversations.7. Test sending a signed/encrypted e-mail without errors: a. Click on +New to start a new e-mail message. b. Click on the ellipses above the new e-mail message for more options and choose “Show message options…” from the menu.

c. Check the boxes for “Encrypt this message (S/MIME)” and “Digitally sign thismessage (S/MIME)” and click OK.d. Complete the rest of your message (fill in To, Subject, etc.) and click Send.e. Follow up with the person the e-mail was sent to ensure they received it.