Key Management Service In Exchange 2000 Server

The Basics

The Key Management Service (KMS) in Exchange 2000 Server is one of its best and most often overlooked features. Because Exchange 2000 Server integrates natively with Windows 2000 Server, the KMS inherits many of the benefits that Windows 2000 brings to the table, which makes it well worth a look.
The KMS uses Windows 2000 Server Certificate Services natively, so it needs no additional Certification Authority (CA) to do its job. The Windows 2000 CAs take care of all certificate issuance and revocation, including keeping the certificate revocation list (CRL) current. KMS can use any Enterprise CA in your domain, so if one CA is busy, KMS simply moves on to the next CA and tries that one instead. Remember that in Windows 2000, Certificate Services can be configured as a subordinate of an external third-party CA, such as VeriSign, which can lend greater credibility to your certificates (especially when they are viewed by people outside your organization).
When a user is enrolled in Advanced Security (that is, issued digital certificates through the KMS), the KMS generates a key pair and has Windows 2000 Certificate Services issue a certificate for it. The public key travels in that certificate, which is stored in Active Directory and available to anyone; the private key is kept in an encrypted database on the Key Management Server and can be used only by the user to whom it was issued. The certificate is what permanently binds the key pair to that user. It is important to note that two key pairs are actually created when a user is enrolled for Advanced Security:

  • The first pair is generated by the Key Management Server and is used for message encryption. Because the KMS keeps a copy of this private key, it can be recovered later if the user loses it.
  • The second pair is generated by the Outlook client and is used for digitally signing messages. The signing private key is not archived by the KMS, which is what lets a signature stand for the user alone.


KMS on the job

Using KMS, your Exchange 2000 users have two powerful tools at their fingertips for keeping their communications safe and secure: KMS lets them encrypt and digitally sign messages.
When a user enrolled in Advanced Security sends an encrypted message, Outlook encrypts the message body with a one-time symmetric content key (one of the algorithms listed at the end of this article) and then encrypts that content key with the recipient's public key (remember, this is stored in Active Directory and therefore available to every domain user). Only the holder of the matching private key can unwrap the content key, so only the intended recipient can read the message; a message sent to several recipients simply carries one copy of the content key wrapped for each of them. In this way, email encryption ensures that no one other than the intended recipients can read the message.
When a message is digitally signed, the sender's own private key is used to sign a hash of the message. The recipient then uses the sender's public key, taken from the sender's certificate, to verify that signature: the two halves of the key pair match up and confirm the identity of the signer. Through this, the recipient can have a high degree of certainty that the message came from the sender. As an added bonus, because the signature is computed over the content of the message, a signature that verifies also proves the message arrived intact, exactly as it was sent. A digitally signed message cannot be altered in transit, even by a single byte, without the signature failing to verify. In that sense a digital signature binds the signer to the exact content as firmly as a signature in ink on paper, with the caveat that the binding is only as strong as the protection of the signing private key and the password that guards it.
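The flow described in the two paragraphs above, together with the two-key-pair split from The Basics, as an added example that is not code from this article, from Exchange or from Outlook. Everything in it is a stand-in: the class and function names are invented, textbook RSA over 192-bit primes replaces the CAPI key pairs, a SHA-256 keystream replaces DES/3DES/RC2 as the content cipher, and the sample message is constructed. What it shows that the prose does not: the content key is what actually encrypts the body and the recipient's public key only wraps that key; a one-byte change in transit still decrypts but fails the signature check; and the KMS archive can recover (and read) encrypted mail yet cannot produce a signature that verifies against the user's signing certificate.

```python
"""Toy model of the Exchange 2000 KMS key split and an S/MIME-style message.
Added illustration (Python 3.8+), not Exchange or Outlook code; not safe to reuse."""
import hashlib
import secrets

SIG_LEN = 48  # bytes: 384-bit toy modulus, so a SHA-256 digest is always below n

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test; callers always pass odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def rsa_keypair(bits=8 * SIG_LEN, e=65537):
    """Textbook RSA with no padding (stand-in for CAPI keys): ((n, e), (n, d))."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1  # odd, top bit set
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _keystream_xor(key, nonce, data):
    """Symmetric content-cipher stand-in for DES/3DES/RC2; XOR, so it also decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class KeyManagementServer:
    """KMS role: generates and archives encryption pairs and publishes public keys
    (as AD publishes certificates); it never holds a signing private key."""
    def __init__(self):
        self.archive, self.directory, self.signing_certs = {}, {}, {}
    def enroll(self, user, signing_public):
        public, private = rsa_keypair()  # encryption pair, generated server-side
        self.archive[user] = private  # encrypted KMS database; what Recover Keys returns
        self.directory[user] = public  # userCertificate in Active Directory
        self.signing_certs[user] = signing_public  # CA-issued signing certificate
        return private  # real KMS: sent back in the token-protected reply mail

def seal(kms, sender, sign_priv, recipient, plaintext):
    """Sign with the sender's private key, then envelope for the recipient."""
    sn, sd = sign_priv
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    signature = pow(digest, sd, sn).to_bytes(SIG_LEN, "big")
    content_key, nonce = secrets.token_bytes(16), secrets.token_bytes(8)
    rn, re_ = kms.directory[recipient]  # recipient's public key, looked up in AD
    wrapped = pow(int.from_bytes(content_key, "big"), re_, rn)  # one per recipient
    body = _keystream_xor(content_key, nonce, signature + plaintext)
    return {"from": sender, "wrapped_key": wrapped, "nonce": nonce, "body": body}

def open_message(kms, enc_priv, message):
    """Unwrap the content key, decrypt, verify. Returns (plaintext, signature_ok)."""
    n, d = enc_priv
    content_key = pow(message["wrapped_key"], d, n).to_bytes(16, "big")
    signed = _keystream_xor(content_key, message["nonce"], message["body"])
    signature, plaintext = signed[:SIG_LEN], signed[SIG_LEN:]
    sn, se = kms.signing_certs[message["from"]]  # sender's public signing key
    expected = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    return plaintext, pow(int.from_bytes(signature, "big"), se, sn) == expected

def demo():
    kms = KeyManagementServer()
    alice_sign_pub, alice_sign = rsa_keypair()  # Outlook generates the signing pair...
    kms.enroll("alice", alice_sign_pub)  # ...the KMS generates the encryption pair
    bob_enc = kms.enroll("bob", rsa_keypair()[0])
    original = b"Q3 numbers attached"  # constructed sample message
    message = seal(kms, "alice", alice_sign, "bob", original)
    text, ok = open_message(kms, bob_enc, message)
    # Flip the last ciphertext byte: Bob still decrypts, but the signature fails.
    body = message["body"]
    tampered = dict(message, body=body[:-1] + bytes([body[-1] ^ 1]))
    _, ok_tampered = open_message(kms, bob_enc, tampered)
    # Lost key: the archived copy reads old mail (and so can anyone who opens the KMS DB).
    text2, ok2 = open_message(kms, kms.archive["bob"], message)
    # Nothing archived signs as Alice: her encryption key does not verify as her signing key.
    forged = seal(kms, "alice", kms.archive["alice"], "bob", b"Wire the money")
    _, ok_forged = open_message(kms, bob_enc, forged)
    return {"delivered": text == original and ok, "tamper_detected": not ok_tampered,
            "recovered": text2 == original and ok2, "forgery_rejected": not ok_forged}
```

Run `demo()` to get all four flags as True. The signature is placed inside the envelope (sign, then encrypt), which is the S/MIME layering Outlook uses and keeps the hash of the plaintext out of an eavesdropper's reach; the `archive` dictionary is the model of the encrypted KMS database, and the last two cases are why its startup and administrator passwords deserve the care the installation steps below give them.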

Putting KMS to work
In order to use the KMS, you need at least one Certification Authority on your network, an Enterprise Root CA at a minimum. Ideally, you should have one Enterprise Root CA and one or more Enterprise Subordinate CAs. These must be in place before you attempt to install the KMS.
The process for using the KMS from start to finish is as follows:

  1. Install at least one Certification Authority on your network as follows:
    1. Select Certificate Services on the Windows Components page of the Add/Remove Programs applet in Control Panel.
    2. Click Yes after reading the warning that the computer must not be renamed once Certificate Services is installed, then click Next to start the process.
    3. If this is the first CA in your Active Directory domain, select Enterprise root CA. If it is the second (or later) CA in your domain, you can select Enterprise subordinate CA. Make your selection and click Next to continue.
    4. Fill in the required information on the CA Identifying Information page and click Next to continue. Click Next to accept the default locations for the database and log (or change them as desired). Click OK to let the Wizard stop IIS so that it can install Certificate Services. You may be prompted at this point to insert your Windows 2000 CD-ROM.
    5. Click Finish when the Wizard is done, then click Close to close the Add/Remove Programs applet.
  2. Ready the system to install the KMS as follows:
    1. From the Certification Authority snap-in, expand the node under one of your CAs and right-click on the Policy Settings folder. Select New > Certificate To Issue. While holding down the CTRL key, select the following templates, as shown in Figure 1:
      1. Enrollment Agent (Computer)
      2. Exchange User
      3. Exchange Signature Only

Figure 1 – Selecting templates for the Certificate Authority.

  3. Install the Key Management Service (or install it as part of the initial Exchange 2000 Server installation):
    1. On the Component Selection screen of the installation Wizard, select the Key Management Service and click Next.
    2. On the next page, select the administrative group the KMS will belong to and click Next to continue.
    3. The next page, shown in Figure 2, presents a hard choice: how to handle the KMS startup password. This is the password the service needs to unlock its encrypted key database every time it starts, which makes it the most sensitive secret the KMS has; nowhere else in Windows is a password treated quite this seriously. You can have Setup save the password to a file, in which case the service can start unattended but whoever holds that file holds the keys to the database, or you can choose manual entry, in which case an administrator must type the password each time the service starts. Manual entry is clearly the more secure option, but it is a genuine nuisance to live with. If you save the password to a file, keep it on removable media locked away from the server rather than on the server's own disk. Make your selection and click Next to continue.
    4. Click Next on the following screen to actually start installing the KMS (and any other components you selected). The Wizard now installs and sets up the KMS.

Figure 2 – Selecting how to handle the KMS password.

  4. After you have finished installing the KMS, you can proceed to enroll users as follows:
    1. Click Advanced Security (under the applicable administrative group node). Start the Key Management Service by right-clicking it and selecting All Tasks > Start Service. You will be asked either to type the KMS startup password you chose to enter manually or to supply the location of the file where Setup saved it.
    2. Right-click Key Manager and select Properties. You will have to enter the KMS administrator password, which by default is simply password, so change it before you do anything else. You will be asked for the administrator password every time you perform an action or change tabs in the Properties window, so get used to it. Switch to the Administrators tab and click Change Password…, which brings up the window shown in Figure 3. Supply your old password and a new password and click OK.

Figure 3 – Changing the KMS Administrator password.

    3. Now switch to the Enrollment tab. For users to receive their certificate enrollment tokens by email, select Send token in an e-mail. You can customize the message if you wish. Click OK to close the Properties window.
    4. The next thing you will want to do is configure the encryption algorithms that KMS will use. They are presented in the tables at the end of this article.
    5. The next step is to enroll users. Do this by again right-clicking Key Manager and selecting All Tasks > Enroll Users. You can find users through a global address list, or choose to display stores, servers and administrative groups. If you are enrolling only a small number of users, the first option is better; for a large number of users, use the second. Make your selection and click OK to continue. In my example I enroll just two users, as shown in Figure 4. After selecting the users, I click Enroll to finish this step, then click OK to confirm they have been enrolled.

Figure 4 – Enrolling users—in small numbers.

  5. At this point the focus shifts to the user, who completes the enrollment as follows:
    1. The user now has an email in their inbox, as shown in Figure 5, carrying the enrollment token and directions on how to obtain their KMS-issued certificates. After the user has completed the process, they see a confirmation window as shown in Figure 6. Now they just have to wait for the certificates to be issued.

Figure 5 – The KMS sends out the enrollment token.

Figure 6 – The process is complete, now we wait for the request to be processed.

    2. After a short period of time, a new email arrives, as shown in Figure 7. The user opens it by supplying the password they chose when requesting the certificate. After entering the password and clicking OK, they see the window shown in Figure 8. Clicking Yes, entering the password again and clicking OK completes the process: the message from the Exchange server is displayed and the certificate is installed and ready for use.

Figure 7 – The Exchange server replies with the new certificate token.

Figure 8 – Installing the certificate into the root store.

    3. Users should then be instructed to configure their Outlook security settings as shown in Figure 9. Figure 10 shows the completed certificate, issued almost completely painlessly. Note that the user's password will be required each time they send or read secured messages.

Figure 9 – Configuring Outlook to use the new certificate.

Figure 10 – The newly issued certificate.

KMS caveats
Unlike a certificate issued directly by Windows 2000 Certificate Services, which keeps no copy of the user's private key (so a lost key there is simply lost), a private key issued through the KMS can be recovered, because the KMS archives every encryption private key it generates in its encrypted database. The KMS Administrator simply right-clicks Key Manager, selects All Tasks > Recover Keys and chooses the users whose keys need to be recovered. Those users then receive an email from the Key Management Server (like the one in Figure 7) and complete the same steps outlined for the user above; Outlook generates a fresh signing key pair during this re-enrollment, since signing keys are never archived. The flip side of this convenience is that whoever can open the KMS database can read every enrolled user's encrypted mail, which is why the startup password, the administrator password and the server itself deserve the same protection as the mail they guard.

KMS supports a variety of encryption algorithms that can be configured for your clients, as applicable, based on both your geographical location and the version of the Outlook client in use. These are configured by right-clicking Encryption Configuration, selecting Properties and switching to the Algorithms tab (shown in Figure 11). The 40-bit and 56-bit options exist only because of the export rules in force when Exchange 2000 shipped: a 40-bit key can be brute-forced on a single machine, and 56-bit DES had already been broken publicly by 1998, so use 3DES wherever your clients and location allow it. You have the following options available:

  • If you have users running Outlook 97 or older, select an algorithm under Microsoft Exchange 4.0/5.0 encryption:

    Algorithm   Availability          Description
    DES         North America only    Data Encryption Standard, 56-bit key; the default selection for content encryption.
    CAST-64     North America only    CAST with a 64-bit key.
    CAST-40     Everywhere            Same cipher as CAST-64 with the key shortened to 40 bits, for use outside North America.

  • If you have users running Outlook 98 or later, select an algorithm under S/MIME encryption:

    Algorithm   Availability          Description
    3DES        North America only    Triple DES; the strongest encryption available in Exchange and the recommended option. The default for S/MIME.
    DES         North America only    Data Encryption Standard, 56-bit key, used for content encryption.
    RC2-128     North America only    RC2 with a 128-bit key. Messages encrypted with 128-bit keys take somewhat more processing to decrypt.
    RC2-40      Everywhere            Same cipher as RC2-128 with the key shortened to 40 bits, for use outside North America.


Wrapping it up

Hopefully I have been able to show you the power, ease and flexibility that the Exchange 2000 Server Key Management Service can bring to your organization. Leveraging the security and simplicity of management already built into Windows 2000 Server, KMS is an ideal solution for maintaining the security and confidentiality of your Exchange users' email traffic.

Will Schmied
MCSE (Windows 2000)
