Outlook 2003 and S/MIME - wrong certificates used?

#1 June 10th, 2008, 04:59 PM posted to microsoft.public.outlook.installation
Steve Durbin

We're trying to roll out S/MIME using Certificate Services, Exchange 2007 and
Outlook 2003 - the last one is proving problematic.

If a person renews a certificate, then OWA continues to be able to send them
encrypted email fine, but Outlook 2003 doesn't pick up the new one. Hence, the
user receives an encrypted message they cannot open (they get the "digital ID not
found" error).

We cannot find a reliable way to force the new key to be used;
clearing/resetting OAB and removing old key from AD works, as does not
working in cached mode; neither is practical for us.

Can't find a known error on this - has anyone seen this and got a solution?

Thanks,
--
Steve Durbin
#2 June 11th, 2008, 11:19 AM posted to microsoft.public.outlook.installation
Emily Lin

Hi Steve,

Refer to the detailed steps in the following TechNet article to configure Outlook to use your new digital certificate, and then test the issue.

How to Configure Outlook to Use a Digital Certificate
http://technet.microsoft.com/en-us/l...EXCHG.65).aspx

What is the result? If you receive any error message, please take a screen shot of the error message and send it to me at v-
. It is very important for us to resolve the issue more efficiently. Thanks for your cooperation and patience.

To take a screen shot, please follow the steps below:
------------------------------------------------------------------
a. When the screen shows up, press the Print Screen key (to the right of the F12 key). Note: nothing will happen.
b. Open the MS Paint program (click Start menu > All Programs > Accessories > Paint).
c. Click Edit (menu) > Paste, or press Ctrl + V.
d. Click File (menu) > Save. Save it as a *.jpg file and send it to me as an attachment.

If anything is unclear or if you have any other concerns, please don't hesitate to contact me.

Regards,

Emily Lin

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
#3 June 11th, 2008, 04:16 PM posted to microsoft.public.outlook.installation
Steve Durbin

"Emily Lin" wrote:

Hi Steve,

Refer to the detail steps in the following Technet article to configure outlook to use your new digital certificate. And then test the issue.

How to Configure Outlook to Use a Digital Certificate
http://technet.microsoft.com/en-us/l...EXCHG.65).aspx


Already done that; however we have now found the error(s) and therefore how
to avoid it for the future! There are two problems:

1) The Active Directory email address is used to issue the keys, NOT the
default exchange email address as one would expect. If the two are not equal
you end up with a key that works to send but not to receive - the user can't
decrypt because Outlook looks for a key with the recipient email address and
fails to find it, giving the error noted in the first post.
2) Offline Address Book (OAB) keeps as default certificate the expired
certificate until a renewal is received. So, it may be used by senders
*after* expiry.

We found that you need to:

1) Ensure that UserSMIMECertificate is cleared in all accounts. It just
confuses things. Ban the Publish to GAL button!
2) When certs are renewed, do NOT remove old certs from AD. The old cert
continues to be used by senders until OAB has refreshed.
3) If recipient certificate expires, then OAB will still show expired
certificate as default until next refresh and users will either get errors in
encryption (portable) or send unreadable messages (OL2003). You have to wait
for OAB to be refreshed before things start working again. This suggests you
need to get users to renew well in advance of expiry.
4) Set the AD email address = default Exchange email address. PowerShell
one-liner to fix:

get-mailbox -resultsize:unlimited | where-object {$_.windowsemailaddress -ne $_.primarysmtpaddress} | foreach-object { set-mailbox $_ -windowsemailaddress:$_.primarysmtpaddress }

Cheers,
--
Steve Durbin
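
A report-only audit for the causes described in the post above, added here as an example and not code from the thread. It assumes the Exchange Management Shell (Get-Mailbox) and the ActiveDirectory module (Get-ADUser) are both loaded, and the $WarnDays threshold and the New-Finding helper are assumed names, not anything from the original.

```powershell
# Added example (not from the thread). Lists mailboxes where the AD mail
# address differs from the Exchange primary SMTP address, where
# userSMIMECertificate is populated ("Publish to GAL" was used), and where a
# published userCertificate carries a different e-mail name or is expired /
# close to expiry (the OAB keeps serving it as default until its next refresh).
# Assumes the Exchange Management Shell and the ActiveDirectory module are
# loaded; $WarnDays is an assumed threshold.
param([int]$WarnDays = 30)

$deadline = (Get-Date).AddDays($WarnDays)

function New-Finding($Mailbox, $Check, $Detail) {
    New-Object PSObject -Property @{ Mailbox = $Mailbox; Check = $Check; Detail = $Detail }
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $primary = [string]$mbx.PrimarySmtpAddress
    $windows = [string]$mbx.WindowsEmailAddress

    # Cause 1: the key is issued to the AD mail address, but Outlook looks the
    # key up by the recipient (primary SMTP) address, so the two must match.
    # -ne on strings is case-insensitive, which is what we want for addresses.
    if ($windows -ne $primary) {
        New-Finding $mbx.Alias 'AddressMismatch' "AD=$windows Exchange=$primary"
    }

    $ad = Get-ADUser -Identity $mbx.SamAccountName -Properties userCertificate, userSMIMECertificate

    if ($ad.userSMIMECertificate.Count -gt 0) {
        New-Finding $mbx.Alias 'UserSMIMECertificateSet' "$($ad.userSMIMECertificate.Count) value(s); clear it"
    }

    foreach ($der in $ad.userCertificate) {
        # userCertificate holds DER-encoded X.509 certificates.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
        $certMail = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)

        if ($certMail -and $certMail -ne $primary) {
            New-Finding $mbx.Alias 'CertEmailMismatch' "cert=$certMail Exchange=$primary"
        }
        # Cause 3: renew well before expiry, because senders keep using the
        # OAB's default certificate until the OAB has refreshed.
        if ($cert.NotAfter -lt $deadline) {
            New-Finding $mbx.Alias 'CertExpiringOrExpired' "$($cert.Thumbprint) NotAfter=$($cert.NotAfter)"
        }
    }
}

$report | Sort-Object Mailbox, Check | Format-Table Mailbox, Check, Detail -AutoSize
```

Run it before the Set-Mailbox one-liner above so the scope of the change is known, and rerun after the next OAB refresh to confirm the expiring-certificate findings clear.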

#4 June 12th, 2008, 08:40 AM posted to microsoft.public.outlook.installation
Emily Lin

Hi Steve,

Thank you so much for sharing the information about how you fixed the issue. If you have any other questions or concerns, please do not
hesitate to contact us. It is always our pleasure to be of assistance.

Have a nice day!

Emily Lin,
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from this issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.