#1
Outlook 2003 and S/MIME - wrong certificates used?
We're trying to roll out S/MIME using Certificate Services, Exchange 2007 and Outlook 2003 - the last one is proving problematic. If a person renews a certificate, then OWA continued to be able to send them encrypted email fine, but Outlook 2003 doesn't pick up the new one. Hence, the user receives an encrypted message they cannot open (they get the "digital ID not found" error).

We cannot find a reliable way to force the new key to be used; clearing/resetting the OAB and removing the old key from AD works, as does not working in cached mode; neither is practical for us. Can't find a known error on this - has anyone seen this and got a solution?

Thanks,
-- Steve Durbin
#2
Outlook 2003 and S/MIME - wrong certificates used?
Hi Steve,
Refer to the detailed steps in the following TechNet article to configure Outlook to use your new digital certificate, and then test the issue.

How to Configure Outlook to Use a Digital Certificate
http://technet.microsoft.com/en-us/l...EXCHG.65).aspx

What is the result? If you receive any error message, please take a screen shot of the error message and send it to me at v- . It is very important for us to resolve the issue more efficiently. Thanks for your cooperation and patience.

How to take a screen shot, please follow the steps below:
a. When the screen shows up, press the Print Screen key (right of the F12 key). Note: nothing will happen.
b. Open the MS Paint program (click Start menu, All Programs, Accessories, Paint).
c. Click Edit (menu) - Paste, or press Ctrl + V.
d. Click File (menu) - Save. Save it as a *.jpg file and send it to me as an attachment.

If anything is unclear or if you have any other concerns, please don't hesitate to contact me.

Regards,
Emily Lin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
This posting is provided "AS IS" with no warranties, and confers no rights.
#3
Outlook 2003 and S/MIME - wrong certificates used?
"Emily Lin" wrote:
Hi Steve, Refer to the detail steps in the following Technet article to configure outlook to use your new digital certificate. And then test the issue. How to Configure Outlook to Use a Digital Certificate http://technet.microsoft.com/en-us/l...EXCHG.65).aspx

Already done that; however we have now found the error(s) and therefore how to avoid it for the future!

There are two problems:
1) The Active Directory email address is used to issue the keys, NOT the default Exchange email address as one would expect. If the two are not equal you end up with a key that works to send but not to receive - the user can't decrypt because Outlook looks for a key with the recipient email address and fails to find it, giving the error noted in the first post.
2) The Offline Address Book (OAB) keeps the expired certificate as the default certificate until a renewal is received. So, it may be used by senders *after* expiry.

We found that you need to:
1) Ensure that UserSMIMECertificate is cleared in all accounts. It just confuses things. Ban the Publish to GAL button!
2) When certs are renewed, do NOT remove old certs from AD. The old cert continues to be used by senders until the OAB has refreshed.
3) If a recipient certificate expires, then the OAB will still show the expired certificate as default until the next refresh, and users will either get errors in encryption (portable) or send unreadable messages (OL2003). You have to wait for the OAB to be refreshed before things start working again. This suggests you need to get users to renew well in advance of expiry.
4) Set the AD email address = default Exchange email address. PowerShell one-liner to fix:

    get-mailbox -resultsize:unlimited | where-object {$_.windowsemailaddress -ne $_.primarysmtpaddress} | foreach-object { set-mailbox $_ -windowsemailaddress:$_.primarysmtpaddress }

Cheers,
-- Steve Durbin
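An added audit script (not from the thread, Steve, or Microsoft) that checks the conditions listed above directly in Active Directory: mail (WindowsEmailAddress) differing from the primary SMTP address, a populated userSMIMECertificate, and published userCertificate entries that are expired, close to expiry, or issued to a different address than the one senders look up. It assumes a domain-joined Windows host with read access to user objects and is saved as a .ps1; the 30-day warning threshold is the example's own choice.

```powershell
# Added audit script, not from the thread. Assumes a domain-joined Windows host
# (PowerShell 2.0+ with .NET System.DirectoryServices) and read access to user objects.
param([int]$WarnDays = 30)   # constructed threshold: flag certs expiring within this many days

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(mail=*))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(
    @("sAMAccountName", "mail", "proxyAddresses", "userCertificate", "userSMIMECertificate"))

$now = Get-Date
$results = $searcher.FindAll()
foreach ($result in $results) {
    $p    = $result.Properties
    $sam  = [string]$p["samaccountname"][0]
    $mail = [string]$p["mail"][0]        # the AD address the CA places in the certificate
    # The primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix.
    $primary = @($p["proxyaddresses"] | Where-Object { $_ -clike "SMTP:*" } |
                ForEach-Object { $_.Substring(5) })
    $issues = @()

    # Problem 1 from the thread: AD mail differs from the primary SMTP address.
    if ($primary.Count -gt 0 -and $mail -ne $primary[0]) {
        $issues += "mail '$mail' != primary SMTP '$($primary[0])'"
    }
    # Step 1 from the thread: userSMIMECertificate should be empty (Publish to GAL fills it).
    if ($p["usersmimecertificate"].Count -gt 0) { $issues += "userSMIMECertificate is populated" }

    foreach ($der in $p["usercertificate"]) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList (,[byte[]]$der)
        $certMail = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
        $daysLeft = ($cert.NotAfter - $now).Days
        # Problem 2 / step 3: an expired or nearly expired cert is still what the OAB will hand out.
        if ($cert.NotAfter -lt $now) { $issues += "expired cert $($cert.Thumbprint) still published" }
        elseif ($daysLeft -le $WarnDays) { $issues += "cert $($cert.Thumbprint) expires in $daysLeft days" }
        # Certificate-side view of problem 1: the cert's e-mail must match the address senders resolve.
        if ($primary.Count -gt 0 -and $certMail -ne $primary[0]) {
            $issues += "cert $($cert.Thumbprint) is for '$certMail', not '$($primary[0])'"
        }
    }
    if ($issues.Count -gt 0) {
        New-Object PSObject -Property @{ User = $sam; Issues = ($issues -join "; ") }
    }
}
$results.Dispose()
```

Run it before the renewal window and again after the OAB has regenerated; a user who only appears in the first run is the lag Steve describes, a user who still appears in the second needs the one-liner above or a reissued certificate.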
#4
Outlook 2003 and S/MIME - wrong certificates used?
Hi Steve,
Thank you so much for sharing the information about how you fixed the issue. If you have any other questions or concerns, please do not hesitate to contact us. It is always our pleasure to be of assistance. Have a nice day!

Emily Lin, Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security