Encrypted emails

  • Thread starter Gladys Castillo

Gladys Castillo

I have userA who can send encrypted emails to userB, and userB is able to
open them, but when the same userA sends an encrypted email to userC, they are
not able to open it. The weird part is that when userB sends an encrypted email
to userC, they are able to open the encrypted email. Does anyone have any
suggestions on how I can resolve this? We are in an Exchange 2007 SP1
environment; we had the CA auto-assign user certificates to all users. All
users have Outlook 2007. Any advice would be greatly appreciated.
 

Brian Tillman [MVP - Outlook]

I have userA who can send encrypted emails to userB, and userB is able to
open them, but when the same userA sends an encrypted email to userC, they are
not able to open it. The weird part is that when userB sends an encrypted email
to userC, they are able to open the encrypted email. Does anyone have any
suggestions on how I can resolve this? We are in an Exchange 2007 SP1
environment; we had the CA auto-assign user certificates to all users. All
users have Outlook 2007. Any advice would be greatly appreciated.

UserA doesn't have the correct public key for UserC. He has the correct
public key for UserB and UserB has the correct public key for UserC. Have
UserA remove any mention of UserC from the "Other People" section of his
crypto store, then send UserA his public key again.
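The diagnosis above can be confirmed on the recipient's side rather than guessed at. The following PowerShell script is an added example, not part of the thread and not Brian's or Microsoft's code: it decodes an S/MIME EnvelopedData blob (the base64 body of a saved smime.p7m), lists which certificates the sender encrypted the content key to, and checks each recipient entry against the user's Personal store. A recipient entry naming a certificate the user does not hold with a private key is exactly the "wrong public key" case. It assumes PowerShell 2.0 or later with .NET 2.0's System.Security.dll, and the self-test at the end assumes the Personal store contains at least one certificate with a private key; the probe message it builds is constructed for the example.

```powershell
# Added example (not from the thread). Run as the recipient, e.g. UserC.
# Assumes PowerShell 2.0+ and .NET 2.0+ (System.Security.dll).
Add-Type -AssemblyName System.Security

function Get-MessageRecipients {
    # One object per RecipientInfo in the EnvelopedData: the sender encrypted
    # the content key to each of these, identified by issuer+serial or by SKI.
    param([byte[]] $Blob)
    $cms = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $cms.Decode($Blob)
    foreach ($ri in $cms.RecipientInfos) {
        $id = $ri.RecipientIdentifier
        if ($id.Type -eq [System.Security.Cryptography.Pkcs.SubjectIdentifierType]::IssuerAndSerialNumber) {
            New-Object PSObject -Property @{ Type = "IssuerAndSerial"; Issuer = $id.Value.IssuerName; Serial = $id.Value.SerialNumber }
        } else {
            New-Object PSObject -Property @{ Type = "SubjectKeyIdentifier"; Ski = $id.Value }
        }
    }
}

function Find-LocalCertificate {
    # Match one recipient identifier against the user's Personal store.
    param($Recipient)
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        if ($Recipient.Type -eq "IssuerAndSerial") {
            ($_.SerialNumber -eq $Recipient.Serial) -and ($_.Issuer -eq $Recipient.Issuer)
        } else {
            $ext = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] }
            ($ext -ne $null) -and ($ext.SubjectKeyIdentifier -eq $Recipient.Ski)
        }
    }
}

function Test-MessageDecryptable {
    # Prints one line per recipient entry; returns $true if at least one of
    # them is present locally with a private key (i.e. Outlook can open it).
    param([byte[]] $Blob)
    $ok = $false
    foreach ($r in Get-MessageRecipients $Blob) {
        $desc  = if ($r.Type -eq "IssuerAndSerial") { "serial $($r.Serial) issued by $($r.Issuer)" } else { "SKI $($r.Ski)" }
        $local = @(Find-LocalCertificate $r)
        if ($local.Count -eq 0)               { $state = "not in Personal store" }
        elseif (-not $local[0].HasPrivateKey) { $state = "certificate present, but no private key" }
        else                                  { $state = "present with private key"; $ok = $true }
        Write-Host ("{0}: {1}" -f $desc, $state)
    }
    return $ok
}

# To check a real message: save the encrypted item as smime.p7m, strip the
# MIME headers, base64-decode the remainder, and pass the bytes:
#   $text = [IO.File]::ReadAllText("C:\temp\smime.p7m")
#   $blob = [Convert]::FromBase64String(($text -replace "(?s)^.*?\r?\n\r?\n", ""))
#   Test-MessageDecryptable $blob
#
# Self-test: encrypt a constructed probe message to the first certificate in
# the Personal store that has a private key; it must report as decryptable.
$self = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if ($self -ne $null) {
    $plain = [Text.Encoding]::ASCII.GetBytes("constructed probe message")
    $env   = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms (New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$plain))
    $env.Encrypt((New-Object System.Security.Cryptography.Pkcs.CmsRecipient $self))
    Test-MessageDecryptable $env.Encode()
}
```

Outlook encrypts to the sender's own certificate as well as to each recipient, so a message from UserA will normally list two or more entries; the one to look at is the entry that should correspond to UserC. If it names a serial number or SKI that UserC's Personal store does not contain, the sender is encrypting to a stale copy of UserC's certificate, which matches the advice to clear it from UserA's "Other People" entries and resend the current one.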
 

Gladys Castillo

Hi Brian,
Sorry to ask this stupid question but how do I get to the crypto store?
Thanks for your prompt response.

Gladys
 

Gladys Castillo

Hi Brian,
I think I found it. Is it in the Certificates MMC, under Other People?
If that is the place, I had the user check there, but there are no entries
at all. What I ended up doing is having both users re-download the Global
Address List, and that seems to have solved the problem. Thank you for your
input.
 

Brian Tillman [MVP - Outlook]

I think I found it. Is it in the Certificates MMC, under Other People?
If that is the place, I had the user check there, but there are no entries
at all. What I ended up doing is having both users re-download the Global
Address List, and that seems to have solved the problem. Thank you for your
input.

I'm glad you got it sorted.
 

Gladys Castillo

Hi Brian,
I still have some users who continue to have the same problem even after we
re-downloaded the GAL. Do you have any other suggestions? BTW, both of these
users are in cached mode.

Thanks
 

Gladys Castillo

Brian,
Do you have any other suggestions? I even put the users in online mode and
they are still having problems opening encrypted emails. I am not sure
what else to do at this point. I was thinking of going online and purchasing
digital certs for all my users, but I am not sure if this would solve my
problem. Have you seen this in other companies? We have a CA server that
auto-enrolled all our users. When I go to Active Directory I can see that
some of the users have multiple certificates; could this also be causing the
problems? If I delete the older cert, will they be unable to open their old
encrypted emails? I hope to hear from you soon. I am not sure how to
proceed at this point.

Gladys
 

Brian Tillman [MVP-Outlook]

Do you have any other suggestions? I even put the users in online mode and
they are still having problems opening encrypted emails. I am not sure
what else to do at this point. I was thinking of going online and purchasing
digital certs for all my users, but I am not sure if this would solve my
problem. Have you seen this in other companies? We have a CA server that
auto-enrolled all our users. When I go to Active Directory I can see that
some of the users have multiple certificates; could this also be causing the
problems? If I delete the older cert, will they be unable to open their old
encrypted emails? I hope to hear from you soon. I am not sure how to
proceed at this point.

I don't think it's a good idea to delete older certs. If you do, then
anything encrypted with that cert will become unreadable.

Have one of the people having trouble open up his or her crypto store:
Start>Run>certmgr.msc. Have the person expand "Personal" and select
"Certificates", then select the certificate with the public key with which the
message was supposedly encrypted. Have the person click Action>All
Tasks>Export. When the Certificate Export Wizard appears, the person should
click Next. That should display an "Export Private Key" dialogue. You should
see two radio buttons, one labeled "Yes, export the private key" and the other
labeled "No, do not export the private key". The latter should be selected,
but the former should be selectable. If it is not, if it is grayed out, then
the certificate's private key is damaged and that's why the messages cannot be
decrypted. The certificate will need to be recovered from your local
Private Key Infrastructure key recovery facility.
 

Gladys Castillo

Hi Brian,
It looks like they do have damaged certs in the cert store. I went to check
the CA and found that there are several certs assigned to the same individual.
When I look in their local personal cert manager, I only see three certs;
when I go to AD there are way more certs, closer to the number that is on the
CA. Could this also be the problem, that their local personal cert is not the
one that other users are using, and it is the one that is in Active Directory?
Would I need to get the AD certs installed in their personal cert store? What
are your thoughts on this?

Gladys
 

Brian Tillman [MVP-Outlook]

It looks like they do have damaged certs in the cert store. I went to check
the CA and found that there are several certs assigned to the same individual.
When I look in their local personal cert manager, I only see three certs;
when I go to AD there are way more certs, closer to the number that is on the
CA. Could this also be the problem, that their local personal cert is not the
one that other users are using, and it is the one that is in Active Directory?
Would I need to get the AD certs installed in their personal cert store? What
are your thoughts on this?

I don't know much about certs in the AD. I've managed a private key
infrastructure where people add certs to their individual PCs.
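The Export wizard check Brian describes and Gladys's question about the extra certificates in AD are two views of the same thing: which of the user's certificates senders will pick up from the GAL, and whether each of those is backed by a usable private key on the user's machine. The following PowerShell script is an added example, not from the thread and not Brian's, Gladys's or Microsoft's code. Run as the affected user on their own machine, it reads the certificates published on the user's own account in Active Directory (the userCertificate attribute, which is what the GAL hands to senders), lines them up against the Personal store, and reports for each whether a private key is present and whether it is exportable. The wizard greys out "Yes, export the private key" both when the key is missing and when it was enrolled non-exportable, so the script separates those two cases. It assumes a domain-joined machine, PowerShell 2.0 or later, and CSP-based (not CNG) keys, which is what a Windows Server 2003/2008-era autoenrollment template issues; the function and column names are the example's own.

```powershell
# Added example (not from the thread). Run as the affected user.
# Assumes a domain-joined machine and PowerShell 2.0+.

function Get-PublishedCertificates {
    # Certificates on the user's AD object (userCertificate); senders using
    # the GAL encrypt to one of these.
    param([string] $SamAccountName = $env:USERNAME)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void] $searcher.PropertiesToLoad.Add("userCertificate")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return @() }
    foreach ($raw in $hit.Properties["usercertificate"]) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
    }
}

function Get-KeyState {
    # Distinguishes "no key", "key but not exportable", "key exportable" and
    # "key reference present but CAPI cannot open the container".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    if (-not $Cert.HasPrivateKey) { return "no private key" }
    try {
        $info = $Cert.PrivateKey.CspKeyContainerInfo
        if ($info -eq $null) { return "private key (non-CSP key, exportability not read)" }
        if ($info.Exportable) { "private key, exportable" } else { "private key, NOT exportable" }
    } catch {
        "private key reference broken: " + $_.Exception.Message
    }
}

function Get-CertificateReport {
    # One row per certificate seen in AD or in the Personal store.
    param([string] $SamAccountName = $env:USERNAME)
    $local     = @(Get-ChildItem Cert:\CurrentUser\My)
    $published = @(Get-PublishedCertificates $SamAccountName)
    $rows = @()
    foreach ($p in $published) {
        $match = $local | Where-Object { $_.Thumbprint -eq $p.Thumbprint }
        if ($match) { $state = Get-KeyState $match } else { $state = "not in Personal store" }
        $rows += New-Object PSObject -Property @{
            Thumbprint = $p.Thumbprint; Expires = $p.NotAfter
            Published  = $true;         InStore = [bool] $match; KeyState = $state
        }
    }
    foreach ($l in $local) {
        if (-not ($published | Where-Object { $_.Thumbprint -eq $l.Thumbprint })) {
            $rows += New-Object PSObject -Property @{
                Thumbprint = $l.Thumbprint; Expires = $l.NotAfter
                Published  = $false;        InStore = $true; KeyState = Get-KeyState $l
            }
        }
    }
    $rows | Sort-Object Expires -Descending
}

Get-CertificateReport | Format-Table Thumbprint, Expires, Published, InStore, KeyState -AutoSize
```

A row that reads Published = True with "not in Personal store" or "no private key" is a certificate other users can pick from the GAL but this user cannot decrypt with; that is the combination to chase through the CA's key archival, if the template archived keys, or by re-enrolling and republishing. The report only reads, so it is safe to run before deciding anything about the older certificates.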
 
