Encryption Issue with Outlook, AD, Exchange

Matt

I have a user that no longer can open encrypted messages sent to her. She
can encrypt and send messages to other users, but when she receives an
encrypted message gets the error "Can't open this item. Your Digital ID name
can not be found by the underlying security system."

Outlook 2003, Exchange 2003, AD 2003.

I have generated a new certificate for the user, checked the Outlook
settings (the certificate shows up in Tools|Options|Security|Settings). I
have checked the userCertificate and userSMIME settings in AD. I have
created a contact both on the sender and the receiver (they are both in our
AD) with the corresponding user's certificate. I have tried publish to GAL
(and also cleared this setting). Nothing seems to work.

Any ideas?

Thanks!
Matt

Brian Tillman [MVP - Outlook]

> I have a user that no longer can open encrypted messages sent to her. She
> can encrypt and send messages to other users, but when she receives an
> encrypted message gets the error "Can't open this item. Your Digital ID name
> can not be found by the underlying security system."
>
> Outlook 2003, Exchange 2003, AD 2003.
>
> I have generated a new certificate for the user,

Generating a new certificate may help future messages, but it won't be
retroactive to messages already received. Those messages were encrypted using
a public key from a different certificate, which also had a different private
key. Unless you have key recovery and regenerate the exact same certificate,
it won't help.

Click Start>Run and enter

certmgr.msc

in the Open field. Click Go. When the "Certificates" window appears, expand
"Personal" and select "Certificates". Is there more than one certificate
there (i.e., both the old and the new)? If so, Right-click the old
certificate, choose All Tasks, and select Export. When the "Certificate
Export Wizard" opens, click Next. You should see two radio buttons there, one
that says "Yes, export the private key" and the other should say "No, do not
export the private key". While the "No" option will be selected by default,
if the "Yes" option is grayed out and cannot be selected, you've found your
problem: the private key of the old certificate was lost or damaged and that's
why the crypto subsystem can't decrypt the message. With key recovery in your
PKI infrastructure you can regenerate the same certificate. Revoking the old
certificate and reissuing a new one, however, won't repair the damaged
certificate. You should, however, be able to decrypt future messages,
provided the senders get the new public key first.

Matt

There is only one certificate listed for her. We don't allow export of the
private key, so that is not an option. But I'm not worried about decrypting
the old encrypted messages, just letting her read new ones. But she can't
read any encrypted message that is sent for her.

We revoked her old certificate and issued a new one and the problem
persists. We checked to make sure all certificates were removed (Personal
store and AD (both the userCertificate field and the userSMIMECertificate
field)). I even checked all DCs to see if there was some sort of replication
problem.

The problem still exists, she can send encrypted e-mails without a problem,
but any e-mail sent to her she cannot read. We have even tried a different
computer (new Windows and Outlook profiles) and OWA.

It's very strange to me, I feel I'm overlooking something but can't seem to
think of what it is. When someone sends her an e-mail, they should be using
the certificate stored in AD. I've cleared it, let replication occur, and
generated a new one, which I then verify is listed in AD. But still, she
can't open it.
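The two checks discussed in this thread (Brian's certmgr.msc test of whether the old certificate's private key is still present, and Matt's comparison of the Personal store against the userCertificate and userSMIMECertificate attributes in AD) can be done from one script instead of by hand. The following is an added example, not code from the thread or from Microsoft. It assumes a domain-joined machine, that it is run in the affected user's own session (CurrentUser store), that the account's sAMAccountName is $env:USERNAME, and that the keys are RSA keys held by a CAPI CSP, as was typical for Outlook 2003-era enrolment; the function names are mine. It keeps "private key missing or damaged" separate from "private key present but marked non-exportable", because both grey out the "Yes, export the private key" option in the wizard and only the first one stops decryption.

```powershell
# Added example (not from the thread). Verifies that the user can decrypt S/MIME mail:
# every certificate a sender can pick up from AD must exist in the user's Personal store
# with a working private key. Assumes CurrentUser session, domain-joined, CAPI RSA keys.

$SecureEmailEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection
$KeyUsageOid    = '2.5.29.15'            # keyUsage extension

function Get-LocalSmimeKeyStatus {
    # One record per secure-e-mail certificate in the Personal store, reporting the
    # private-key state that the certmgr.msc export wizard only shows indirectly.
    # (Certificates with no EKU at all are skipped by this filter; an assumption here.)
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SecureEmailEku } |
        ForEach-Object {
            $cert = $_
            $keyUsage = ($cert.Extensions | Where-Object { $_.Oid.Value -eq $KeyUsageOid }).KeyUsages
            $exportable = $null
            $keyError = $null
            if ($cert.HasPrivateKey) {
                try {
                    # Reading PrivateKey opens the key container. A lost or damaged
                    # container throws (typically "Keyset does not exist"): that is the
                    # case Brian describes, and it prevents decryption outright.
                    $rsa = $cert.PrivateKey
                    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                        # Non-exportable is a policy setting, not a fault; it only greys
                        # out the "Yes, export the private key" option in the wizard.
                        $exportable = $rsa.CspKeyContainerInfo.Exportable
                    }
                } catch {
                    $keyError = $_.Exception.Message
                }
            }
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                KeyUsage      = $keyUsage
                HasPrivateKey = $cert.HasPrivateKey
                Exportable    = $exportable
                KeyError      = $keyError
            }
        }
}

function Get-PublishedSmimeCerts {
    # Certificates AD publishes for the account. userCertificate holds DER certificates,
    # userSMIMECertificate holds a PKCS#7 blob; X509Certificate2Collection.Import reads both.
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    [void]$searcher.PropertiesToLoad.Add('userSMIMECertificate')
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "No AD user with sAMAccountName '$SamAccountName'" }
    foreach ($attr in 'usercertificate', 'usersmimecertificate') {
        foreach ($blob in $entry.Properties[$attr]) {
            $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
            $coll.Import([byte[]]$blob)
            foreach ($c in $coll) {
                [pscustomobject]@{ Attribute = $attr; Thumbprint = $c.Thumbprint; Subject = $c.Subject; NotAfter = $c.NotAfter }
            }
        }
    }
}

function Test-SmimeDecryptionReadiness {
    # Cross-check: for each certificate a sender would take from AD, is there a local
    # certificate with the same thumbprint, a usable private key, and keyEncipherment?
    $local = @(Get-LocalSmimeKeyStatus)
    $encipher = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    foreach ($p in @(Get-PublishedSmimeCerts)) {
        $match = $local | Where-Object { $_.Thumbprint -eq $p.Thumbprint } | Select-Object -First 1
        $status = if (-not $match)                       { 'PUBLISHED IN AD BUT NOT IN PERSONAL STORE' }
                  elseif (-not $match.HasPrivateKey)     { 'NO PRIVATE KEY' }
                  elseif ($match.KeyError)               { "PRIVATE KEY UNUSABLE: $($match.KeyError)" }
                  elseif ($match.KeyUsage -and -not $match.KeyUsage.HasFlag($encipher)) { 'KEY USAGE LACKS keyEncipherment' }
                  else                                   { 'OK' }
        [pscustomobject]@{ Attribute = $p.Attribute; Thumbprint = $p.Thumbprint; Expires = $p.NotAfter; Status = $status }
    }
}

Get-LocalSmimeKeyStatus | Format-List
Test-SmimeDecryptionReadiness | Format-Table -AutoSize
```

Run it as the affected user. A row whose Status is anything but OK names the thumbprint senders are encrypting to and why the local machine cannot use it; "NO PRIVATE KEY" or "PRIVATE KEY UNUSABLE" with a certificate that still shows in Outlook's Security settings is the lost-key case, while "PUBLISHED IN AD BUT NOT IN PERSONAL STORE" means a stale or replicated-late AD attribute is still handing out a key the user no longer holds. Exportable = False on its own is expected where policy forbids export and is not a fault.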

Brian Tillman [MVP - Outlook]

> It's very strange to me, I feel I'm overlooking something but can't seem to
> think of what it is. When someone sends her an e-mail, they should be using
> the certificate stored in AD. I've cleared it, let replication occur, and
> generated a new one, which I then verify is listed in AD. But still, she
> can't open it.

I'm stumped.