Encryption using wrong certificates

Ian Morris

I am running Outlook 2007 (in an Exchange 2007 environment) on a desktop
running Vista x64. I have installed a self-signed certificate. When I send a
signed email it is correctly signed with the certificate of the user that sent
the email.

However, if I encrypt an email, Outlook incorrectly encrypts it also with
the sending user's certificate and NOT the recipient's certificate. The result
is the recipient cannot read it, but if the sender views their inbox, the
sender can read it. When checked (by clicking on the blue lock) it states
that it is encrypted with the certificate from the sender!

Any idea what is going on? It makes no difference whether the sending user
has the recipient's certificate at all; Outlook never asks for it. This issue
happens with all the user IDs tested. Could this be an issue with Exchange,
the offline address book or the GAL?

I am completely stumped; any ideas would be welcomed!

Thanks

Ian
 
Brian Tillman [MVP - Outlook]

I am running Outlook 2007 (in an Exchange 2007 environment) on a desktop
running Vista x64. I have installed a self-signed certificate. When I send a
signed email it is correctly signed with the certificate of the user that sent
the email.

However, if I encrypt an email, Outlook incorrectly encrypts it also with
the sending user's certificate and NOT the recipient's certificate.

If the recipient does not have a certificate, Outlook complains and asks if
you want to send it unencrypted. Please open your certificate store
(Start>Search>certmgr.msc) and expand the "Other People" folder, then click
Certificates under that. Examine the certs and check that the recipient
doesn't have an old, expired cert there.
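Brian's check above is a manual walk through certmgr.msc. The following PowerShell script is an added example, not something posted in this thread, that does the same audit of the "Other People" store from the command line: it lists every recipient certificate, flags ones that are expired, not yet valid, or lack the secure-email extended key usage, and warns where one e-mail address has more than one certificate (the stale-copy situation Brian describes). It assumes Windows PowerShell 5.1 with the built-in Certificate provider, where the "Other People" folder is the `AddressBook` store under `Cert:\CurrentUser`; the function names are the example's own.

```powershell
# Added example (not from the thread): audit Cert:\CurrentUser\AddressBook,
# which certmgr.msc shows as "Other People", for recipient certificates that
# Outlook might select for S/MIME encryption.
# Assumes Windows PowerShell 5.1 and the standard Certificate provider.

$SecureEmailEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection
$now = Get-Date

function Get-CertEmail {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns the rfc822Name from the SAN, falling back to the Subject E= attribute.
    $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
}

function Test-SecureEmailEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $eku) { return $true }   # no EKU extension means unrestricted usage
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SecureEmailEku })
}

# Build one row per certificate in the Other People store.
$report = foreach ($cert in Get-ChildItem Cert:\CurrentUser\AddressBook) {
    $problems = @()
    if ($cert.NotAfter -lt $now)           { $problems += 'EXPIRED' }
    if ($cert.NotBefore -gt $now)          { $problems += 'NOT-YET-VALID' }
    if (-not (Test-SecureEmailEku $cert))  { $problems += 'NO-EMAIL-EKU' }
    [pscustomobject]@{
        Email      = (Get-CertEmail $cert)
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Problems   = ($problems -join ',')
    }
}

# More than one certificate for the same address is exactly the case to look at:
# an older, expired copy sitting next to the recipient's current one.
$report | Group-Object Email | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0}: {1} certificates in Other People" -f $_.Name, $_.Count)
}

$report | Sort-Object Email, NotAfter | Format-Table -AutoSize

# Once a stale entry is confirmed, it can be removed by thumbprint, e.g.:
# Remove-Item "Cert:\CurrentUser\AddressBook\<THUMBPRINT>"
```

Run it in the affected user's session, since the store is per user. Removing a certificate only affects the local store; Outlook will pick the recipient's certificate up again from a newly received signed message or from the directory, as the thread goes on to describe.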
 
Ian Morris

Thanks for the suggestion Brian, I have had a quick look and there do seem to
be some legacy certificates, which I have now removed. One user now seems okay,
another still gets the same issue, so it is looking a little more hopeful. I
think I need to systematically check, remove older certificates, re-issue etc.
etc. It's getting late here now so I will have a stab tomorrow and let you
know the results.

I appreciate your help.

Kind regards

Ian
 
Brian Tillman [MVP - Outlook]

Thanks for the suggestion Brian, I have had a quick look and there do seem to
be some legacy certificates, which I have now removed. One user now seems okay,
another still gets the same issue, so it is looking a little more hopeful. I
think I need to systematically check, remove older certificates, re-issue etc.
etc. It's getting late here now so I will have a stab tomorrow and let you
know the results.

I'd also reload the recipient's current certificate again, just to make sure.
 
Ian Morris

Brian, I have done some testing and still not quite there.

I have deleted all personal and "Other People" Certificates for User1 and
User2.

I have checked that there is no reference to them in Outlook, trust center
(and Int Explorer)

I have deleted reference to each user in their respective Outlook Contacts
(although they still exist in the GAL and OAL).

I have created a new certificate for each user and that is referenced in
their respective Outlook Trust Center.

I sent a signed email from User1 to User2 - that worked fine, correct
certificate used.
I saved the User1 contact to User2's Outlook Contacts.
I tried to send an encrypted email from User2 to User1 - that failed, said
"no certificate for User2" - it should have been looking for User1's
certificate.

I created a certificate for User2 and sent a signed email to User1 - that
worked.
I saved it to the Outlook Contacts of User1.
I then sent an encrypted email from User1 to User2 - that worked!

So it looks like I am now only having the issue with User2. I have
subsequently checked the certificate store of User2 and find: Under
"Personal", there is only 1 certificate and it is for User2 (correct); under
"Other People" there is only 1 certificate and it is for User1 (also correct)

Can you think of anything else I can check?
 
Brian Tillman [MVP - Outlook]

I sent a signed email from User1 to User2 - that worked fine, correct
certificate used.
I saved the User1 contact to User2's Outlook Contacts.
I tried to send an encrypted email from User2 to User1 - that failed, said
"no certificate for User2" - it should have been looking for User1's
certificate.

I created a certificate for User2 and sent a signed email to User1 - that
worked.
I saved it to the Outlook Contacts of User1.
I then sent an encrypted email from User1 to User2 - that worked!

So it looks like I am now only having the issue with User2. I have
subsequently checked the certificate store of User2 and find: Under
"Personal", there is only 1 certificate and it is for User2 (correct); under
"Other People" there is only 1 certificate and it is for User1 (also correct)

While everything sounds correct, just for grins, on User2, open User2's
certificate in "Personal" and try to export it. On the second screen of the
wizard, there should be two radio buttons, one to export the private key and
one to not export it. The one to not export it should be selected, but the
other one should be active and selectable. Is it? If it is not, the private
key is damaged. If it is, then the cert should be OK. One last thing to
check - sometimes, for reasons I can't understand, the crypto store for a user
profile can get damaged. Create a new User3 with User2's credentials and try
it from that Windows profile.
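The export-wizard test above checks whether the private key is present and exportable. As an added example (not from this thread), the PowerShell below goes one step further for every certificate in the user's Personal store that carries an e-mail address: it confirms a private key is attached and then exercises it with an RSA encrypt/decrypt round trip, which is the operation Outlook needs to read encrypted mail. A damaged key container, the situation Brian points to, normally surfaces here as a `CryptographicException` rather than as a silent failure. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later (for `GetRSAPrivateKey`, which handles both CAPI and CNG key storage) and RSA keys, which is what the thread's self-signed certificates would use; the function name and test message are constructed for the example.

```powershell
# Added example (not from the thread): check that each S/MIME certificate in
# Cert:\CurrentUser\My has a private key that is not just present but usable.
# Assumes Windows PowerShell 5.1 on .NET Framework 4.6+ and RSA keys.

function Test-PrivateKeyUsable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'NO-PRIVATE-KEY' }
    try {
        $priv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $priv) { return 'NOT-RSA-OR-UNAVAILABLE' }
        $pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)

        # Constructed test message: encrypt with the public key, decrypt with the
        # private key. This is the primitive S/MIME decryption ultimately relies on.
        $plain  = [System.Text.Encoding]::UTF8.GetBytes('constructed test message')
        $cipher = $pub.Encrypt($plain, [System.Security.Cryptography.RSAEncryptionPadding]::Pkcs1)
        $back   = $priv.Decrypt($cipher, [System.Security.Cryptography.RSAEncryptionPadding]::Pkcs1)

        if ([System.Text.Encoding]::UTF8.GetString($back) -eq 'constructed test message') { return 'OK' }
        return 'DECRYPT-MISMATCH'
    } catch [System.Security.Cryptography.CryptographicException] {
        # A key container that cannot be opened or used lands here.
        return "KEY-ERROR: $($_.Exception.Message)"
    }
}

$emailName = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.GetNameInfo($emailName, $false) } |
    ForEach-Object {
        [pscustomobject]@{
            Email      = $_.GetNameInfo($emailName, $false)
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            PrivateKey = (Test-PrivateKeyUsable $_)
        }
    } | Format-Table -AutoSize
```

Run it as the affected user, because the Personal store and the key containers behind it are per profile; that is also why a fresh Windows profile, as suggested above, can clear a problem that the certificate itself does not show.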
 
Ian Morris

Thanks Brian, yes I can export the certificate with the private key, no issue
there at all.

I can set up another id, when you say "with the same credentials" what
exactly do you mean, a straight copy of User2 with a different log on name
but using the same email account? Or do you mean another user and different
email account but with the same access rights?

Let me know and I will test that; I imagine if it is a new user etc. it will
work since I already have one account that works. I guess there isn't a way I
can just rebuild the crypto store, is there?

Thanks, Ian
 
Brian Tillman [MVP - Outlook]

I can set up another id, when you say "with the same credentials" what
exactly do you mean, a straight copy of User2 with a different log on name
but using the same email account? Or do you mean another user and different
email account but with the same access rights?

I mean give the same person a new Windows profile. Configure Outlook the same
as before.
 
Ian Morris

Brian

Just to let you know, it worked for User2...but I now have the same problem
for User1! However, given the difference it sounds like it might work. I
will, over the weekend, refresh all the profiles, revoke the certificates,
re-issue them all and try again - things are a little manic at the moment to
do that. I will let you know if it doesn't work.

Thanks for your help, it really did help me get to the bottom of this.

Kind regards

Ian
 
 
liucharl

I am running Outlook 2007 (in an Exchange 2007 environment) on a desktop
running Vista x64. I have installed a self-signed certificate. When I send a
signed email it is correctly signed with the certificate of the user that sent
the email.

However, if I encrypt an email, Outlook incorrectly encrypts it also with
the sending user's certificate and NOT the recipient's certificate. The result
is the recipient cannot read it, but if the sender views their inbox, the
sender can read it. When checked (by clicking on the blue lock) it states
that it is encrypted with the certificate from the sender!

Any idea what is going on? It makes no difference whether the sending user
has the recipient's certificate at all; Outlook never asks for it. This issue
happens with all the user IDs tested. Could this be an issue with Exchange,
the offline address book or the GAL?

I am completely stumped; any ideas would be welcomed!

Thanks

Ian

Hi Ian,

I know this is a very old thread... I am wondering if you got to the bottom of this problem? I am facing the same issue with WinXP Outlook 2003 and Win7 Outlook 2007... they are acting the same way. If I delete the cached (autocomplete) email address, Outlook encrypts the message with the recipient's certificate correctly. But after sending 3 more test emails the same way, Outlook encrypts the message with the sender's certificate instead of the recipient's... I am running out of ideas.

any information would be appreciated.

--Charles
 
