Article ID: 2621062
Consider the following scenarios.
Cannot open this item. Your Digital ID name cannot be found by the underlying security system
This message can't be decrypted because its encryption algorithm isn't supported or your digital ID can't be found. If you have a smart card-based digital ID, insert the card and try again to open the message.
This issue can occur if all the following conditions are true:
To work around this issue, use one of the following methods.
Use the Contacts feature. To do this, follow these steps:
Do not create distribution lists that contain members when those members span multiple Address Book policies.
In Exchange Server 2010 SP2, administrators can implement a new feature known as Address Book Policies. This feature lets administrators use a policy to define which Exchange objects a mailbox user can see. This policy is then evaluated by the Address Book Service on the Client Access Server when a mailbox user performs an Address Book query. If the object that is requested in the query does not match the scope that is defined for the policy, the mailbox user cannot see that object.
For Distribution Groups (DG), mailbox users may not see the whole membership of the group if the scope of their Address Book Policy does not include all members of that group. The Address Book service in Exchange Server 2010 SP2 implements Name Service Provider Interface (NSPI) segregation. When the mail client tries to perform DL expansion and look up the public certificates for all members of the Distribution List, the mail client cannot see users who do not match the scope of its policy. Therefore, the mail client does not try to look up certificates for the users that it cannot see.
After the message is sent, Hub Transport is not subject to Address Book Policies. Therefore, Transport can send the message to the actual membership of the Distribution List when Distribution List expansion is performed.
When you send to a Distribution List that contains members that you cannot see, Outlook and Outlook Web App cannot locate those recipients' certificate information in Active Directory Domain Services. Therefore, their certificate information is not used to encode the lockbox (the copy of the message encryption key that is encrypted to each recipient's public key), and such a recipient has no lockbox to open with their certificate and private key, so they cannot decrypt the message.
When you use either of the methods that are listed in the "Workaround" section to encrypt email messages, the certificate of every recipient is available at send time, so each recipient can locate the certificate and private key that decrypt the message.
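The following Exchange Management Shell script is an added example, not part of this article: it lists the members of a distribution group that fall outside the GAL scope of a given Address Book Policy, which is exactly the membership that a sender under that policy cannot see and therefore cannot encrypt to. The policy name "Contoso ABP" and the group name "All Project Staff" are placeholders.

```powershell
# Added example (not from the KB article): find distribution group members that a sender
# scoped by a given Address Book Policy cannot see. Outlook/OWA will not fetch certificates
# for these members, so an S/MIME message sent to the group is undecryptable for them.
# Placeholder names; replace with your own ABP and group.
$abpName = 'Contoso ABP'
$dlName  = 'All Project Staff'

# The ABP assigns the GAL that the user sees; that GAL carries an OPATH recipient filter.
$abp = Get-AddressBookPolicy -Identity $abpName
$gal = Get-GlobalAddressList -Identity $abp.GlobalAddressList

# Recipients that the policy's GAL exposes, found by evaluating the GAL filter directly.
$visible = Get-Recipient -RecipientPreviewFilter $gal.RecipientFilter -ResultSize Unlimited |
           ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() }

# The real membership, which Hub Transport uses when it expands the list after sending.
# Note: only direct members are returned; nested groups are not expanded here.
$members = Get-DistributionGroupMember -Identity $dlName -ResultSize Unlimited

# Members present in the group but absent from the sender's visible address book.
$hidden = $members | Where-Object {
    $visible -notcontains $_.PrimarySmtpAddress.ToString().ToLower()
}

if ($hidden) {
    Write-Warning "Members of '$dlName' outside the GAL scope of '$abpName' (no S/MIME lockbox will be created for them):"
    $hidden | Select-Object Name, PrimarySmtpAddress, RecipientType | Format-Table -AutoSize
} else {
    Write-Output "All members of '$dlName' are visible under '$abpName'."
}
```

Run this before encrypting to a group that spans policies, or as a periodic check against the guidance in the "Workaround" section; a non-empty result means the group should be split or the policy scope revisited.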
For more information about Address Book Policies, see the following topic from Microsoft TechNet online:
Understanding Address Book Policies