Outlook continues to use old certificates after you migrate from Key Management Server to Public Key Infrastructure

Article ID: 822504 - View products that this article applies to.

SYMPTOMS

After you migrate from Key Management Server (KMS) to Public Key Infrastructure (PKI), you cannot read encrypted e-mail messages that are sent by Microsoft Office Outlook 2003 or Microsoft Office Outlook 2007 users, but you can read e-mail messages that are sent by Outlook Web Access (OWA) users.

Note This problem occurs if the old KMS keys were removed during the migration, so that the recipient no longer holds the private key that matches the old KMS certificate.

CAUSE

During a migration from KMS to PKI, the Windows Certification Authority publishes the new certificates to the userCertificate attribute in Active Directory. However, the old certificates that were issued by KMS remain in the userSMIMECertificate attribute in Active Directory, and nothing removes them automatically.

By default, both Outlook 2003 and Outlook 2007 search for a recipient's certificate in the userSMIMECertificate attribute in Active Directory first, and search the userCertificate attribute only if no certificate is found there. In this situation, the Outlook client picks up the old KMS certificate that is still in the userSMIMECertificate attribute and uses it to encrypt the message, so a recipient who no longer has the KMS key cannot read it.

By default, Outlook Web Access (OWA) searches for a certificate in the userCertificate attribute in Active Directory first, and searches the userSMIMECertificate attribute only if no certificate is found there. OWA therefore finds the new PKI certificate, which is why messages that are sent from OWA can be read.

RESOLUTION

Use one of the following methods to resolve this problem:
  • Verify that the client that is reading the e-mail message has the keys that correspond to the certificates in both the userSMIMECertificate and the userCertificate attributes in Active Directory in its local certificate store. The old KMS key is still required to read messages that were encrypted to the old certificate.
  • Clean up the userSMIMECertificate attribute so that it contains only the latest certificate (the certificate that is published to the userCertificate attribute). When the userSMIMECertificate attribute no longer contains a stale certificate, Outlook finds the same certificate that OWA finds.

    Users can use the Publish to GAL option to make sure that their new certificates are published in the directory. To do this, follow these steps:
    1. In Outlook, click Tools, click Options, and then click Security.
    2. Click Security Settings, and then verify that the digital ID that is required for publishing is configured. Click Choose to select the digital ID that is required for digital signature and encryption, and then click OK.
    3. Click Publish To GAL.
    Note Administrators can use the information that is in the "Appendix C: Digital Certificates Cleanup Script" chapter of the Exchange Server 2003 Message Security Guide to clean up the certificate entries in the directory. To obtain the "Appendix C: Digital Certificates Cleanup Script" chapter of the Exchange Server 2003 Message Security Guide, visit the following Microsoft Web site:
    http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx
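
The lookup order described under CAUSE and the cleanup described in the second method above, as an added example that is not part of this article and is not Microsoft's cleanup script: a PowerShell script that reads one user's userCertificate and userSMIMECertificate values from Active Directory, shows which certificate Outlook 2003/2007 (userSMIMECertificate first) and OWA (userCertificate first) will each pick, flags userSMIMECertificate values that carry no certificate still present in userCertificate, and removes them only when run with -RemoveStale. It assumes the RSAT ActiveDirectory module is installed, that the caller can read and write the user's attributes, and that userSMIMECertificate values are PKCS#7 blobs (the format Publish To GAL writes); values that do not decode are reported and left alone. The account name used in the usage comment is a placeholder.

```powershell
<#
Added example, not from KB 822504. Audit, and optionally clean up, the
userSMIMECertificate attribute of one user after a KMS-to-PKI migration.
Assumptions: RSAT ActiveDirectory module present; caller may read/write the
user; userSMIMECertificate values are PKCS#7 (CMS) blobs.
Usage:  .\Audit-SmimeCert.ps1 -Identity jsmith            # report only
        .\Audit-SmimeCert.ps1 -Identity jsmith -RemoveStale -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$Identity,   # sAMAccountName, DN or GUID ('jsmith' is a placeholder)
    [switch]$RemoveStale
)

Import-Module ActiveDirectory
Add-Type -AssemblyName System.Security

function ConvertFrom-UserCertificate {
    # Each userCertificate value is one DER-encoded X.509 certificate.
    param($Values)
    foreach ($blob in $Values) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
    }
}

function ConvertFrom-UserSmimeCertificate {
    # Each userSMIMECertificate value is a PKCS#7 blob that may carry several
    # certificates. Keep the raw blob with its certificates so that a stale
    # value can later be removed by value without touching the others.
    param($Values)
    foreach ($blob in $Values) {
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        try {
            $cms.Decode([byte[]]$blob)
            $certs = @(foreach ($c in $cms.Certificates) { $c })
            [pscustomobject]@{ Blob = [byte[]]$blob; Certs = $certs; Decoded = $true }
        } catch {
            Write-Warning ("userSMIMECertificate value of {0} bytes is not PKCS#7; leaving it untouched" -f $blob.Length)
            [pscustomobject]@{ Blob = [byte[]]$blob; Certs = @(); Decoded = $false }
        }
    }
}

$user = Get-ADUser -Identity $Identity -Properties userCertificate, userSMIMECertificate
$pkiCerts  = @(ConvertFrom-UserCertificate      -Values $user.userCertificate)
$smimeVals = @(ConvertFrom-UserSmimeCertificate -Values $user.userSMIMECertificate)

$cols = 'Thumbprint', 'Subject', 'Issuer', 'NotAfter'
Write-Host "userCertificate (OWA looks here first):"
$pkiCerts | Format-Table $cols -AutoSize | Out-Host
Write-Host "userSMIMECertificate (Outlook 2003/2007 looks here first):"
$smimeVals | ForEach-Object { $_.Certs } | Format-Table $cols -AutoSize | Out-Host

if ($pkiCerts.Count -eq 0) {
    # Nothing to compare against: do not delete the only published certificate.
    Write-Warning "No certificate in userCertificate; no userSMIMECertificate value is removed."
    return
}

# A value is stale when none of its certificates is one the CA published to
# userCertificate. Once stale values are gone, Outlook falls through to
# userCertificate and resolves the same certificate OWA does.
$currentThumbs = $pkiCerts | ForEach-Object { $_.Thumbprint }
$stale = $smimeVals | Where-Object {
    $_.Decoded -and -not ($_.Certs | Where-Object { $currentThumbs -contains $_.Thumbprint })
}

foreach ($v in $stale) {
    $desc = ($v.Certs | ForEach-Object { $_.Thumbprint }) -join ','
    if ($RemoveStale -and $PSCmdlet.ShouldProcess($Identity, "Remove stale userSMIMECertificate value [$desc]")) {
        # -Remove deletes this one value only; other values of the attribute stay.
        Set-ADUser -Identity $Identity -Remove @{ userSMIMECertificate = $v.Blob }
    } else {
        Write-Host "Stale userSMIMECertificate value: $desc (run with -RemoveStale to delete it)"
    }
}
```

Run it without -RemoveStale first and compare the two tables: if the userSMIMECertificate table shows a certificate whose issuer is the old KMS and the userCertificate table shows the new CA, that is the mismatch described under CAUSE. After stale values are removed, have the user run Publish To GAL (steps above) so that userSMIMECertificate again carries the current certificate rather than staying empty.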

Properties

Article ID: 822504 - Last Review: January 17, 2007 - Revision: 5.2
APPLIES TO
  • Microsoft Office Outlook 2003
  • Microsoft Office Outlook 2007
Keywords: 
kbprb kbpending KB822504
