Outlook continues to use old certificates after you migrate from Key Management Server to Public Key Infrastructure
After you migrate from Key Management Server (KMS) to Public Key Infrastructure (PKI), you cannot read encrypted e-mail messages that are sent by Microsoft Office Outlook 2003 or Microsoft Office Outlook 2007 users, but you can read encrypted e-mail messages that are sent by Outlook Web Access (OWA) users.
Note: This problem occurs if you removed your old KMS keys during the migration.
This problem occurs when you migrate from KMS to PKI. The PKI Windows Certification Authority publishes the new certificates to the userCertificate attribute in Active Directory. However, the old certificates that were issued by KMS are still contained in the userSMIMECertificate attribute in Active Directory.
By default, both Outlook 2003 and Outlook 2007 search for a recipient's certificate in the userSMIMECertificate attribute in Active Directory first, and search the userCertificate attribute second only if no certificate is found there. In this situation, the Outlook client picks up the old KMS certificate from the userSMIMECertificate attribute and encrypts the message to it. Because the KMS keys were removed, the recipient no longer holds the private key for that certificate and cannot decrypt the message.
By default, Outlook Web Access (OWA) searches for a certificate in the userCertificate attribute in Active Directory first, and searches the userSMIMECertificate attribute second only if no certificate is found there. OWA therefore encrypts to the new PKI certificate, and the recipient can read the message.
Use one of the following methods to resolve this problem:
- Verify that the client that reads the e-mail message has, in its local certificate store, the private keys that correspond to the certificates in both the userSMIMECertificate attribute and the userCertificate attribute in Active Directory. Keep the old KMS private key; any message that was encrypted to the old certificate can be read only with it.
- Clean up the userSMIMECertificate attribute so that it contains only the latest certificate (the certificate that is published to the userCertificate attribute). Clearing the attribute also works, because Outlook then falls through to the userCertificate attribute.
Users can use the Publish to GAL option to make sure that their new certificates are published in the directory. This rewrites the userSMIMECertificate attribute with the certificate that is currently selected in Outlook. To do this, follow these steps:
- In Outlook 2003, click Tools, click Options, and then click Security. (In Outlook 2007, click Tools, click Trust Center, and then click E-mail Security.)
- Click Security Settings, and then verify that the digital ID that is required for publishing is configured. Click Choose to select the digital ID that is required for digital signature and encryption, and then click OK.
- Click Publish To GAL.
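The lookup order described in the cause section and the two resolution methods, as an added PowerShell example that is not part of this article and is not Microsoft's tooling. It assumes Windows PowerShell 5.1 on a domain-joined computer with the ActiveDirectory module (RSAT) installed, an account that can read (and, for the last function, write) the user's attributes, and a user named jdoe; all function names are this example's own.

```powershell
# Added example for KB 822504, not Microsoft's code. Assumes Windows PowerShell 5.1, the
# ActiveDirectory module (RSAT) and rights to read/write the user's AD attributes.
Add-Type -AssemblyName System.Security   # provides SignedCms on Windows PowerShell 5.1
Import-Module ActiveDirectory

# Decode every certificate a user has published in AD, grouped by the attribute it came from.
function Get-PublishedCertificates {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate, userSMIMECertificate

    # userCertificate: one DER-encoded X.509 certificate per value (what the Windows CA publishes).
    $pki = @()
    foreach ($der in $user.userCertificate) {
        $pki += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }

    # userSMIMECertificate: what Outlook's Publish to GAL wrote. Normally a PKCS#7 blob that
    # carries the certificate(s); if a value is a bare DER certificate instead, decode it as such.
    $smime = @()
    foreach ($blob in $user.userSMIMECertificate) {
        $cms = [System.Security.Cryptography.Pkcs.SignedCms]::new()
        try {
            $cms.Decode([byte[]]$blob)
            foreach ($c in $cms.Certificates) { $smime += $c }
        } catch {
            $smime += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
        }
    }

    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        UserCertificate      = $pki
        UserSMIMECertificate = $smime
    }
}

# Report which attribute each client type reads first (the order the article describes) and which
# userSMIMECertificate entries are not among the CA-published certificates, i.e. the stale KMS
# certificates that Outlook 2003/2007 senders keep encrypting to.
function Test-SmimePublication {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $p = Get-PublishedCertificates -SamAccountName $SamAccountName
    $pkiThumbs = @($p.UserCertificate | ForEach-Object { $_.Thumbprint })
    $stale = @($p.UserSMIMECertificate | Where-Object { $pkiThumbs -notcontains $_.Thumbprint })

    $order = @{
        Outlook = 'userSMIMECertificate', 'userCertificate'   # Outlook 2003 / Outlook 2007
        OWA     = 'userCertificate', 'userSMIMECertificate'   # Outlook Web Access
    }
    $picks = @{}
    foreach ($client in $order.Keys) {
        $picks[$client] = 'none'
        foreach ($attr in $order[$client]) {
            if ($p.$attr.Count -gt 0) { $picks[$client] = $attr; break }   # first non-empty wins
        }
    }

    [pscustomobject]@{
        SamAccountName    = $p.SamAccountName
        OutlookReadsFrom  = $picks['Outlook']
        OwaReadsFrom      = $picks['OWA']
        StaleSmimeEntries = @($stale | ForEach-Object {
            '{0} issuer={1} expires={2:d}' -f $_.Thumbprint, $_.Issuer, $_.NotAfter })
    }
}

# Method 1, run as the recipient on the reading client: is there a private key in the user's
# store for every certificate published under either attribute? False next to the KMS
# certificate means messages encrypted to it cannot be decrypted on this computer.
function Test-LocalDecryptionKeys {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $p = Get-PublishedCertificates -SamAccountName $SamAccountName
    $localThumbs = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } | ForEach-Object { $_.Thumbprint })
    foreach ($cert in @($p.UserCertificate) + @($p.UserSMIMECertificate)) {
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Issuer        = $cert.Issuer
            HasPrivateKey = ($localThumbs -contains $cert.Thumbprint)
        }
    }
}

# Method 2: drop the stale entries. Clearing userSMIMECertificate makes Outlook fall through to
# userCertificate on its next directory lookup; the user then runs Publish to GAL so the attribute
# carries the current certificate again. This touches only the directory, never any private key.
function Clear-StaleSmimeCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $report = Test-SmimePublication -SamAccountName $SamAccountName
    if ($report.StaleSmimeEntries.Count -eq 0) {
        Write-Verbose "$SamAccountName has no stale userSMIMECertificate entries"
        return
    }
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Clear userSMIMECertificate')) {
        Set-ADUser -Identity $SamAccountName -Clear userSMIMECertificate
    }
}

# Usage (the account name jdoe is an assumption). Keep -WhatIf until the report looks right.
Test-SmimePublication -SamAccountName jdoe | Format-List
Test-LocalDecryptionKeys -SamAccountName jdoe | Format-Table -AutoSize
Clear-StaleSmimeCertificate -SamAccountName jdoe -WhatIf
```

Run Test-SmimePublication first: if OutlookReadsFrom is userSMIMECertificate and StaleSmimeEntries lists a certificate from the old KMS issuer, this is the situation the article describes. Clearing the attribute fixes new mail only; messages that were already encrypted to the KMS certificate still need the old private key on the reading client, which is what Test-LocalDecryptionKeys checks.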
Article ID: 822504 - Last Review: 01/17/2007 21:15:24 - Revision: 5.2
Microsoft Office Outlook 2003, Microsoft Office Outlook 2007
Keywords: kbprb kbpending KB822504