I have users who are receiving Digitally Signed email which they cannot open. (This email is not Encrypted)
Error: "Can't Open Item. Your Digital ID name can not be found by the underlying security system"
This email can be opened and read when using Outlook Web Access. I have had the senders send me signed email to work with and the same issue. Tried with Outlook 2007 same issue. After reading tons of posts and tech pubs I have tried various things without any help.
We have a CA on our domain and I have have received a security certificate from it as well as getting a cert from a 3rd party. Tried all the settings that were suggested for the security settings in Outlook and used each of the Certificates, none helped.
Most helpful posts were pointing to setting up OWA but this is up and working fine.
Latest SP's and Patches on Exchange and Outlook. S/Mime checked on mailstore
Seems I am clueless about Digitally Singed email so setting this to Beginner level.
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
1. We cannot view the certificate. I have check the sender and they seem to be setup correctly. Add digital sig, clear text and send cert all checked in Outlook.
I sent an email from another location using a Thawte Cert with the same results. Outlook just shows sender and subject info with error message as posted when you try to open. OWA opens message with this warning "This message has a digital signature, but it was not validated.".
Can you have them try sending the certificate (without private key) as an attachment in a zip file. That way you can make sure that you can view the cert ok and try installing it on one box.
Sounds like the error from Thawte is different. I would check the Details of the message for that one to see what it is complaining about as to why it would not validate it - name mismatch, expiration, or untrusted root. Thawte should normally be in your trusted root store already, so if it is an untrusted root message apply caution and verify the certificate thumbprint against the root certificate repository http://www.thawte.com/repo
Zipped and sent the Cert. I am able to read the Cert and add it to a store. I can even add it to the Contact made for the test email account sender. Nothing changes in Outlook 2003 or 2007. I still am unable to open the email except in OWA.
I feel that I am missing something obvious about the setup on my end in Outlook or Exchange.
Digitally Singed email, I should be able to right-click the name, add to contacts view the Cert etc. If the email is not Encrypted what should stopped Outlook from viewing it?
If it is not able to validate the certificate then Outlook is acting like a traffic cop.
Have you checked this as a different recipient/different box?
Is there a "details" button or link that you can click on to get more information from the error message?
Does the email address sending it match the email address listed in the cert?
3 different PC's, 3 different emails (Outlook 2003 and 2007 used). I know the one I used is correct for email address that is in the Cert. No other error information, nothing in any Event logs on PC's or Exchange. Setup is a simple 1 domain Exchange setup with default Outlook installs.
I still do not see why Outlook would stop me from viewing a digitally signed email that is not encrypted.
I assume the process is the same as is outlined here:
http://www.grapho-lock.com
I am starting to wonder if there might be something else interfering. For your antivirus software, it is one of those personal protection suites or just AV? By this I mean, does it have AV, personal firewall, anti-malware, and 'other' protection features? If so, I would sift through that or disable for testing...
You're not running an older version of Exchange are you? If so this might apply... http://support.microsoft.c
If these all exist in your AD, you can try publishing to GAL - you will need to View - Advanced Features in AD Users/Computers to get the tab for the user and then select teh Published Certificates tab and use the button to import the associated cert.
To look at things from another end - I assume the test email was simple text and no attachments, just the signature? Sometimes this can happen if part of the message or attachment gets corrupted or truncated. You could try checking the Exchange logs and see if there is anything that jumps out.
Also, check this link out, particularily the last two entries, but skim the rest as well:
http://social.technet.micr
All the post you provided Paranormastic and other information are all correct. Everything I look at says there is no reason to not open these emails. Tried with Virus software OFF, no Firewalls on PC. Sent to a different recipient same results. Pulled in the cert to the GAL no help. No information in the Exchange logs.
I need to find the place in the options that says 'check here to read digitally signed email" :)
Off for the Holidays so this goes to the back burning until Jan 5th.
If there was an email portal that injects legal messages, etc., that would break the signature as the message would have been modified after signing. Another possibility is if it might be intercepting the message and holding it.
If it was just one cert I would say that it was corrupt and replace it with a new one.
Most of the articles relating to this message seem to be legacy issues where running xp/vista on a newer than exchange 2000 environment doesn't really apply to the published help out there from Microsoft, Verisign, and such.
The message verbiage would suggest an invalid matching email address that is being used to send, but it sounds like that that doesn't fit th bill either.
If you don't mind, what versions of things do you have running - server and client? Specifically relating to OS and email, including any email filters you might have giong on. I assume they are fairly current for patching.
Did this ever work and broke, or are your users just getting signed emails now where they didn't before for whatever reason? If it used to work, I would look at recent hotfixes and such as a possible culprit.
OK, back working on this issue after the holidays.
XP SP3
Windows Server 2003 R2 SP1
Exchange 2003 Ver 6.5 SP2
Outlook 2003 SP3
All updated with latest patches.
TrendMicro Virus (Disable Client does not help)
Did a check of AD Policy and could find nothing of note (all seems to be default)
Will try laptop at home tonight via HTTP/RPC and VPN to see if issue follows.
Thanks for the help Paranormastic, I really want to solve this and then look back at how stupid I was.
Probably a typo... try checking this out - forget that its about CAC (common access cards) and apply to your situation - can probably disregard "Note 1" section, but read the rest of it.
http://www.saflink.com/sup
Issue Solved.
After hurting my back and having a week of off time to think and work on this I found the problem to be the Firewall (Watchguard, in house before I got here). It took me some time since i never worked with Watchguard equipment.
The Firewall was blocking :
type "application/x-pkcs7-signa
After adding this to the SMTP allow the issue was resolved.
Thanks to Paranormastic for the help as he did point me in the correct direction (to learn about something I really did not want to know about :) He will get the points.
Business Accounts
Answer for Membership
by: ParanormasticPosted on 2008-12-17 at 10:53:31ID: 23196672
Lets step through this one...
1. You can still view the digital signature, correct? Its just that outlook isn't taking it?
2. When you view the certificate, make sure it is not expired.
3. When you view the certificate, check the details tab and make note of the root certificate chain. If it only shows the one cert, then that is a problem - there should be a hierarchical tree shown with nothing with a red X.
Usually something will have shown up by this point.
4. You can try installing the public key of the certificate to your 'other people' certificate store.
5. When you view the certificate, check the Details tab and look for Key Usage and Enhanced Key Usage - see if there are listings for digital signatures.
6. Does this involve dig sigs from multiple people in multiple emails, or one person in multiple emails, or just this one email message? Your note above sounds like there are multiple senders, correct?
7. On the senders' end - have them verify that they have been sending to other folks without problems.
8. On the senders' end - make sure they don't have their signing cert dropped in for both signing and encrypting areas.
Lets go from here...