uscost

asked on

Digitally Signed Email Reading Outlook

I have users who are receiving Digitally Signed email which they cannot open. (This email is not Encrypted)

Error: "Can't Open Item. Your Digital ID name can not be found by the underlying security system"

This email can be opened and read when using Outlook Web Access. I have had the senders send me signed email to work with and the same issue. Tried with Outlook 2007 same issue. After reading tons of posts and tech pubs I have tried various things without any help.

We have a CA on our domain and I have received a security certificate from it as well as getting a cert from a 3rd party. Tried all the settings that were suggested for the security settings in Outlook and used each of the Certificates, none helped.

Most helpful posts were pointing to setting up OWA but this is up and working fine.

Latest SP's and Patches on Exchange and Outlook. S/MIME checked on mailstore

Seems I am clueless about Digitally Signed email so setting this to Beginner level.
Paranormastic

Let's step through this one...

1. You can still view the digital signature, correct?  It's just that Outlook isn't taking it?
2. When you view the certificate, make sure it is not expired.
3. When you view the certificate, check the details tab and make note of the root certificate chain.  If it only shows the one cert, then that is a problem - there should be a hierarchical tree shown with nothing with a red X.

Usually something will have shown up by this point.

4. You can try installing the public key of the certificate to your 'other people' certificate store.
5. When you view the certificate, check the Details tab and look for Key Usage and Enhanced Key Usage - see if there are listings for digital signatures.
6. Does this involve dig sigs from multiple people in multiple emails, or one person in multiple emails, or just this one email message?  Your note above sounds like there are multiple senders, correct?
7. On the senders' end - have them verify that they have been sending to other folks without problems.
8. On the senders' end - make sure they don't have their signing cert dropped in for both signing and encrypting areas.


Let's go from here...
uscost

ASKER

1. We cannot view the certificate. I have checked the sender and they seem to be set up correctly. Add digital sig, clear text and send cert all checked in Outlook.

I sent an email from another location using a Thawte Cert with the same results. Outlook just shows sender and subject info with error message as posted when you try to open. OWA opens message with this warning "This message has a digital signature, but it was not validated.".
Can you have them try sending the certificate (without private key) as an attachment in a zip file.  That way you can make sure that you can view the cert ok and try installing it on one box.

Sounds like the error from Thawte is different.  I would check the Details of the message for that one to see what it is complaining about as to why it would not validate it - name mismatch, expiration, or untrusted root.  Thawte should normally be in your trusted root store already, so if it is an untrusted root message apply caution and verify the certificate thumbprint against the root certificate repository http://www.thawte.com/repository/.  If it is expired double check date/time including time zones.  If it's a name mismatch then joe might have been using susie's cert, or joe's 2nd email account instead of the one listed in the cert.
uscost

ASKER

The Error messages from outlook and OWA are the same, no difference from the client sending email and my test email from another system. I will send the Cert (Thawte) from the other system and try to install on a box and post later.
uscost

ASKER

Zipped and sent the Cert. I am able to read the Cert and add it to a store. I can even add it to the Contact made for the test email account sender. Nothing changes in Outlook 2003 or 2007. I still am unable to open the email except in OWA.

I feel that I am missing something obvious about the setup on my end in Outlook or Exchange.

Digitally Signed email, I should be able to right-click the name, add to contacts, view the Cert etc. If the email is not Encrypted what should stop Outlook from viewing it?
If it is not able to validate the certificate then Outlook is acting like a traffic cop.

Have you checked this as a different recipient/different box?

Is there a "details" button or link that you can click on to get more information from the error message?

Does the email address sending it match the email address listed in the cert?
uscost

ASKER

3 different PCs, 3 different emails (Outlook 2003 and 2007 used). I know the one I used is correct for the email address that is in the Cert. No other error information, nothing in any Event logs on PCs or Exchange. Setup is a simple 1 domain Exchange setup with default Outlook installs.

I still do not see why Outlook would stop me from viewing a digitally signed email that is not encrypted.
ASKER CERTIFIED SOLUTION
Paranormastic

This solution is only available to members.
uscost

ASKER

All the posts you provided Paranormastic and other information are all correct. Everything I look at says there is no reason to not open these emails. Tried with Virus software OFF, no Firewalls on PC. Sent to a different recipient, same results. Pulled in the cert to the GAL, no help. No information in the Exchange logs.

I need to find the place in the options that says 'check here to read digitally signed email" :)

Off for the Holidays so this goes to the back burner until Jan 5th.
If there was an email portal that injects legal messages, etc., that would break the signature as the message would have been modified after signing.  Another possibility is if it might be intercepting the message and holding it.

If it was just one cert I would say that it was corrupt and replace it with a new one.

Most of the articles relating to this message seem to be legacy issues where running xp/vista on a newer than exchange 2000 environment doesn't really apply to the published help out there from Microsoft, Verisign, and such.

The message verbiage would suggest an invalid matching email address that is being used to send, but it sounds like that doesn't fit the bill either.

If you don't mind, what versions of things do you have running - server and client?  Specifically relating to OS and email, including any email filters you might have going on.  I assume they are fairly current for patching.

Did this ever work and broke, or are your users just getting signed emails now where they didn't before for whatever reason?  If it used to work, I would look at recent hotfixes and such as a possible culprit.
uscost

ASKER

OK, back working on this issue after the holidays.

XP SP3
Windows Server 2003 R2 SP1
Exchange 2003 Ver 6.5 SP2
Outlook 2003 SP3
All updated with latest patches.

TrendMicro Virus (Disable Client does not help)

Did a check of AD Policy and could find nothing of note (all seems to be default)
Will try laptop at home tonight via HTTP/RPC and VPN to see if issue follows.

Thanks for the help Paranormastic, I really want to solve this and then look back at how stupid I was.
Sounds good...  I will look into this more on Monday .. my coffee just wasn't powerful enough today for this one!
Known issue
See MS kb 937581 for the hotfix and registry change needed to correct it
uscost

ASKER

thanks for the post chicaquan but unable to find that KB. Have a link for it?
Probably a typo... try checking this out - forget that it's about CAC (common access cards) and apply to your situation - can probably disregard the "Note 1" section, but read the rest of it.

http://www.saflink.com/support/kb/kb00086.htm
(type in the kb #, not your issue :)
uscost

ASKER

Issue Solved.

After hurting my back and having a week of off time to think and work on this I found the problem to be the Firewall (Watchguard, in house before I got here). It took me some time since I never worked with Watchguard equipment.

The Firewall was blocking:

type "application/x-pkcs7-signature", filename "smime.p7s"

After adding this to the SMTP allow the issue was resolved.

Thanks to Paranormastic for the help as he did point me in the correct direction (to learn about something I really did not want to know about :)  He will get the points.
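The failure mode uncovered above is worth being able to spot on the wire: a content filter that drops the `application/x-pkcs7-signature` part leaves a message whose outer header still says `multipart/signed` but which no longer contains `smime.p7s`, which is why Outlook refused to open it while OWA showed the body with a "not validated" warning. The script below is an added example, not code from this thread or from any of the products mentioned; it builds a constructed clear-signed sample (placeholder signature bytes, example.com addresses, `micalg=sha1` as Outlook 2003 would emit) in both the intact and the filtered state and classifies each, using only the Python standard library.

```python
"""
Added example: detect an S/MIME clear-signed message whose detached
signature part has been stripped in transit.

A multipart/signed message must carry exactly two parts: the signed
content and a detached signature of type application/(x-)pkcs7-signature,
conventionally named smime.p7s.  If a gateway removes that part, the
outer Content-Type still claims the message is signed, and a strict
client cannot verify it.  Everything below is constructed sample data;
the "signature" bytes are a placeholder, not a real PKCS#7 blob.
"""
import email
from email import policy
from email.message import EmailMessage

# MIME types that carry a detached S/MIME signature: the RFC 8551 form and
# the older x- form that Outlook 2003 uses.
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def build_signed_message(strip_signature: bool = False) -> bytes:
    """Constructed multipart/signed sample.

    strip_signature=True emulates a content filter that removes the
    smime.p7s part but leaves the outer multipart/signed header untouched.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.com"          # constructed address
    msg["To"] = "recipient@example.com"         # constructed address
    msg["Subject"] = "Clear-signed test message"
    msg["Content-Type"] = (
        'multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1'
    )

    body = EmailMessage()
    body.set_content("This is the clear-text body the recipient should be able to read.")
    msg.attach(body)

    if not strip_signature:
        sig = EmailMessage()
        sig.set_content(
            b"\x30\x82PLACEHOLDER-NOT-A-REAL-PKCS7-SIGNATURE",  # constructed bytes
            maintype="application",
            subtype="x-pkcs7-signature",
            filename="smime.p7s",
            params={"name": "smime.p7s"},
        )
        msg.attach(sig)

    return msg.as_bytes()


def diagnose(raw: bytes) -> dict:
    """Classify a raw message by its S/MIME structure and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {
        "content_type": msg.get_content_type(),
        "protocol": msg.get_param("protocol"),
        "micalg": msg.get_param("micalg"),
        "part_count": 0,
        "signature_part_present": False,
        "signature_filename": None,
        "verdict": "",
    }

    if msg.get_content_type() != "multipart/signed":
        # Opaque-signed (application/pkcs7-mime) or unsigned messages do
        # not exhibit this particular failure; report them without judgement.
        result["verdict"] = "not clear-signed"
        return result

    parts = list(msg.iter_parts())
    result["part_count"] = len(parts)
    for part in parts:
        if part.get_content_type() in SIGNATURE_TYPES:
            result["signature_part_present"] = True
            result["signature_filename"] = part.get_filename()

    if result["signature_part_present"] and len(parts) == 2:
        result["verdict"] = "intact"
    elif not result["signature_part_present"]:
        # Header says signed, but the detached signature is gone: exactly
        # what a gateway blocking smime.p7s produces.
        result["verdict"] = "signature stripped"
    else:
        result["verdict"] = "malformed"
    return result


if __name__ == "__main__":
    for label, stripped in (("intact sample", False), ("filtered sample", True)):
        report = diagnose(build_signed_message(strip_signature=stripped))
        print(f"{label}: {report['verdict']} "
              f"(parts={report['part_count']}, signature={report['signature_filename']})")
```

In practice you would feed `diagnose()` a copy of the message as it arrived in the user's mailbox and compare the verdict with the same message saved from the sender's Sent Items; a "signature stripped" verdict on the received copy, with "intact" on the sent copy, points at whatever sits between the two (gateway, firewall content filter, anti-virus) rather than at the certificate or the client settings.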
uscost

ASKER

Thanks for the assist Paranormastic.