habanagold asked:
Outlook had problems encrypting this message because of missing or invalid certificates, conflicting or unsupported encryption capabilities

I am testing Certificate Services in my lab and have set up an Enterprise CA with a subordinate CA for issuing certificates within our Active Directory Domain. The first time I did this, I didn't like the generic name I gave the Root CA, so I uninstalled the Certificate Services from both domain controllers and reinstalled after rebooting. The result is that I have an Enterprise CA with 1 subordinate CA for issuing certificates.

I have two test clients running Outlook 2000 (SP3) with Exchange 5.5 (SP4) employing SMTP services for Internet Mail. Mail, etc. has all worked fine. I had both of these clients obtain a certificate via the subordinate CA, which was successful. I am now able to send e-mail with a digital ID to Exchange users and Internet mail users. However, when I select the option to "Encrypt contents and attachments for outgoing messages" from the security options on the Outlook clients, it fails.

When an e-mail is composed and then sent, a message pops up stating: "Microsoft Outlook had problems encrypting this message because the following recipients had missing or invalid certificates, or conflicting or unsupported encryption capabilities". There are 4 option buttons at the bottom of the message, which are: "Send Unencrypted", "Continue", "Cancel" and "Help". The "Continue" button is dimmed and cannot be selected. I have looked at the "Help" but it is not specific enough.

I checked TechNet and got KB835703 and applied it but it has not helped. What else am I missing or not doing correctly? Thanks for any advice.
Mob-bom:

Did you check this one to see if this was the issue? (I wasn't sure if you were testing using the GAL)
OL2000: (CW) Error Message Occurs When You Send an Encrypted Message to a Recipient on the Global Address List
http://support.microsoft.com/default.aspx?scid=kb;en-us;282959&Product=out
habanagold (asker):
I looked over this one quickly and didn't read it. However, after looking at it, I don't understand how to perform the workaround. This is very vague. I look at the properties in Exchange admin for the mailbox and find nothing pertaining to properties for Tagged-X509certs, X509-certs or User-certs. Where would these options be set or modified?

Well, I don't know if that is the issue, or if this will help. If not, hopefully someone can point you in the right direction or someone from the Exchange area:

To configure Exchange Key Management Server to use the issuing CA for its X.509.3 certificates

1. Click Start, point to Programs, point to Microsoft Exchange, and then click Microsoft Exchange Administrator.
2. On the Key Management Server Exchange Server site node, click Configuration, and in the details pane, double-click CA to open the CA Properties dialog box.
3. In the Key Management Server Password dialog box, in KM Server password, type a password (the temporary default password), select the Remember this password for up to 5 minutes check box, and then click OK to open the CA Properties dialog box.
4. On the Administrator tab, select Change My KM Server Password.
5. In Current, type a password (the temporary default password) and then type a new personal password, and verify it.
6. On the Enrollment tab, select the Allow e-mail to be sent to the user check box, and then click Issue X.509 V3 certificates only.
7. At the warning message, click OK.
8. In the Key Management Server Configuration dialog box, select the issuing CA as the Certificate Server that the Key Management Server can use to issue certificates, click OK, and then click OK to close the CA Properties dialog box.
9. Next, add the Tagged-X.509-Cert attribute for all users in this site. On the Key Management Server Exchange Server site node, click Configuration, and in the details pane, double-click DS Site Configuration to open the DS Site Configuration Properties dialog box.
10. On the Attributes tab, under Configure, select Anonymous requests. Under Show attributes for, select All mail recipients, and select the Tagged-X509-Cert attribute check box. Repeat this for Authenticated requests and inter-site replication, and then click OK.

To enable a user for advanced security

1. Create a mailbox in Microsoft Exchange Administrator, attach it to one of the users on the domain or create a new user, and then double-click the user's mailbox to see its properties.
2. On the Security tab, click Enable Advanced Security, and then click Send Enrollment Message. In the Microsoft Exchange Administrator dialog box that displays the advanced security temporary key, click OK. Then, click OK again.

Note: The enrollment message is sent to the specified user and contains the advanced security temporary key and instructions on how to set up advanced security in Outlook 98 or Outlook 2000.

To set up advanced security in Outlook® 98 or Outlook 2000

1. On the Tools menu, click Options.
2. On the Security tab, click Get a Digital ID.
3. Click Set up Security for me on the Exchange Server, and then click OK.
4. In the Setup Advanced Security dialog box, in Digital ID Name, type a name to use for the Digital ID. In the Token text box, type the advanced security temporary key, and then click OK.
5. In the Microsoft Outlook Security Password dialog box, in the Password text box, type a password to protect your Digital ID, confirm it, and then click OK. Click OK again. This password will be needed whenever you receive encrypted e-mail.

http://www.microsoft.com/technet/prodtechnol/exchange/55/maintain/pkiexchg.mspx
I discovered that I did not have the Key Management Server installed on my Exchange Server. I have installed it, run SP4, and the service will not start. I have entered the Key Management password given at the time of setup but it still won't start. Do I need to uninstall the CA and get the Key Management piece working first? What gives?
>>> but it still won't start

What is the error message or event log id and source?
Removed it from my Primary Exchange Server and installed it onto my second server, which is running the IMS and other user accounts. Finally got it going, but not without headaches. Created the KM Password to start the service by using the floppy disk method. Finally, when I got into Exchange to the CA object you are talking about, I could not get in with any password until I looked at the help and it stated that if this was the first time in, the password was "password". GEEZZZZZZZZZZ!!!!!!

I wouldn't be so frustrated if I could just get my hands on complete documentation instead of piecing white papers together that were probably written by several different authors who didn't take the time to make sure their information dovetailed together. (I digress).

At any rate, I will work on what you stated and reply back ASAP.
Well, yes frustrating, but I read through the MS white paper in the link above and it seemed more or less complete.  Good luck :)
Read so fast I missed the white paper. Shame on me.
O.K. Read the white paper and followed it to the letter. Now, a new error. When I attempt to follow the steps on enrollment (step 8) of the instructions for installing Exchange Key Management Server on the issuing CA, I select the subordinate CA. I am then greeted with a warm message stating "The Key Management Server Database operation failed. Microsoft Exchange Administrator ID No: c1031d9f".

Checking TechNet I found Microsoft Knowledge Base Article 218802, which appears to be alluding to an invalid character in my company name (perhaps it is the ampersand I used in the company name of Hopkins & Associates instead of Hopkins and Associates). The TechNet article does not send me to a fix but tells me I have to contact Microsoft directly and pay for support. What kind of angle is this? Where did they inform me that using an ampersand in my company name would cause any problems with Exchange?

The only thing in the event viewer is the following warning.

Certificate Services denied request 10 because The request contains no certificate template information.  0x80094801 (-2146875391).  The request was for CN=Certificate Authority, OU=COHIBA, O=Hopkins & Associates, C=US.  Additional information: Denied by Policy Module  The request does not contain a certificate template extension or the CertificateTemplate request attribute.

Not a very happy camper at the moment.
There is a workaround in the KB 218802.  Did you give that a whirl?

I also found this:

"KM Server Reports c1031d9f

This error message occurs if the CA server is running in a domain that is different from the domain of the KM server and the fix that is described in Knowledge Base article 262288 is not applied on the Windows 2000 server where Exchange Server 5.5 KM server is running. To resolve this problem, install the fix that is described in 262288."  Is that applicable as I don't see where you said the OS?
I attempted to apply the workaround in KB218802 but there was no registry entry for "Subject Name Separator". I don't see how this could be the problem. KB262288 applies to W2K running in an NT4 Domain, which is not the case (sorry I didn't clarify that earlier). I still don't have any answers.

In the meantime, I have set up a mirrored Exchange Server except I have replaced the "&" with the word "and" in my company name. I have successfully been able to send mail back and forth to the test site, but this requires changing the routing information under the SMTP Virtual Server | Domains | Remote Domain Name | General | Route Domain properties to point to this Exchange Server running the IMS. I don't want to have to do this, but I don't have any more clues as to why the Key Management Server is failing to work with the CA.

To recap my environment:

W2K Active Directory Domain running in native mode (SP4)

2 domain controllers both running Exchange 5.5 with (SP4)

Exchange 5.5 Internet Mail Service is running on the secondary domain controller

IIS 5.0 with SMTP services running on primary domain controller relaying Internet Mail to Internet Mail Service on secondary domain controller.

Certificate Server Root is on the primary domain controller (Operations Master)

Subordinate CA is on the secondary domain controller.
Wow, I guess the & was the cause :(  No other hiccups then, using the "and" mirrored ES?
Sorry, but the "and" did not fix the problem. Same error message as before. This can't be the problem. I am going to re-apply SP4 to the W2K servers. I didn't before when I installed the Certificate Services because I had slipstreamed the installation directory so that I would not have to re-apply Service Packs whenever I added a service. Perhaps this shotgun effect will solve the problem. I can't understand why there is no previous issue on this.
By the way, what is the difference between the Exchange E-mail security feature for mailboxes and Certificate Services? Actually, I believe I understand, but it appears that you don't need to have Certificate Services in order to set up Secure E-mail with Exchange. Is this correct?
In that white paper, it does say to install the SP after the KMS is installed.
Discovered that I was missing expolicy.dll. However, the white paper is a process for Exchange 5.5 in an NT4 Domain that is later upgraded to Active Directory. The part I missed was with expolicy.dll. However, in the Exchange SP4 Support folder, there are two folders for KMS. One is for NT4 and the other is W2K. Wouldn't I use the expolw2k.dll file instead of expolicy.dll since I am already in Active Directory?
I have no idea.

Here's whitepaper that may help as well, read this one carefully!  "This white paper describes a variety of scenarios that integrate Windows 2000 Server certification authorities with Exchange Server 5.5 advanced security." http://whitepapers.zdnet.co.uk/0,39025945,60013472p-39000550q,00.htm
Thanks for your persistence. I know it's not your fault, but the link you sent simply leads back to Microsoft, which no longer maintains this white paper. I finally found a copy using a Google search (again, I can't understand why Microsoft's search engine could not come up with this) that led me back to Microsoft but only had the paper in HTML format. I did obtain that and am reviewing it. The only white paper they have on the subject is with W2K3 and Exchange 2K.

You know, I am just a technical professional with 12 years' experience in the industry working on my MCSE, raising a family, etc. (Seems no one cares about the experience anymore, just what letters follow your name). I am doing the best I can with the budget I have, and yes, I know the technology I am working with is somewhat outdated. You have to start somewhere. I appreciate the time you have taken to attempt to shed some light on the subject.

I will let you know what I find out just as soon as I can.
Do let me know what happens!
Finally success.
First, I added a new site to my Exchange Organization, configured an X.400 connector, and tested. (Not really necessary, but it was good practice). I now have 2 different sites on 2 different subnets connected by X.400 over a router.

After performing the registration of expolicy.dll (I never found any information on expolw2k.dll and I still do not know what it is for), I found some additional steps in the white paper, the HTML version I found on MS using the Google search. These steps apparently weren't in the white paper "Deploying a Public Key Infrastructure for MS Exchange 5.5" found at MS. They are as follows:

The Expolicy.dll File
You must register the Exchange Server policy module (the Expolicy.dll file) with the Certificate Server to configure Exchange Server advanced security to use a Certificate Server.

Important:   After you register this policy module and restart the Certificate Services, that Certificate Server will only be able to issue and verify certificates for Exchange Server. If you need a Certificate Server that can issue and verify certificates other than Exchange Server certificates, you need to install another Certificate Server to perform that function.

Note:   You will not need the legacy policy module for Exchange 2000 Server KM server, because Exchange 2000 Server KM server will enable a single Certificate Server to serve multiple PKI services.  

21. The Expolicy.dll file is located on the Exchange Server 5.5 Service Pack 3 installation disk in the following folder: Server\Support\Kms\Expolicy\CPU_type, where CPU_type is the type of processor that the computer uses. To register this file, go to an MS-DOS command prompt on the Certificate Server, change to this folder, and then type the following:

    regsvr32 expolicy.dll

Note:   Use only the Expolicy.dll file that is located on the Exchange Server 5.5 Service Pack 3 installation disk. The Expolicy.dll file that is located on the Exchange Server 5.5 Service Pack 1 installation disk is not the most recent version.

22. Select the legacy policy module on the Windows 2000 Server CA. On the Windows 2000 Server CA, in Control Panel, double-click Administrative Tools, and then start the Certification Authority snap-in. Right-click the server to open its properties, and then click the Policy Module tab. When the following page is displayed, click Select.

23. When the Set Active Policy Module dialog box is displayed, click Legacy Policy Module, and then click OK.
24. Click either OK or Apply. The Certificate Services automatically restart and begin to use the legacy policy module.

My only question now is, how many KMs should there be? This process only allows users with mailboxes on the KM server to use Advanced Security. It doesn't propagate to the other servers. I haven't found any way to replicate it to the other servers and doubt that is available. The only option seems to be to install additional KMs on the other servers or move users' mailboxes to the KM server, which doesn't seem practical.

Any thoughts?
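Added example, not part of this thread: a small Python triage helper for the Certificate Services warning quoted earlier (request 10 denied with 0x80094801 by the policy module), which maps that deny code to the Legacy Policy Module fix this post describes. The regular expression, the ADVICE table and the sample line are my own; the sample reconstructs the event text from the thread.

```python
import re

# Constructed sample reproducing the event-log warning quoted in the thread (not an exported log).
SAMPLE_EVENT = (
    "Certificate Services denied request 10 because The request contains no "
    "certificate template information.  0x80094801 (-2146875391).  The request "
    "was for CN=Certificate Authority, OU=COHIBA, O=Hopkins & Associates, C=US.  "
    "Additional information: Denied by Policy Module  The request does not contain "
    "a certificate template extension or the CertificateTemplate request attribute."
)

DENIAL_RE = re.compile(
    r"Certificate Services denied request (?P<id>\d+) because (?P<reason>.+?)\s+"
    r"0x(?P<hex>[0-9A-Fa-f]{8}) \((?P<dec>-?\d+)\)\.\s+"
    r"The request was for (?P<subject>.+?)\.\s+Additional information: (?P<detail>.+)$"
)

# 0x80094801 is what this thread hit: the Enterprise policy module demands a template that KMS requests lack.
ADVICE = {
    0x80094801: "template-less request rejected by the policy module: register expolicy.dll "
                "and select the Legacy Policy Module on the CA that serves KMS",
}

def hresult_to_signed(code: int) -> int:
    # The event text shows the HRESULT a second time as a signed 32-bit decimal.
    code &= 0xFFFFFFFF
    return code - 0x100000000 if code & 0x80000000 else code

def parse_dn(dn: str) -> list:
    # Split an X.500 DN into (attribute, value) pairs; assumes no escaped commas.
    return [tuple(part.split("=", 1)) for part in dn.split(", ")]

def parse_ca_denial(line: str):
    """Return the fields of a 'Certificate Services denied request' line, or None."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    hresult = int(m["hex"], 16)
    return {
        "request_id": int(m["id"]),
        "hresult": hresult,
        "decimal_matches": int(m["dec"]) == hresult_to_signed(hresult),  # consistency check
        "subject": m["subject"],
        "detail": m["detail"].strip(),
    }

def triage(event: dict) -> str:
    # One-line note for the CA administrator built from a parsed denial.
    advice = ADVICE.get(event["hresult"], "unrecognised deny code; review the CA policy module")
    cn = dict(parse_dn(event["subject"])).get("CN", "?")
    return f"request {event['request_id']} for {cn}: {advice}"
```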
Performed the same process on an Exchange Server in the other site and with my mailbox. Without any precedent to work off of, I modified the CA properties in the second Exchange Server to point to the CA that I had the earlier Exchange Server in the other site employ. Worked out fine. Tested by sending encrypted, digitally signed e-mail across the sites without incident. I guess I can say "case closed". Hope this thread helps someone with a similar concern.
By the way, my apologies for the typos and misspelled words during this engagement.
Sorry I wasn't around on 05/01 to provide feedback.  Glad it's working :)

You will want to be sure to close this question so it becomes a permanent solution that others can use!
How do you close the thread?
ASKER CERTIFIED SOLUTION
PashaMod