Underlying digital id not found for one user email encryption outlook 2003

Posted on 2008-11-12
Last Modified: 2012-05-05
Hey, so I'm trying to set up an email encryption certificate for one employee. He previously had one that expired a few months back. We have our own internal CA (Server 2003 R2, Exchange 2003 SP2) and it works fine for 30 other people that use email encryption (just tested another user, which works fine). Gone through the normal process and it installs the certificate with no problems. After publishing to the GAL I can send from his Outlook to me and the encryption works fine. On my laptop (Office 2007, cached mode) I download address books, try to send him an encrypted email and it says there's no valid certificate for him.
So I thought, well, maybe it's an Outlook 2007 thing. Tried from other users that are on Outlook 2003, online or cached mode, and they get the same thing. Now if I go on the Terminal Servers and send encrypted to him I don't get the warning and the email sends. However, he then gets the message saying digital ID not found when trying to open the message.

I've created 3 new certificates for this user with no luck. I've gone into his user account in AD and removed the failed certificates and created a new one; no luck.
Question by: ryanmgreen
    LVL 31

    Expert Comment

    Does the cert show up OK in AD? Open up AD Users & Computers, View - Advanced Features, then search for the user, open the properties and check the Published Certificates tab. If it's not there, you can export it from the client machine from the Certificates MMC (do not include the private key), and then use the Add option in ADUC to put the cert in manually.

    Another area to check is to put their name in the address bar, right click and Look up Outlook Contact, then check the Certificates tab there. On the laptop, etc., that wasn't finding it, you can locate the cert here and export it, then import it to your box. Alternatively, you can have them send a signed email if the same cert is being used for signing and encrypting.

    You can also try from the client:
    certutil -pulse
    gpupdate /force
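    The Published Certificates tab only tells you a certificate is there, not whether Outlook will accept it for S/MIME. The following is an added example script (not from this thread or from any of the posters) that reads the userCertificate attribute straight from AD over ADSI and flags the usual reasons a published cert is rejected: expired, missing the Secure Email EKU, an RFC822 name that does not match the mail attribute, or a chain that does not verify. It assumes a domain-joined Windows box with Windows PowerShell; the account name 'jdoe' is a placeholder.

```powershell
# Added example, not the thread's own code: audit the certificates published on an
# AD user object for S/MIME suitability. Assumes a domain-joined Windows host.
param([string]$SamAccountName = 'jdoe')   # placeholder, replace with the affected user

$SecureEmailEku = '1.3.6.1.5.5.7.3.4'      # id-kp-emailProtection

$searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$searcher.PropertiesToLoad.AddRange(@('mail', 'userCertificate'))
$result = $searcher.FindOne()
if (-not $result) { throw "User $SamAccountName not found in AD" }

$mail  = [string]($result.Properties['mail'] | Select-Object -First 1)
$blobs = @($result.Properties['usercertificate'])
if ($blobs.Count -eq 0) { Write-Warning "No certificates published on $SamAccountName"; return }

foreach ($blob in $blobs) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
    $problems = @()

    # 1. Validity window: an expired cert is the most common cause of "no valid certificate".
    $now = Get-Date
    if ($cert.NotAfter -lt $now)  { $problems += "expired $($cert.NotAfter.ToString('yyyy-MM-dd'))" }
    if ($cert.NotBefore -gt $now) { $problems += "not valid until $($cert.NotBefore.ToString('yyyy-MM-dd'))" }

    # 2. Enhanced Key Usage must include Secure Email, or Outlook will not use it for S/MIME.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SecureEmailEku })) {
        $problems += 'EKU lacks Secure Email'
    }

    # 3. The RFC822 name in the Subject Alternative Name should match the GAL address (mail attribute).
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if ($mail -and ($sanText -notmatch [regex]::Escape($mail))) {
        $problems += "SAN does not contain $mail"
    }

    # 4. The chain must build to a trusted CA; Verify() also performs the revocation check.
    if (-not $cert.Verify()) { $problems += 'chain or revocation check failed' }

    $status = if ($problems.Count) { 'BAD: ' + ($problems -join '; ') } else { 'OK' }
    '{0}  {1}  {2}' -f $cert.Thumbprint, $cert.NotAfter.ToString('yyyy-MM-dd'), $status
}
```

    Run it against the affected user and against one of the working users; a cert that reports OK here but still fails in Outlook points at the client side (address book cache or the Outlook security profile) rather than at what is published in AD.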

    Author Comment

    It does show up OK in AD. Shows no issues when looking at it through the MMC.

    The cert is just for email encryption internally in our domain. I did the lookup contact you mentioned and he was not in my contacts (because I work with him). So I added him as a contact and the certificate does show up. Now it allows me to send out an encrypted email to him but he still gets the digital ID not found.

    He can send encrypted to me or anyone else with no problem. So bottom line is he can't open encrypted emails from me or others, and we can't send to him unless we add him to Outlook contacts. Pretty bizarre.
    LVL 31

    Expert Comment

    Do the rest of you have email signing certs?
    Now that we're past the worst part, check his Outlook settings to make sure he has the correct cert listed there to use for encryption. In Outlook 2003: Tools - Options - Security - Settings.

    Make sure the encryption cert is listed and is the correct one.
    Check 'Send these certificates with signed messages'.

    If you have Word do your email, you might check it in there as well. When in email mode (send to recipient), use the "Options" on the toolbar (not Tools - Options) - Security Settings - Change Settings - same as above.

    Author Comment

    We have about 20 people that use them. Everything looks good on the Outlook side for the security settings. The checkmark is set for 'Send these certificates with signed messages'. That's what I don't get. He can send encrypted to me and it works fine. Sending to him doesn't work for me or other accounts with encryption.

    We don't use Word for email.

    Anything else to check? He is on a Terminal Server 2003, but I've tried it with a test user and it works fine. Seems to be something specific to his account.

    Accepted Solution

    Ended up working yesterday. Not sure if the cert needed overnight to validate or what, but we tested it yesterday morning and it worked in all facets. Please close question.
