ryanmgreen


Underlying digital id not found for one user email encryption outlook 2003

Hey so I'm trying to set up an email encryption certificate for one employee.  He previously had one that expired a few months back.  We have our own internal CA (Server 2003 R2, Exchange 2003 SP2) and it works fine for 30 other people that use email encryption (just tested another user which works fine).  Gone through the normal process and it installs the certificate with no problems.  After publishing to the GAL I can send from his Outlook to me and the encryption works fine.  On my laptop (Office 2007, cached mode), I download address books, try to send him an encrypted email and it says there's no valid certificate for him.
 
So I thought well maybe it's an Outlook 2007 thing.  Tried from other users that are on Outlook 2003 online or cached mode and they get the same thing.  Now if I go on the Term servers and send encrypted to him I don't get the warning and the email sends.  However, he then gets the message saying digital id not found when trying to open the message.

I've created 3 new certificates for this user with no luck.   I've gone into his user account in AD and removed the failed certificates and created a new one, no luck.
Paranormastic

Does the cert show up OK in AD?  Open up AD Users & Computers and View - Advanced Features, then search for the user and open the properties, check the Published Certificates tab.  If not there, you can export from the client machine from the Certificates MMC (do not include the private key), and then use the Add option in ADUC to put the cert in manually.

Another area to check is to put their name in the address bar, right click and Look up Outlook Contact, then check the Certificates tab there.  On the laptop, etc., that wasn't finding it you can locate the cert here and export it, then import it to your box.  Alternatively, you can have them send a signed email if the same cert is being used for signing and encrypting.

You can also try from the client:
certutil -pulse
gpupdate /force
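As an added example (not from this thread or its participants), the following PowerShell reads the certificates behind that Published Certificates tab straight from the user's userCertificate attribute and reports, for each one, whether it is expired, carries the Secure Email EKU, and names the user's mail address. The account name and LDAP search root are placeholders you must replace.

```powershell
# Added diagnostic example; not code from the original thread.
# Assumes: a domain-joined box with read access to AD, no AD PowerShell module needed.
param(
    [string]$SamAccountName = "jdoe",                       # placeholder: the affected user
    [string]$SearchRoot     = "LDAP://DC=example,DC=local"  # placeholder: your domain
)

# Locate the user object with a plain ADSI searcher.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$SearchRoot
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("mail", "userCertificate"))
$result = $searcher.FindOne()
if (-not $result) { throw "User $SamAccountName not found under $SearchRoot" }

$mail = $null
if ($result.Properties["mail"].Count -gt 0) { $mail = [string]$result.Properties["mail"][0] }

$secureEmailEku = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection (Secure Email)
$now = Get-Date

# The Published Certificates tab is backed by the multi-valued userCertificate
# attribute; each value is one DER-encoded certificate.
foreach ($der in $result.Properties["userCertificate"]) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)

    # Collect Enhanced Key Usage OIDs, if the extension is present.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # Outlook matches the recipient's SMTP address against the e-mail name in the cert.
    $certMail = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Expired     = ($cert.NotAfter -lt $now)
        SecureEmail = ($ekus -contains $secureEmailEku)
        CertEmail   = $certMail
        MailMatches = [bool]($certMail -and $mail -and ($certMail -ieq $mail))
    }
}
```

A stale or expired entry still sitting in the attribute, or a cert whose e-mail name does not match the mail attribute, is exactly the kind of mismatch that makes a recipient's certificate fail to resolve from the GAL.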
ryanmgreen

ASKER

It does show up OK in AD.  Shows no issues when looking at it through MMC.

The cert is just for email encryption internally in our domain.  I did the lookup contact you mentioned and he was not in my contacts (because I work with him).  So I added him as a contact and the certificate does show up.  Now it allows me to send out an encrypted email to him but he still gets the digital id not found.

He can send encrypted to me or anyone else with no problem.  So bottom line is he can't open encrypted emails from me or others. And we can't send to him unless we add him to Outlook contacts.  Pretty bizarre
Do the rest of you have email signing certs?
Now that we're past the worst part, check his outlook settings to make sure he has the correct cert listed there to use for encryption.  In outlook 2003: Tools - Options - Security - Settings.

Make sure encryption cert is listed and is the correct one.
Checkmark 'Send these certificates with signed messages'

If you have Word do your email, you might check it in there as well.  When in email mode (send to recipient) - use the "Options" on the toolbar (not tools-options) - security settings - change settings - same as above...
We have about 20 people that use them.  Everything looks good on the Outlook side for the security settings.  The checkmark is set for send these certificates with signed messages.  That's what I don't get.  He can send encrypted to me and it works fine.  Sending to him doesn't work for me or other accounts with encryption.

We don't use Word for email.

Anything else to check?  He is on a Term server 2003, but I've tried it with a test user and it works fine.  Seems to be something specific to his account.
ASKER CERTIFIED SOLUTION
ryanmgreen