Underlying digital id not found for one user email encryption outlook 2003

Hey, so I'm trying to set up an email encryption certificate for one employee. He previously had one that expired a few months back. We have our own internal CA (Server 2003 R2, Exchange 2003 SP2) and it works fine for 30 other people that use email encryption (just tested another user, which works fine). Gone through the normal process and it installs the certificate with no problems. After publishing to the GAL I can send from his Outlook to me and the encryption works fine. On my laptop (Office 2007, cached mode) I download address books, try to send him an encrypted email and it says there's no valid certificate for him.
So I thought, well, maybe it's an Outlook 2007 thing. Tried from other users that are on Outlook 2003 online or cached mode and they get the same thing. Now if I go on the Term servers and send encrypted to him I don't get the warning and the email sends. However, he then gets the message saying digital ID not found when trying to open the message.

I've created 3 new certificates for this user with no luck. I've gone into his user account in AD and removed the failed certificates and created a new one, no luck.

Paranormastic (Cryptographic Engineer) commented:
Does the cert show up OK in AD? Open up AD Users & Computers and View - Advanced Features, then search for the user and open the properties, check the Published Certificates tab. If not there, you can export from the client machine from the Certificates MMC (do not include the private key), and then use the Add option in ADUC to put the cert in manually.

Another area to check is to put their name in the address bar, right click and Look up Outlook Contact, then check the Certificates tab there. On the laptop, etc., that wasn't finding it, you can locate the cert here and export it, then import it to your box. Alternatively, you can have them send a signed email if the same cert is being used for signing and encrypting.

You can also try from the client:
certutil -pulse
gpupdate /force
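A scripted version of the first check above (is the cert published on the AD user, and is it actually usable for encrypting to him), as an added PowerShell example that is not from the thread: it reads the user's published certificates from AD and flags ones that are expired, not yet valid, missing the Secure Email EKU, or issued to a different address. The user address is a placeholder.

```powershell
# Added example (not from the thread): list the certificates published on an AD user
# (the ADUC "Published Certificates" tab, which the GAL/OAB carry to Outlook) and report
# why each is or is not usable for S/MIME encryption. Assumes a domain-joined host with
# read access to the user; $UserEmail is a placeholder value.
param([string]$UserEmail = 'user@example.com')  # placeholder, replace
$SmimeEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection ("Secure Email")

# Returns the reasons $Cert cannot be used to encrypt to $Email; an empty list means OK.
function Test-SmimeEncryptionCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Email, [datetime]$Now = (Get-Date))
    $problems = @()
    if ($Cert.NotAfter  -lt $Now) { $problems += "expired $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt $Now) { $problems += "not valid until $($Cert.NotBefore)" }
    $ekus = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
    if ($ekus -notcontains $SmimeEku) { $problems += 'no Secure Email EKU' }
    # Outlook matches the recipient address against the RFC822 SAN entry or E= in the Subject.
    $san = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join ';'
    $pattern = [regex]::Escape($Email)
    if ($san -notmatch $pattern -and $Cert.Subject -notmatch $pattern) {
        $problems += "address $Email not in SAN or Subject"
    }
    return $problems
}

# Pull the two attributes Outlook's address book relies on for S/MIME recipients.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(mail=$UserEmail))"
$null = $searcher.PropertiesToLoad.Add('userCertificate')
$null = $searcher.PropertiesToLoad.Add('userSMIMECertificate')
$result = $searcher.FindOne()
if (-not $result) { throw "No AD user with mail=$UserEmail" }

foreach ($attr in 'userCertificate', 'userSMIMECertificate') {
    $blobs = @($result.Properties[$attr])
    Write-Host "$attr : $($blobs.Count) value(s)"
    foreach ($blob in $blobs) {
        # userSMIMECertificate (written by Outlook's Publish to GAL) is a PKCS#7 blob,
        # which the Windows X509Certificate2 constructor can also load.
        try { $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$blob) }
        catch { Write-Host '  unparseable value, skipping'; continue }
        $problems = Test-SmimeEncryptionCert -Cert $cert -Email $UserEmail
        $status = if ($problems) { 'UNUSABLE: ' + ($problems -join '; ') } else { 'OK' }
        Write-Host "  $($cert.Thumbprint) $($cert.Subject) -> $status"
    }
}
```

Stale expired certs left in userCertificate show up as UNUSABLE next to the current one, which is what to look for when a user has been re-issued several times.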
ryanmgreen (Author) commented:
It does show up OK in AD. Shows no issues when looking at it through MMC.

The cert is just for email encryption internally in our domain. I did the lookup contact you mentioned and he was not in my contacts (because I work with him). So I added him as a contact and the certificate does show up. Now it allows me to send out an encrypted email to him but he still gets the digital ID not found.

He can send encrypted to me or anyone else with no problem. So bottom line is he can't open encrypted emails from me or others. And we can't send to him unless we add him to Outlook contacts. Pretty bizarre.
Paranormastic (Cryptographic Engineer) commented:
Do the rest of you have email signing certs?
Now that we're past the worst part, check his Outlook settings to make sure he has the correct cert listed there to use for encryption. In Outlook 2003: Tools - Options - Security - Settings.

Make sure the encryption cert is listed and is the correct one.
Checkmark 'Send these certificates with signed messages'.

If you have Word do your email, you might check it in there as well. When in email mode (send to recipient), use the "Options" on the toolbar (not Tools - Options) - security settings - change settings - same as above...
ryanmgreen (Author) commented:
We have about 20 people that use them. Everything looks good on the Outlook side for the security settings. The checkmark is set for "Send these certificates with signed messages". That's what I don't get. He can send encrypted to me and it works fine. Sending to him doesn't work for me or other accounts with encryption.

We don't use Word for email.

Anything else to check? He is on a Term server 2003, but I've tried it with a test user and it works fine. Seems to be something specific to his account.
ryanmgreen (Author) commented:
Ended up working yesterday. Not sure if the cert needed overnight to validate or what, but we tested it yesterday morning and it worked in all facets. Please close the question.
