• Status: Solved

Underlying digital ID not found for one user: email encryption, Outlook 2003

Hey, so I'm trying to set up an email encryption certificate for one employee. He previously had one that expired a few months back. We have our own internal CA (Server 2003 R2, Exchange 2003 SP2) and it works fine for 30 other people that use email encryption (I just tested another user, which works fine). I've gone through the normal process and it installs the certificate with no problems. After publishing to the GAL I can send from his Outlook to me and the encryption works fine. On my laptop (Office 2007, cached mode) I download the address book, try to send him an encrypted email, and it says there's no valid certificate for him.

So I thought, well, maybe it's an Outlook 2007 thing. Tried from other users that are on Outlook 2003, online or cached mode, and they get the same thing. Now if I go on the Terminal Servers and send encrypted to him I don't get the warning and the email sends. However, he then gets the message saying "digital ID not found" when trying to open the message.

I've created 3 new certificates for this user with no luck. I've gone into his user account in AD and removed the failed certificates and created a new one, with no luck.
Asked by: ryanmgreen
1 Solution
 
Paranormastic (Cryptographic Engineer) commented:
Does the cert show up OK in AD? Open up AD Users & Computers, choose View - Advanced Features, then search for the user, open the properties and check the Published Certificates tab. If it's not there, you can export it from the client machine from the Certificates MMC (do not include the private key), and then use the Add option in ADUC to put the cert in manually.

Another area to check is to put their name in the address bar, right-click and choose Look up Outlook Contact, then check the Certificates tab there. On the laptop, etc., that wasn't finding it, you can locate the cert here and export it, then import it to your box. Alternatively, you can have them send a signed email if the same cert is being used for signing and encrypting.

You can also try from the client:
certutil -pulse
gpupdate /force
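The first step of the answer above (confirm the cert is actually on the user object, and that it is one Outlook can use for encryption) can be checked from a script instead of clicking through ADUC. The following is an added example written for this page; it is not the asker's or the commenter's script. It reads the user's userCertificate attribute, which is the data the Published Certificates tab displays, and for each certificate checks validity dates, key usage, the Secure Email EKU, whether the user's SMTP address appears in the certificate, and whether it chains to a trusted CA with revocation checking. It assumes PowerShell 2.0 on a domain-joined machine (it uses System.DirectoryServices rather than the later ActiveDirectory module, so it works against a Server 2003 R2 domain); the account name 'jdoe' is a placeholder.

```powershell
# Added example, not code from the thread. Lists the certificates published on an AD
# user object (the userCertificate attribute, i.e. what ADUC's "Published Certificates"
# tab shows) and reports whether each one is usable for S/MIME encryption.
# Assumes PowerShell 2.0 on a domain-joined machine; 'jdoe' is a placeholder account.
param([string]$SamAccountName = 'jdoe')

$emailProtectionOid = '1.3.6.1.5.5.7.3.4'    # id-kp-emailProtection (Secure Email EKU)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.Add('userCertificate')
[void]$searcher.PropertiesToLoad.Add('mail')
$result = $searcher.FindOne()
if ($result -eq $null) { throw "User '$SamAccountName' not found in AD." }

$mail = ''
$mailProp = $result.Properties['mail']
if ($mailProp.Count -gt 0) { $mail = [string]$mailProp[0] }
$blobs = $result.Properties['usercertificate']
Write-Host ("{0} ({1}): {2} certificate(s) published" -f $SamAccountName, $mail, $blobs.Count)
if ($blobs.Count -eq 0) {
    Write-Host "Nothing published: export the cert (without private key) from the client's Certificates MMC and add it on the Published Certificates tab."
    return
}

foreach ($blob in $blobs) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)

    # An expired cert stays in the attribute and still shows in ADUC; flag it explicitly.
    $now = Get-Date
    $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    # Key Usage must allow key encipherment for an RSA encryption cert (no KU extension = unrestricted).
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $kuOk = ($ku -eq $null) -or (($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment) -ne 0)

    # Enhanced Key Usage must include Secure Email (no EKU extension = any purpose).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOk = ($eku -eq $null) -or (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $emailProtectionOid)

    # Outlook matches the recipient's SMTP address against the RFC822 name in the SAN or E= in the Subject.
    $names = $cert.Subject
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -ne $null) { $names += ' ' + $san.Format($false) }
    $addrOk = ($mail -ne '') -and ($names.ToLower().Contains($mail.ToLower()))

    # Build the chain with online revocation checking, as the sending client would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $chainInfo = 'ok'
    if (-not $chainOk) { $chainInfo = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }

    Write-Host ''
    Write-Host ("Thumbprint  : {0}" -f $cert.Thumbprint)
    Write-Host ("Subject     : {0}" -f $cert.Subject)
    Write-Host ("Valid       : {0:yyyy-MM-dd} to {1:yyyy-MM-dd}  (in date: {2})" -f $cert.NotBefore, $cert.NotAfter, $inDate)
    Write-Host ("KeyEncipher : {0}   Secure Email EKU: {1}   address match: {2}" -f $kuOk, $ekuOk, $addrOk)
    Write-Host ("Chain       : {0}" -f $chainInfo)
    Write-Host ("USABLE      : {0}" -f ($inDate -and $kuOk -and $ekuOk -and $addrOk -and $chainOk))
}
```

Run it as `.\Check-PublishedCerts.ps1 -SamAccountName <user>` from a domain member. A cert that passes every check here but still cannot be found from a cached-mode client points away from AD and toward what that client actually reads: in cached mode Outlook resolves recipients against the downloaded Offline Address Book rather than the live GAL, and the OAB must be downloaded with Full Details for certificates to be included. That the asker's case "ended up working" the next morning is consistent with a stale OAB being regenerated on Exchange's daily schedule, but that is an inference, not something the thread confirms.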
 
ryanmgreen (Author) commented:
It does show up OK in AD. Shows no issues when looking at it through the MMC.

The cert is just for email encryption internally in our domain. I did the "look up contact" you mentioned and he was not in my contacts (because I work with him). So I added him as a contact and the certificate does show up. Now it allows me to send out an encrypted email to him, but he still gets "digital ID not found".

He can send encrypted to me or anyone else with no problem. So, bottom line, he can't open encrypted emails from me or others, and we can't send to him unless we add him to Outlook contacts. Pretty bizarre.
 
Paranormastic (Cryptographic Engineer) commented:
Do the rest of you have email signing certs?
Now that we're past the worst part, check his Outlook settings to make sure he has the correct cert listed there to use for encryption. In Outlook 2003: Tools - Options - Security - Settings.

Make sure the encryption cert is listed and is the correct one.
Checkmark "Send these certificates with signed messages".

If you have Word do your email, you might check it in there as well. When in email mode (send to recipient), use the "Options" button on the toolbar (not Tools - Options) - Security Settings - Change Settings - same as above.
 
ryanmgreen (Author) commented:
We have about 20 people that use them. Everything looks good on the Outlook side for the security settings. The checkmark is set for "Send these certificates with signed messages". That's what I don't get. He can send encrypted to me and it works fine. Sending to him doesn't work for me or other accounts with encryption.

We don't use Word for email.

Anything else to check? He is on a Terminal Server 2003, but I've tried it with a test user and it works fine. Seems to be something specific to his account.
 
ryanmgreen (Author) commented:
Ended up working yesterday. Not sure if the cert needed overnight to validate or what, but we tested it yesterday morning and it worked in all facets. Please close the question.
