Outlook 2003 continues to use old certificates after you migrate from Key Management Server to Public Key Infrastructure (822504)
The information in this article applies to:
- Microsoft Office Outlook 2003
SYMPTOMS
After you migrate from Key Management Server (KMS) to Public Key Infrastructure (PKI), you cannot read e-mail messages that are sent by Microsoft Office Outlook 2003 users, but you can read e-mail messages that are sent by Outlook Web Access (OWA) users.
Note This problem occurs if you remove your old KMS keys during the migration.
CAUSE
This problem occurs when you migrate from KMS to PKI. The PKI Windows Certification Authority publishes new certificates to the userCertificate attribute in Active Directory. However, the old certificates that were issued by KMS are still contained in the userSMIMECertificate attribute in Active Directory.
By default, Outlook 2003 searches for a certificate in the userSMIMECertificate attribute in Active Directory first, and then searches the userCertificate attribute only if no certificate is found. In this situation, the Outlook client picks up the certificate that is found in the userSMIMECertificate attribute, which is the old KMS certificate.
By default, Outlook Web Access (OWA) searches for a certificate in the userCertificate attribute in Active Directory first, and then searches the userSMIMECertificate attribute only if no certificate is found.
RESOLUTION
Use one of the following methods to resolve this problem:
- Verify that the client that is reading the e-mail message
has the keys from both the userSMIMECertificate and the userCertificate attributes in Active Directory in the local certificate
store.
- Clean up the userSMIMECertificate attribute so that it contains the latest key (the key that is
published to the userCertificate attribute).
Users can use the Publish to GAL option to make sure that their new certificates are published in the directory. To do this, follow these steps:
- In Outlook, click Tools, click Options, and then click Security.
- Click Security Settings, and then verify that the digital ID that is required for publishing is configured. Click Choose to select the digital ID that is required for digital signature and encryption, and then click OK.
- Click Publish To GAL.
Note Administrators can use the information that is in the "Appendix C: Digital Certificates Cleanup Script" chapter of the Exchange Server 2003 Message Security Guide to clean up the certificate entries in the directory. To obtain the "Appendix C: Digital Certificates Cleanup Script" chapter of the Exchange Server 2003 Message Security Guide, visit the following Microsoft Web site:
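Before running any cleanup, an administrator will usually want to know which users are still affected, that is, which users have a certificate in userSMIMECertificate that is not also in userCertificate, because that is the certificate Outlook 2003 picks up ahead of the PKI one. The following PowerShell script is an added example for this article; it is not part of the article, of Outlook, or of the Exchange Server 2003 Message Security Guide. It assumes the ActiveDirectory module (RSAT) is installed on a domain-joined machine with read access to user objects. It only reads and reports; it does not modify the directory.

```powershell
# Added example (not from KB 822504): report users whose userSMIMECertificate
# attribute still carries certificates that are absent from userCertificate.
# Assumes the ActiveDirectory (RSAT) module and read access to user objects.
Import-Module ActiveDirectory

function Get-CertsFromAttribute {
    param([object]$Value)
    # AD returns multi-valued binary attributes as a collection of byte[].
    # X509Certificate2Collection.Import accepts a single DER certificate as well
    # as a PKCS#7 bundle, so it copes with either storage format.
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    foreach ($blob in @($Value)) {
        if ($null -eq $blob) { continue }
        try {
            $coll.Import([byte[]]$blob)
        } catch {
            # Report unparsable blobs instead of silently skipping them.
            Write-Warning ("Could not parse a certificate blob: " + $_.Exception.Message)
        }
    }
    return $coll
}

# Only users that still have something in userSMIMECertificate can be affected.
$users = Get-ADUser -LDAPFilter '(userSMIMECertificate=*)' `
                    -Properties userCertificate, userSMIMECertificate

$report = foreach ($u in $users) {
    $pkiCerts   = Get-CertsFromAttribute $u.userCertificate
    $smimeCerts = Get-CertsFromAttribute $u.userSMIMECertificate

    # Thumbprint (SHA-1 of the DER encoding) identifies a certificate uniquely.
    $pkiThumbs = @($pkiCerts | ForEach-Object { $_.Thumbprint })

    # Anything present in userSMIMECertificate but not in userCertificate is a
    # candidate stale KMS certificate that Outlook 2003 will prefer.
    foreach ($c in $smimeCerts) {
        if ($pkiThumbs -notcontains $c.Thumbprint) {
            [pscustomobject]@{
                User       = $u.SamAccountName
                Thumbprint = $c.Thumbprint
                Subject    = $c.Subject
                Issuer     = $c.Issuer
                NotAfter   = $c.NotAfter
            }
        }
    }
}

# One row per stale certificate; an empty result means the two attributes agree.
$report | Sort-Object User, NotAfter | Format-Table -AutoSize
```

The Issuer column is the quickest way to confirm what the mismatch is: entries issued by the old KMS rather than by the PKI Certification Authority are the ones the article's Publish to GAL step, or the Appendix C cleanup script, is meant to replace. Run the script again after cleanup; it should return no rows.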
Modification Type: Minor | Last Reviewed: 2/23/2006
Keywords: kbprb kbpending KB822504 kbAudITPRO