Outlook Slow to open digitally signed or encrypted mail

    Question

  • All,

      I started with some issues which I posted about on the Office forum but found a fix for the middleware which fixed the issue.  Now I'm having another issue with what seems like the digital subsystem (CSP?, Cert Store or AD).  So I hope this forum might be able to help since it's security related with the digital signature and encryption.  The other issue is at this post: http://social.technet.microsoft.com/Forums/en-US/outlook/thread/d56595b9-d1e7-4bd4-8b66-52174d7e031e

    I posted this on the Windows 7 Security forum and they recommended that I post it here under the Exchange forum.  http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/1c949513-8a4a-4864-8134-b2bdfc5c3f9a/#1c949513-8a4a-4864-8134-b2bdfc5c3f9a

    Environment: Windows 7 Pro, Office 2007 (Outlook), and on a mixed mode domain.  Main domain controller is 2003 and unable to log on with CAC without middleware, ActivClient 6.2.

      My current issue: when a user receives a signed or encrypted message it can take between 30 seconds and one minute for the message to open in the preview pane, or even if you double click it to open it up.  I can delete the local profile on some users and the issue goes away; for other users I've had to delete the local profile and the folder redirect (AppData, My Documents, and Desktop). Now today, after about a week, one user is seeing it again, which isn't good. What could be causing the delay in the digital path?  I think it has to do with either ActivClient and Windows 7 deciding on who is in control, or our Domain Controllers?  What else can I look at?

    Here's an error I see:

    Aug 01 10:04:41:559|ACEXCHEX|PID=3264|TID=2760|USR=usernamewashere|
    ERR|CACExchExtMessageEvents::CheckAndAddCertificateInStore:
    CertAddEncodedCertificateToStore failed with error code 4c7


    Dennis C. Varen Technologies
    Tuesday, August 02, 2011 6:10 PM

Answers

  • The issue turns out to be a bad digital path.  We contacted our certificate authority and they had a tool (script) to remove and block the "Common Policy" cert and a couple of others that were being downloaded.  I'll edit this with a list of the bad certs but I'm not in the office today.
    Dennis C. Varen Technologies
    • Marked as answer by Dennis Cout Friday, August 05, 2011 1:09 AM
    Thursday, August 04, 2011 12:13 PM

All replies

  • Hi Dennis,


    Based on my research, the delay is likely caused by Active Identity. And I'd suggest you re-install the ActivClient and try again.


    If the issue continues, please feel free to submit a new thread on the Outlook IT Pro forums, since this is an Exchange forum and the issue you are encountering is a pure client side issue. Your understanding would be appreciated.


    Fiona
    Wednesday, August 03, 2011 4:28 AM
    Moderator
  • Thank you for your response, but I have tried reinstalling ActivClient, and last night I un-installed it and logged in with a username and password and still have the delay in the opening of signed/encrypted mail.  If you look at my first link I already posted in the Outlook forum and the Windows 7 Security forum.  This is only happening with some users, not all, so if this was a client issue it would happen with everyone that used that one system, but this follows users to other systems.  I need someone who can look at or tell me more about the subsystem of how Windows/Outlook/ActivClient/Exchange/Active Directory all tie into each other. Which would be the best forum to post under?

    Is there anything that can control the CRL listing/retrieval, OCSP?  How can I troubleshoot it?  What logs can I turn on besides the ones that I already have (Outlook, ActivClient)?  I think it's an account issue in Active Directory related to Exchange 2007 but need to be able to rule that out.  Is there anything on the Exchange side that I can turn on to monitor as the Outlook client retrieves a message? How can I measure the time from Exchange?

    Thank you for your help and suggestions,

    Dennis


    Dennis C. Varen Technologies
    Wednesday, August 03, 2011 11:00 AM
  • This is getting to be a big pain.  Would you please send us more info on the tool and script?  Thanks.
    Monday, August 15, 2011 4:01 PM
  • Jeff,

      Sorry I haven't posted more details.  You'll have to get the script from DISA by opening a ticket (okcservicedesk@csd.disa.mil); you can reference our Ticket #CSD-AR002898474.


    1. Ensure you have the latest DoD Root Certs installed.

    2. Run the FBCA tool, which moves two Common Policy certs issued by Common Policy 2027 and 2010, and DoD Root CA 2 issued by DoD Interoperability Root CA 1 2013, to the Untrusted store; we then exported them and added them to GPO.

    3. GPUPDATE /FORCE and Reboot system.


    There's also some other steps they may give you but this is all we have applied and it seems to be working.


    Dennis C. Varen Technologies
    Monday, August 15, 2011 6:27 PM
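    The questions above about troubleshooting CRL retrieval, and the three-step procedure in the post just before this, can both be checked from the affected workstation. The following is an added example (PowerShell, not from this thread and not DISA's tool): it times a full online chain build for a sender's S/MIME certificate, prints the path Windows chose with each CA's CRL distribution points, and lists which Common Policy / Interoperability cross-certs are already in the Untrusted store. The certificate file path and the issuer-name pattern are assumptions.

```powershell
# Added example, not part of the thread. Export the sender's signing certificate
# from Outlook to a .cer file first; $CertPath is a placeholder.
param(
    [string]$CertPath = 'C:\temp\sender-smime.cer'
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'        # fetch CRL/OCSP, as Outlook does on open
$chain.ChainPolicy.RevocationFlag      = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

# Time the build: a 30-60 s result here reproduces the delay seen in Outlook
$sw    = [System.Diagnostics.Stopwatch]::StartNew()
$valid = $chain.Build($cert)
$sw.Stop()
$state = if ($valid) { 'succeeded' } else { 'FAILED' }
'Chain build {0} in {1:N1} s' -f $state, $sw.Elapsed.TotalSeconds

# Walk the path Windows selected. A Common Policy or Interoperability
# cross-certificate appearing here is the "bad digital path" the answer describes.
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    '  {0}' -f $c.Subject
    '     issued by: {0}' -f $c.Issuer
    foreach ($st in $el.ChainElementStatus) {
        '     status: {0} ({1})' -f $st.Status, $st.StatusInformation.Trim()
    }
    # CRL Distribution Points extension (OID 2.5.29.31): these URLs are what
    # the revocation check has to reach for every CA on the path
    $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        $cdp.Format($true) -split "`r?`n" | Where-Object { $_ } |
            ForEach-Object { '       ' + $_.Trim() }
    }
}

# Step 2 of the procedure moves the cross-certs to Untrusted (the Disallowed
# store); confirm they are actually there on this machine. The pattern is an
# assumption based on the issuer names given in the thread.
$pattern = 'Common Policy|Interoperability'
$blocked = Get-ChildItem Cert:\LocalMachine\Disallowed, Cert:\CurrentUser\Disallowed |
    Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern }
if ($blocked) {
    'Cross-certificates present in the Untrusted store:'
    $blocked | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    'No Common Policy / Interoperability certificates found in the Untrusted store.'
}
```

    Run it as the affected user, since step 2's GPO may populate the per-user store as well as the machine store, and compare the build time before and after the GPUPDATE in step 3.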
  • We have a similar issue but it is only happening to 4 machines out of 1000 and it seems to be tied to certain IPs. If we force another machine to pull that IP the slow validation follows to the new machine. It goes away when I revert back. Only thing is these four machines get a new IP and a few hours to days later the issue is back. We have installed the latest Root Certs as well as run the FBCA tool. We didn't put in a ticket or run anything else yet. The strange part is it is only 4 machines and all of our machines are on the same baseline.
    Tuesday, August 30, 2011 10:22 PM