Outlook 2000/2003 cannot open signed messages (unanswered)

  • Tuesday, September 09, 2008 4:23 PM

    I've received a signed message from somebody. Outlook 2000 and 2003 won't let me open the message, I just get an error "Can't open this item. Your Digital ID name can not be found by the underlying security system.". The message is not encrypted and can be read by Outlook 2007. Other mails received in the past open fine, and when I open the problem mails in Outlook 2007 the signature is verified (as I installed the certificate from the older mails, i.e. it's the same signature). I don't understand why I need a Digital ID to read a mail that is signed by somebody else; I should be able to see it (with a warning) without the certificate at all.

    Does anybody know how to work around this issue? Googling didn't come up with anything; most people's problems in this area seem to be related to encryption. The sender is using Notes according to the headers. Any ideas?

All Replies

  • Thursday, September 11, 2008 2:59 AM
    Moderator

    Hi,

    When you open a digitally signed email, it still needs to be decrypted.

    For the error message "Can't open this item. Your Digital ID name cannot be found by the underlying security system", it means that the recipient's Outlook client cannot find the proper key to decrypt this digitally signed message. In order to generate a digitally signed mail, the sender's mail client needs to get the sender's private key first, and then use this private key to encrypt the sender information in the mail. When the recipient gets the message, the recipient's mail client will try to retrieve the sender's public key, and then use the public key to decrypt the encrypted information in this mail. When the recipient fails to get the sender's public key, the above error message will be reported.

    As you can open the mail in Outlook 2007, all you need to do is copy the corresponding certificate from that computer and install it on your Outlook 2000 and 2003 computer.

    More information for your reference:
    http://www.windowsecurity.com/articles/Digital_Signatures.html

    Hope this helps. Thanks,

    Elvis


  • Thursday, September 11, 2008 9:51 AM

    Unfortunately that doesn't really explain the problem I've got. The Outlook 2007 machine can read the mail without any key being installed; it just puts a warning at the top saying it's unverified. The other clients can see other messages from the same sender (along with the warning message). Installing the sender's key gets rid of the warning message on the mails I could already read but still doesn't let me view the problem emails. In addition, why would I need my own key to read a mail sent to me? That doesn't make sense. If I wanted to reply and sign the message then sure, but to just read incoming mail I shouldn't need anything. I should only need the sender's public key, and then only to verify the signature, not to read the mail (as evidenced by being able to read it on Outlook 2007 with no keys).

    It seems very much like a bug in Outlook to me; maybe something in the message headers is confusing it.

  • Friday, September 12, 2008 7:01 AM
    Moderator

    Hi,

    This issue is typically caused by the following factors:

    1. The digital ID is damaged or corrupted.

    2. The sender of an encrypted message uses a public key for the recipient (the person who opens the item) that is not installed on the recipient's computer.

    Please use the steps in the following KB article to test the issue again.

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;258527

    A great webcast for these issues:

    TechNet Support WebCast: Secure messaging in Microsoft Outlook
    http://support.microsoft.com/kb/891329

    Hope this helps.

    Thanks,

    Elvis

  • Monday, September 15, 2008 10:29 AM

    My problem is not one of the typical issues you listed:
    1. I don't have any Digital ID installed on the problem client. And I know the signature is fine, as Outlook 2007 reads the mail with no problems (as does Outlook Web Access).
    2. As I have stated twice now, the message is not encrypted.
    Neither of the links was particularly useful. As you work for MS, is there any kind of bug database you could look at? The fact that Outlook 2007 works and other PCs don't (i.e. not a single-PC problem) suggests a bug that has since been fixed. Like I said before, the sender is using Notes and other messages from them (also signed) open fine, so maybe it's sending a weird header that the earlier versions of Outlook barf on.

  • Wednesday, September 17, 2008 3:41 AM
    Moderator

    Hi,

    Given the current situation, I suggest you contact our CSS to submit a professional case.

    For more information on available CSS services, please click here:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607

    Thanks,

    Elvis

  • Thursday, October 16, 2008 9:00 AM

    I am also experiencing the same problem using Outlook 2003. I am sending a digitally signed email message and I am not able to open it for reading in Outlook. Has there been any update on this problem? Was Microsoft support helpful?

    Thanks.

  • Thursday, October 16, 2008 9:33 AM

    I'm not sure if this fits your situation or not, but I solved the issue I was having. I was creating the signed message using the JavaMail API and IAIK SignedContent. When I created the SignedContent explicitly (with value false), the MIME message created had content type multipart/signed. Outlook 2003 could not read or verify the message. I switched to implicit SignedContent (with value true), which created a MIME message with content type application/pkcs7-mime. Outlook was then able to read the message and verify the message signature.

    Hope this helps.

  • Friday, October 31, 2008 2:37 PM

    > When you open a digitally signed email, it still needs to be decrypted.

    Actually, this is not quite true. A digitally signed email only needs to be decrypted if it was signed AND encrypted in the first place. An email that was signed only does not need to be decrypted, because the message content appears unencrypted in the MIME tree or inside the CMS/PKCS #7 SignedData structure. For such e-mail, only signature validation is performed.

    Lukas Pokorny
    Rebex.NET

  • Friday, October 31, 2008 2:54 PM

    I am also able to reproduce the problem you and other users reported here. For me, it happens when I receive a signed email message that has a content-type "multipart/signed" containing the following two parts: "multipart/alternative" and "application/pkcs7-signature", where the first sub-part contains a "text/html" part only. If it contains "text/plain" in addition to this as well, or if the "text/html" is there instead of "multipart/alternative" inside the "multipart/signed" entity, everything works correctly. This looks too complicated, so consider this instead:

    A signed e-mail with the following structure works fine in both Outlook 2003 and Outlook 2007:
      multipart/signed
          - multipart/alternative
              -- text/html
              -- text/plain
          - application/pkcs7-signature

    A signed e-mail with the following structure also works fine in both Outlook 2003 and Outlook 2007:
      multipart/signed
          - text/html
          - application/pkcs7-signature

    However, an e-mail with the following structure does not work in Outlook 2003 (it works in Outlook 2007 though):
      multipart/signed
          - multipart/alternative
              -- text/html
          - application/pkcs7-signature

    You can download two sample messages from http://www.rebex.net/temp/Outlook-SMIME.zip - Sample-B.eml contains a message that triggers the error described above (the misleading "Can't open this item. Your Digital ID name can not be found by the underlying security system." error dialog). It is true that the structure of this message is a bit non-standard - but nothing extraordinary - and apparently, a message with the same inner structure that is not signed works in Outlook 2003 as well.
    I am not sure whether the error reported in this thread was caused by this as well, but it might be something similar - changing the message structure a bit might be all that is needed to work around the problem.

    Hope this helps!

    Lukas Pokorny
    Rebex.NET
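The three layouts above, rebuilt with Python's standard email package so they can be inspected and flagged before sending or at a gateway. This is an added example, not code from Lukas's post or from Rebex; the pkcs7-signature part is a constructed placeholder (the point is the MIME structure, not the CMS blob), and the function and sample names are the example's own.

```python
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def build_signed(body_parts, alternative=True):
    """Wrap body_parts in multipart/signed. The pkcs7-signature part is a
    constructed placeholder, not a real CMS SignedData blob."""
    if alternative:
        inner = MIMEMultipart("alternative")
        for subtype, text in body_parts:
            inner.attach(MIMEText(text, subtype))
    else:
        inner = MIMEText(body_parts[0][1], body_parts[0][0])
    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                          micalg="sha1")
    outer.attach(inner)
    outer.attach(MIMEApplication(b"PLACEHOLDER-SIGNATURE", "pkcs7-signature",
                                 name="smime.p7s"))
    return outer

def structure(msg, depth=0):
    """Content-type tree as indented lines, like the listing in the post."""
    lines = ["  " * depth + msg.get_content_type()]
    if msg.is_multipart():
        for part in msg.get_payload():
            lines.extend(structure(part, depth + 1))
    return lines

def triggers_outlook2003_bug(msg):
    """True only for the layout the post reports as failing in Outlook 2003:
    multipart/signed -> multipart/alternative holding nothing but text/html."""
    if msg.get_content_type() != "multipart/signed":
        return False
    parts = msg.get_payload()
    if len(parts) != 2 or parts[1].get_content_type() != "application/pkcs7-signature":
        return False
    body = parts[0]
    if body.get_content_type() != "multipart/alternative":
        return False
    return [p.get_content_type() for p in body.get_payload()] == ["text/html"]

def check_raw(raw):
    """Same check on raw RFC 822 bytes, e.g. the contents of an .eml file."""
    return triggers_outlook2003_bug(message_from_bytes(raw))

# Constructed samples for the three layouts described in the post.
WORKS_ALTERNATIVE = build_signed([("html", "<p>hi</p>"), ("plain", "hi")])
WORKS_SINGLE_HTML = build_signed([("html", "<p>hi</p>")], alternative=False)
FAILS_HTML_ONLY = build_signed([("html", "<p>hi</p>")])
```

On the sending side the fix the post suggests is simply to include a text/plain alternative (or drop the multipart/alternative wrapper) before signing; check_raw lets a receiving gateway spot messages that will fail in Outlook 2003 without touching the signature.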

  • Monday, November 17, 2008 7:40 PM

    I have had this same problem, same error message. I am working with XP, Outlook 2003. I found that it is not enough to have the digital certificates in your Outlook cards for people you send signed and encrypted messages to. You must also import YOUR digital certificate into YOUR Outlook card. You probably have never created a card for yourself in Outlook. I certainly did not have one. Create your card, go to the certificates tab, click on Import, and import your digital certificate from wherever it resides on your computer. (NOTE: If you do a search for it, search for .pfx, .cer, and .p7x files.) I was able to open signed messages before; now I can open messages that are encrypted as well. I hope this helps you.