Cannot encrypt new messages but can answer an already encrypted one

  • Question

  • Hi to all!

    I have a problem with encrypting messages in Outlook sent to other recipients within the same Exchange organization.

    If user A sends a new, encrypted message to user B (all within the same Active Directory domain) then all is OK. User B receives the message and can reply with encryption turned on.

    But if user B wants to send a new encrypted message to user A, then he receives the error "Microsoft Outlook had problems encrypting this message because the following recipients had missing or invalid certificates, or conflicting or unsupported encryption capabilities".

    I have searched many internet resources but found no clues applicable to my situation. Both users have appropriate certificates published in the GAL in AD. Furthermore, if user B replies to an encrypted message sent by user A, then his reply is encrypted and signed with exactly the same certificate which is published in the GAL!

    This problem exists only for some pairs of users. Say there is user C, for which encrypting messages between C and B always works well, but not between C and A. So there is apparently a problem with finding or selecting the correct certificate for user A (but he has published only one certificate - the correct one!)

    It seems that the version of Outlook doesn't matter, as we use versions 2007, 2010, 2013 and 2016, but I haven't found any pattern here.

    Can anyone help me find a solution?

    Krzysztof.


    elk84

    • Moved by Niko.Cheng Wednesday, March 21, 2018 8:47 AM because it is
    Tuesday, March 20, 2018 4:51 PM

All replies

  • I recommend that you post this in the Outlook Forum:  http://social.technet.microsoft.com/Forums/en-US/outlook/threads


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, March 21, 2018 3:32 AM
  • @Ed Crowley: Thank you for moving my post to a more appropriate group.

    In the meantime I have found this post: Encryption fails on New E-mail, works on Reply. I have turned off cached mode and ... voila, it works! Switched back to cached mode, and again it doesn't work. So I have left it in cached mode, but I consider this rather a workaround, not a real solution.

    Can someone explain to me:

    1. Why does this problem occur in cached mode, but not in online mode?

    2. What to do to solve this problem regardless of the Outlook mode used?

    Thank you in advance for any clues.

    Krzysztof.




    elk84


    • Edited by elk-84 Wednesday, March 21, 2018 11:14 AM
    Wednesday, March 21, 2018 11:14 AM
  • Hi Krzysztof,

    Since the certificate was published to GAL and then cached to OAB, and this issue doesn't happen when turning off cached Exchange mode (OAB is not used in this case), is it possible that User A's OAB file is corrupted or not updated?

    I'd recommend you first try to create a new OAB file for the affected users and then see whether this issue continues. To do this, exit Outlook and navigate to the following path:

    drive:\Users\%username%\AppData\Local\Microsoft\Outlook

    Find the Offline Address Books folder and rename it by appending .old behind it.

    Start Outlook, wait for several minutes and try to send an encrypted message to see the result.

    Regards,
    Steve Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Thursday, March 22, 2018 7:29 AM
  • Hi!

    Thank you for your comments, but I have already tried removing the OAB (before finding the solution of switching to online mode) - it doesn't help. After restarting Outlook a new address book was created, but the problem remains ...

    Krzysztof 


    elk84

    Thursday, March 22, 2018 2:09 PM
  • We started to use S/MIME just a week ago and are experiencing the exact same problem. This happens with Outlook 2013/2016 and Exchange 2013. And I know for sure that the users' certificates are stored correctly in AD:

    [PS] C:\> Get-Mailbox | select name, UserCertificate, UserSMimeCertificate




    Thursday, March 22, 2018 7:35 PM
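Lars's one-liner only shows that the attributes are populated. The script below is an added diagnostic, not part of any post in this thread and not a Microsoft tool: it decodes what is actually published in AD for each user (the raw DER certificates in userCertificate and the PKCS#7 blob in userSMIMECertificate), and reports the conditions that make Outlook refuse to encrypt: expired or not-yet-valid certificates, a Key Usage without KeyEncipherment, an Enhanced Key Usage without Secure Email, a chain that does not verify on the machine running the script, a missing SMIMECapabilities attribute, and a mismatch between the thumbprints published in the two attributes. It assumes the ActiveDirectory PowerShell module is installed and that the sample user list in $Users (constructed here) is replaced with real sAMAccountNames.

```powershell
# Added diagnostic for the thread above; not from the original posts.
# Assumes the ActiveDirectory module is available. $Users is a constructed sample list.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Security

$SecureEmailEkuOid      = '1.3.6.1.5.5.7.3.4'    # id-kp-emailProtection
$SmimeCapabilitiesOid   = '1.2.840.113549.1.9.15' # S/MIME capabilities signed attribute
$Users = @('userA', 'userB', 'userC')              # constructed sample; replace with real accounts

function Get-PublishedSmimeCerts {
    # Returns one object per certificate found, tagged with the AD attribute it came from.
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties userCertificate, userSMIMECertificate
    $found = New-Object System.Collections.Generic.List[object]

    # userCertificate: each value is a raw DER-encoded X.509 certificate
    foreach ($der in $u.userCertificate) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, [byte[]]$der)
        $found.Add([pscustomobject]@{ Source = 'userCertificate'; Cert = $cert; HasSmimeCaps = $null })
    }

    # userSMIMECertificate: each value is a PKCS#7 SignedData blob carrying the
    # certificate(s) plus the SMIMECapabilities attribute Outlook uses to pick an algorithm
    foreach ($blob in $u.userSMIMECertificate) {
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        try { $cms.Decode([byte[]]$blob) } catch {
            $found.Add([pscustomobject]@{ Source = 'userSMIMECertificate'; Cert = $null; HasSmimeCaps = $false })
            continue
        }
        $hasCaps = $false
        foreach ($si in $cms.SignerInfos) {
            foreach ($attr in $si.SignedAttributes) {
                if ($attr.Oid.Value -eq $SmimeCapabilitiesOid) { $hasCaps = $true }
            }
        }
        foreach ($c in $cms.Certificates) {
            $found.Add([pscustomobject]@{ Source = 'userSMIMECertificate'; Cert = $c; HasSmimeCaps = $hasCaps })
        }
    }
    return $found
}

function Test-SmimeEncryptionCert {
    # Returns the list of reasons a certificate would be unusable for encrypting to this user.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $issues = @()
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $issues += 'outside validity period' }

    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -and -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)) {
        $issues += 'Key Usage lacks KeyEncipherment'
    }

    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SecureEmailEkuOid })) {
        $issues += 'EKU lacks Secure Email (1.3.6.1.5.5.7.3.4)'
    }

    # Verify() builds the chain with the local trust store and revocation checking,
    # so a failure here may reflect this machine, not the user's workstation.
    if (-not $Cert.Verify()) { $issues += 'chain/revocation verification failed on this host' }
    return $issues
}

foreach ($user in $Users) {
    Write-Output "=== $user ==="
    $certs = Get-PublishedSmimeCerts -SamAccountName $user
    if ($certs.Count -eq 0) { Write-Output '  no certificate published'; continue }

    foreach ($entry in $certs) {
        if ($null -eq $entry.Cert) { Write-Output "  $($entry.Source): blob could not be decoded as PKCS#7"; continue }
        $issues = Test-SmimeEncryptionCert -Cert $entry.Cert
        if ($entry.Source -eq 'userSMIMECertificate' -and -not $entry.HasSmimeCaps) { $issues += 'no SMIMECapabilities attribute' }
        $status = if ($issues.Count -eq 0) { 'OK' } else { $issues -join '; ' }
        Write-Output ("  {0,-22} {1} exp {2:yyyy-MM-dd} {3}" -f $entry.Source, $entry.Cert.Thumbprint, $entry.Cert.NotAfter, $status)
    }

    # Outlook reads both attributes; a thumbprint present in one but not the other is a clue.
    $raw  = $certs | Where-Object { $_.Source -eq 'userCertificate' -and $_.Cert }      | ForEach-Object { $_.Cert.Thumbprint }
    $pkcs = $certs | Where-Object { $_.Source -eq 'userSMIMECertificate' -and $_.Cert } | ForEach-Object { $_.Cert.Thumbprint }
    $diff = Compare-Object -ReferenceObject @($raw) -DifferenceObject @($pkcs)
    if ($diff) { Write-Output '  WARNING: userCertificate and userSMIMECertificate do not publish the same certificates' }
}
```

Run it from a workstation that trusts the issuing CA; if every user comes back OK in AD but encryption still fails only in cached mode, the discrepancy is between AD and the OAB copy the client has downloaded, which is what the OAB rebuild suggested earlier in the thread is meant to rule out.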
  • Thank you Lars for the feedback.

    @Krzysztof, may I know whether you also use Exchange 2013 version? 

    May you guys provide the specific build number of Exchange you are using?

    Regards,
    Steve Fan


    Friday, March 23, 2018 8:47 AM
  • Hi!

    I'm using Exchange 2013 (15.0 build 1076.9)


    elk84

    Friday, March 23, 2018 11:37 AM
  • Look in Programs and Features, View Installed Updates, and tell us which Cumulative Update you're running (the latest).

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, March 23, 2018 3:44 PM
  • My server is CU8 (I know it is not the latest one, but currently I cannot update it to the latest version)

    elk84


    • Edited by elk-84 Monday, March 26, 2018 4:22 PM
    Monday, March 26, 2018 4:22 PM
  • @Steve/Ed,

    Is there a way to enable some kind of tracing in Outlook for all S/MIME operations, for example looking up the recipient's certificate and so forth?

    Btw, when you receive an email that is signed with S/MIME, where and how does Outlook extract and store the sender's certificate? Is it hidden in a cached but hidden client address book (or something similar) or does Outlook store it somewhere in Exchange Server? I've looked everywhere but couldn't find anything that describes the technical implementation of S/MIME regarding how Outlook processes the certificates...

    Thanks in advance!

    EDIT: (April 4th)

    A temporary workaround that seems to work is to create a shared contact list, e.g. "Digitally Signed Contacts", in a public folder where you save your colleagues' digitally signed contacts if you can't get it to work with the GAL.

    Monday, March 26, 2018 6:47 PM
  • Any progress in the matter yet?
    Wednesday, April 4, 2018 10:05 AM