Publishing a Certificate to the GAL Issue

  • Question

  • Hello, I am having trouble with Domain users trying to publish their certs to the GAL.  They get the error: "Microsoft Office Outlook cannot publish your certificates.  The server may be offline or your certificates may be invalid.  Contact your administrator if the problem persists"

    The security on the cert is set up this way:

    SELF has READ WRITE and Enroll  ( I am assuming that this is what should work for the user(s) )

    Authenticated users have READ and ENROLL

    Domain admins have READ WRITE and ENROLL

    Enterprise Admins have READ WRITE AND ENROLL

    If I add the user as a Domain Admin, they can log off and back on, then get into Outlook and publish fine.  This doesn't seem to be a cert issue but maybe an Exchange 2007 permissions issue, but I don't know where to look.  Can someone steer me in the correct direction?


    Thanks


    Monday, June 14, 2010 6:26 PM

Answers

  • Please describe the AD topology, how many GC exist in the environment? Are they all writable?

    Is there any error event in the application log on the server or client?

    The user account should have the following permissions for SELF; please run "DsAcls" to verify it:

    Allow NT AUTHORITY\SELF SPECIAL ACCESS for Personal Information
        WRITE PROPERTY
        READ PROPERTY
    Allow NT AUTHORITY\SELF SPECIAL ACCESS for Phone and Mail Options
        WRITE PROPERTY
        READ PROPERTY
    Allow NT AUTHORITY\SELF SPECIAL ACCESS for Web Information
        WRITE PROPERTY
        READ PROPERTY
    Allow NT AUTHORITY\SELF SPECIAL ACCESS
        READ PERMISSONS
        LIST CONTENTS
        READ PROPERTY
        LIST OBJECT
    Allow NT AUTHORITY\SELF Change Password
    Allow NT AUTHORITY\SELF Send As
    Allow NT AUTHORITY\SELF Receive As


    James Luo
    TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
    If you have any feedback on our support, please contact tngfb@microsoft.com
    • Marked as answer by Alan.Gim Monday, June 21, 2010 2:15 AM
    Thursday, June 17, 2010 6:58 AM
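    The following PowerShell script is an added example (not part of the thread or of any Microsoft tool) that automates the check James Luo describes: it reads one user object's ACL and reports whether NT AUTHORITY\SELF holds an Allow WriteProperty entry for each of the three property sets. It assumes the ActiveDirectory RSAT module is installed and that $SamAccountName is a placeholder for the affected user.

    ```powershell
    # Added example: verify SELF can write the property sets listed in the accepted answer.
    # Assumes the ActiveDirectory module (RSAT) is available; 'jdoe' is a placeholder account.
    Import-Module ActiveDirectory

    $SamAccountName = 'jdoe'

    $user   = Get-ADUser -Identity $SamAccountName
    $config = (Get-ADRootDSE).configurationNamingContext

    # Resolve each property set's rightsGuid from the Extended-Rights container
    # rather than hardcoding GUIDs, so the check is forest-independent.
    $propertySets = @{}
    foreach ($name in 'Personal Information', 'Phone and Mail Options', 'Web Information') {
        $right = Get-ADObject -SearchBase "CN=Extended-Rights,$config" `
            -LDAPFilter "(displayName=$name)" -Properties rightsGuid
        if (-not $right) { throw "Property set '$name' not found in Extended-Rights" }
        $propertySets[$name] = [guid]$right.rightsGuid
    }

    # Read the security descriptor of the user object through the AD: drive.
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    # Keep only the Allow entries granted to NT AUTHORITY\SELF (explicit or inherited).
    $selfAces = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and $_.AccessControlType -eq 'Allow'
    }

    $missing = @()
    foreach ($entry in $propertySets.GetEnumerator()) {
        $hasWrite = $selfAces | Where-Object {
            $_.ObjectType -eq $entry.Value -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
        }
        if (-not $hasWrite) { $missing += $entry.Key }
    }

    if ($missing.Count -eq 0) {
        Write-Output "OK: SELF has WriteProperty on all three property sets for $SamAccountName"
    } else {
        Write-Output "MISSING SELF WriteProperty on: $($missing -join ', ')"
        # Inheritance being blocked on the object is one reason default SELF ACEs can be absent.
        Write-Output "Inheritance blocked on object: $($acl.AreAccessRulesProtected)"
    }
    ```

    Comparing the output for a user who can publish against one who cannot isolates whether the difference is in the SELF entries the answer lists.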

All replies

  • Hi,

    Which version of Outlook do you use?
    Did you do a migration recently?

    I guess Outlook 2007.

    Can you try to "Rebuild" the GAL in EMC and then download it again to your Outlook (Tools - Send/Receive - Download Address Book)?
    Try to go in online mode and renew the .ost file if possible before downloading the addressbook.

    Greetzz,

    Timmy

    Tuesday, June 15, 2010 7:51 AM
  • Outlook 2007, and this is a fresh install of Exchange 2007.

    If I add the user as a domain admin, that person can then publish his cert to the GAL.  So rebuilding the GAL wouldn't work, right... This seems to be a permissions issue, right?  I checked other domain users and they have the same error.

    Tuesday, June 15, 2010 12:45 PM