Error Message: Cannot open this item. Your Digital ID name cannot be found by the underlying security system.

    Question

  • I have a couple of users who can send, receive, and open Signed and Encrypted messages, but after 15 signed/encrypted emails they then get the error message: "Cannot open this item. Your Digital ID name cannot be found by the underlying security system." We get this error after opening 12-16 emails, then we can't send or open any encrypted emails. Digitally signed emails still open and we are prompted by ActivClient Auto-Contact, which is turned on. Users are directed to say yes to the prompt, which will save a contact.

    When I try to send an encrypted email I get the error message from Microsoft Office Outlook "An error occurred in the underlying security system. Not enough memory available to complete this command."

    When I exit out of Outlook and then reopen we are able to get another 12-16 encrypted emails.

    I watched which files are changing and found ExchangePerflog_<<numbers>>>.dat

    We just updated to Windows 7 from XP using Office 2007 and Exchange 2007, mixed mode Domain (2003 to 2008R2). We are using DoD issued CAC (Smartcards) with ActivClient x64 6.2.0.108 and Microsoft CAPICOM 2.1.0.2 SDK with DLL registered. Smartcard enabled log on required. Most of the users transitioned fine, but there have been a few issues with not being able to publish to the GAL, which I found was a permissions issue on the AD User Object (Account). Some of the smartcards have email addresses that are not the same as the domain account.

     

    Thank you for your help,
    Dennis


    Dennis C. Varen Technologies
    Thursday, July 14, 2011 1:12 PM

Answers

  • William,

      Thank you for the help and it turns out that ActivClient 6.2 x64 build 6.2.0.119 FIXS1105002 fixed the issues which turned out to be two problems related to one.  The issue was when a web app was using CAPICOM to sign forms you would only get 5 approvals then the 6th would fail, then you could restart IE and get another 5.

    Hope this helps someone else out in the future,

    Dennis


    Dennis C. Varen Technologies
    Friday, July 22, 2011 11:08 AM

All replies

  • Hi

     

    Thank you for using Microsoft Office for IT Professionals Forums.

     

    Firstly, make sure you have installed the latest service pack for Office/Windows/ExchangeServer/WindowsServer.

    Please refer to this KB article to resolve this problem:

    “Outlook continues to use old certificates after you migrate from Key Management Server to Public Key Infrastructure”

    http://support.microsoft.com/kb/822504

     

    If the KB article cannot resolve this issue, we can follow these steps to test this issue.

    1. Start Outlook in Safe Mode
    2. Turn off Cached Exchange Mode (Link to: http://office.microsoft.com/en-us/outlook-help/turn-on-or-off-cached-exchange-mode-HP001232935.aspx?CTT=1)
    3. Delete a Digital ID (Link to: http://office.microsoft.com/en-us/outlook-help/delete-a-digital-id-HP001230535.aspx)
    4. Get a digital ID (Link to: http://office.microsoft.com/en-us/outlook-help/get-a-digital-id-HP001230537.aspx)
    5. Test via OWA
    6. Run the Detect and Repair feature (Link to: http://support.microsoft.com/kb/924611)
    7. Create a new profile for Outlook
    8. Create a new profile for the operating system (Windows 7)

    Note 1: Whichever step solves the problem, ignore the remaining steps.

    Note 2: If all of the steps still cannot resolve this problem, we can be almost sure it is not an Office client problem. I suggest you post this question to the Exchange Server Forum or Windows Server Forum for further support.

     

    Exchange Server Forum: http://social.technet.microsoft.com/Forums/en/category/exchangeserver/

    Windows Server Forum: http://social.technet.microsoft.com/Forums/en-us/category/windowsserver

     

    Please take your time to try the suggestions and let me know the results at your earliest convenience. If anything is unclear or if there is anything I can do for you, please feel free to let me know.

     

    Best Regards, 

     

    William Zhou

    Forum Support

    -----------------------------------------------------------------------------------------

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Monday, July 18, 2011 2:24 AM
    Moderator
  • Hi,

     

    I am writing to see how everything is going with this issue. Is the problem resolved? If there is anything I can do for you, please feel free to let me know.

     

    Best Regards, 

     

    William Zhou

    Forum Support


    Tuesday, July 19, 2011 1:46 AM
    Moderator
  • William,

      I was out Friday and Monday and am just getting in today and starting the testing. I tested a few of your ideas before submitting my question, but not in the order you suggested, so I will update later today.


    Dennis C. Varen Technologies
    Tuesday, July 19, 2011 11:11 AM
  • I've worked through all the steps and am still unable to exceed the 15; on the 16th opening it fails. I'm moving my question to the Windows forum. Do you know what sub-system is being used by Outlook? My guess is that it's using IE8 to pull certs from the local store, or does it always pull from Active Directory when you open a message? We have ActivClient installed (x64), so I'm sure it plays a part as well. I don't believe it's actually Outlook but the system Outlook is pulling from?

     


    Dennis C. Varen Technologies
    Wednesday, July 20, 2011 3:10 PM
  • A breakthrough, kind of. I uninstalled the Middleware ActivClient and I am now able to open up more than 15 messages, so something in their software is hindering this, but now with it uninstalled I'm unable to send signed or encrypted messages.

    Any Thoughts? 

    Thank you,
    Dennis


    Dennis C. Varen Technologies
    Wednesday, July 20, 2011 3:55 PM
  • I'm sorry to hear that. For queries regarding Middleware ActivClient, you can post your question to the Windows forum for further support.

    Best Regards, 

    William Zhou

    Forum Support


    Friday, July 22, 2011 3:14 AM
    Moderator
  • Double-check the user's email on the CAC and make sure it's matching the ones listed on Exchange.

    The CAC office does tend to mess up the email address (human error, it happens). If this is the case, follow the steps below.

    From the user's machine and with the user logged in:

    1. Visit: https://www.dmdc.osd.mil/ump/umphome.htm
    2. Click replace certificate
    3. Enter PIN
    4. Under certificate type, select either Email signing or Email Encryption. It doesn't matter which one; it will update both.

    Once the cert is updated, delete the security profiles in Outlook:

    1. (trust center > email security > settings > delete... all of them)
    2. manually add the certificates
    3. [Security settings name] : username (or whatever)
    4. check on both [Default security setting .......]
    5. under "Certificates and Algorithms"
    6. [Signing Certificate > choose > use the user's current email certificate]
    7. [Encryption Certificate > choose > use the user's current email certificate]
    8. press ok
    9. Publish to GAL

    ---------------------------------------------

    Also, if the user received an encrypted email prior to the publishing of the new CAC cert, you'll have to recover the older encryption certificate.

    1. https://ara-1.c3pki.chamb.disa.mil/ara/Key
    • Choose the non-email cert
    • Find the cert needed
    • Download and import it
    • Restart Outlook

    Good luck!

    Friday, February 17, 2012 5:49 PM
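
Added example (not part of the thread, and not code from any poster): a read-only PowerShell check for the address mismatch raised in the last reply and in the original question. It lists the certificates in the logged-on user's personal store that carry an e-mail name and flags any whose address is not among the account's AD `mail` or `proxyAddresses` values. It assumes a domain-joined machine, the CAC inserted, and middleware that has registered the card's certificates in `Cert:\CurrentUser\My`.

```powershell
# Added example, not from the thread. Run as the affected user with the CAC inserted.
# Assumptions: the machine is domain-joined and the smart card middleware has
# registered the card's certificates in Cert:\CurrentUser\My.

# 1. SMTP addresses the directory holds for the logged-on account.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.Add('mail')
[void]$searcher.PropertiesToLoad.Add('proxyAddresses')
$account = $searcher.FindOne()
if (-not $account) { throw "No AD account found for $env:USERNAME" }

$directory = @(
    $account.Properties['mail']
    $account.Properties['proxyAddresses'] |
        Where-Object { $_ -like 'smtp:*' } |   # -like is case-insensitive (SMTP: and smtp:)
        ForEach-Object { $_.Substring(5) }
) | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique

# 2. Certificates in the personal store that carry an e-mail name (subject or SAN).
$report = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $email = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
    if (-not $email) { continue }              # skip certificates with no e-mail name

    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $usage = if ($ku) { $ku.KeyUsages.ToString() } else { 'not stated' }

    New-Object PSObject -Property @{
        Email       = $email
        KeyUsage    = $usage                   # separates signing from encryption certs
        NotAfter    = $cert.NotAfter
        InDirectory = ($directory -contains $email.ToLowerInvariant())
        Thumbprint  = $cert.Thumbprint
    }
}

# 3. Show everything, then call out addresses the directory does not know.
$report | Sort-Object Email, NotAfter |
    Format-Table Email, KeyUsage, NotAfter, InDirectory, Thumbprint -AutoSize

$mismatch = @($report | Where-Object { $_ -and -not $_.InDirectory })
if ($mismatch.Count) {
    Write-Warning ("{0} certificate(s) carry an address that is not on the AD account." -f $mismatch.Count)
}
```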