Problem: working with two users in a test environment, I see that both can send each other signed email. However:
- Alan Reid can send Alex Heyne encrypted emails
but
- the opposite is not true (Alex Heyne cannot send Alan Reid encrypted emails).
Environment: domain, Windows 2003 FFL
- 1 Windows 2008 R2 SP1 domain controller with ADDS and ADCS.
- 1 Exchange 2010 SP3 mail server
- Single CA (it's running on the domain controller)
- Client machine is Windows 7 SP1 with Outlook 2010 SP1
Preliminary notes:
- Duplicated the "Exchange User" template.
- General Tab of template: Yes, "Publish certificate in Active Directory" is checked.
- Request Handling tab: Purpose: Signature and encryption.
Other configured settings should be correct since...
- Users automatically obtain the certificate via Group Policy and autoenrollment.
- The certificate does appear in their user certificate store.
- It can be used to sign email messages. The resulting message has the "seal" or "medal" or "ribbon" icon that indicates that it is signed.
Besides verifying what precedes:
- In ADSIEdit, the "userCertificate" attribute of both the sender and recipient is populated with a sequence of two-digit numbers and backslashes.
This is the result of the certutil command I ran after reading this post:
C:\>certutil -verify -urlfetch certificatefile.crt
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
LoadCert(Cert) returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
CertUtil: -verify command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
That's the result for either user, even when I run as admin.
I'm going to try with other users right now.
Otherwise, how can I troubleshoot this beyond what I have already done?
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
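The certutil check in the post failed only because no certificate file existed on disk. As an added troubleshooting helper (not code from the original poster), the script below pulls each user's published certificate out of the AD userCertificate attribute, writes it to a .cer file, reports the usages Outlook needs for encryption, and then runs the same certutil -verify -urlfetch against a file that exists. It assumes the RSAT ActiveDirectory module is available and that the sAMAccountNames 'areid' and 'aheyne' are placeholders for the two test users.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module
# (RSAT on the Windows 7 client, or run it directly on the 2008 R2 DC).
Import-Module ActiveDirectory

$X509 = 'System.Security.Cryptography.X509Certificates'

function Test-PublishedSmimeCert {
    # Export every value of a user's userCertificate attribute to %TEMP%,
    # report the usages that matter for S/MIME encryption, and verify each with certutil.
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    if (-not $user.userCertificate) {
        Write-Warning "$SamAccountName has no userCertificate value published in AD"
        return
    }

    $n = 0
    foreach ($raw in $user.userCertificate) {
        $n++
        $cert = New-Object "$X509.X509Certificate2" -ArgumentList (,[byte[]]$raw)
        $path = Join-Path $env:TEMP ("{0}-{1}.cer" -f $SamAccountName, $n)
        [IO.File]::WriteAllBytes($path, $cert.Export('Cert'))

        # .NET builds typed extension objects for these well-known OIDs.
        $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alt Name
        $sanText = if ($san) { $san.Format($false) } else { '(none)' }

        New-Object PSObject -Property @{
            User            = $SamAccountName
            Subject         = $cert.Subject
            NotAfter        = $cert.NotAfter
            Expired         = ($cert.NotAfter -lt (Get-Date))
            # Encrypting TO a recipient needs Key Encipherment; signing alone does not.
            KeyEncipherment = [bool]($ku -and ($ku.KeyUsages.ToString() -match 'KeyEncipherment'))
            # 1.3.6.1.5.5.7.3.4 = Secure Email (id-kp-emailProtection)
            SecureEmailEKU  = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' }))
            # The RFC822 name here should match the recipient's primary SMTP address.
            SAN             = $sanText
            ExportedTo      = $path
        }

        # The check the original post attempted, now against a real file.
        certutil -verify -urlfetch $path | Select-String -Pattern 'Certificate is valid|REVOKED|expired|FAILED|ERROR'
    }
}

# Check both directions of the failing pair (placeholder sAMAccountNames).
'areid', 'aheyne' | ForEach-Object { Test-PublishedSmimeCert -SamAccountName $_ }
```

If both certificates verify and carry Key Encipherment, the remaining asymmetry is usually on the Outlook side: in cached Exchange mode Outlook reads recipient certificates from the Offline Address Book, which is regenerated on a schedule, so a newly enrolled certificate can be present in AD but not yet in the OAB the sending client has downloaded.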