Channel: Security forum

Configuring AutoEnrollment for IME (internal Mail Encryption) - Outlook should get public keys from AD


Hi there,

Actually I'm trying to configure AutoEnrollment for IME. After some little probes, the AutoEnrollment itself is working now.

I configured the AutoEnrollment with the help of this little "how-to":

http://openbook.galileo-press.de/windows_server_2008/windows_server_2008_kap_12_008.htm#mj8b7e4426553c206ff8c853aa7e66acf8

After I had configured the whole thing, the automatic enrollment - after domain logon - was working, but the certificates weren't published to the Active Directory.

The following thread gave the final hint ("The CA was not in the cert publishers group in the domain where the user accounts live."):

http://social.technet.microsoft.com/Forums/windowsserver/en-US/ebeed46c-fcc5-46fa-803f-511ba9f24c0e/smime-autoenrollment-and-automatic-outlook-configurations?forum=winserversecurity

So the AutoEnrollment and the publishing of the certificates to AD is working now. Yeha!

The big problem I have now is: how the hell do I have to configure the clients (Outlook 2010) so they get the public keys for the recipients, to encrypt the internal mail exchange, automatically out of the Active Directory?!?!

I absolutely have no more ideas. I want to enter the recipient, click on "encrypt" and then Outlook gets the public key of the recipient out of the Active Directory, encrypts and finally sends the mail... That has to be possible, or not?! Otherwise the publication of the certificates in Active Directory seems senseless to me.

I know that I can write a mail with a signature to the recipient, so she or he gets my public key, but this is no option.

Here (http://technet.microsoft.com/de-de/library/cc772164.aspx) you can read the following (sorry if the translation is bad :) ):

"The sender of a message can retrieve the user's certificate from the Active Directory Domain Services, retrieve the public key of the certificate and then encrypt the message using the public key of the recipient."

So how does it work and how do I have to configure it? Do I still have some rights problems? Certificates are automatically enrolled and published in AD, but Outlook does not seem to be asking the Active Directory for the public key...

Thanks in advance for help!!!

Regards,

Ken

 

