V3 and V1 Certs on sperate KMS servers

Simon · Joined: 06 Aug 2007 Posts: 1

Hi All,

Firstly this is a KMS problem on MSX 5.5 sites - couldnt
see a newsgroup for 5.5 so I am hopefully posting here Smile

I have been trying to figure out a way of enabling some
users in our Org to send SMIME message to another Org. Our
KMS is very old and still on NT4, and we have 500 users
with advanced security, plans to uprage to 2003 have
started but obviously take time and this is an urgent need
(isnt it always). Upgrading or swinging the existing KMS
server to new hardware at this stage seems risky from what
I have read.

So after trying to get the existing KMS server to work
with the Cert Web Agent and a remote win2K stand alone CA
with no sucess (Apparently it cant be done after I spoke
to support). I have come up with the idea of a a seperate
site for these users with its own KMS server running on
win2k with a stand alone root CA and issueing V1 and V3
certs.

After setting this up I have found that I can send
encrypted messages from the new site (KMS on Win2k), but
replying to this message or sedning a new one to a user in
the new site gives the error :
" Microsoft Outlook had problems encrypting this message
because the follwoing recipents had missing or invalid
certificates, or conflicting or unsupported encryption
capabilities"

I have added the new KMS servers CA cert to the old KMS
servers trusted CA's list.

My Question is really - Is this even possible (one KMS
server issues V3 and V1 certs the other just V1), and have
I missed anything ?

Many thanks in avance if anyone can shed light on this or
had done this in the past.

Thanks
Simon Eappariello

Archived from group: microsoft>public>exchange2000>kms

Dave Taylor · Joined: 06 Aug 2007 Posts: 2

Hi Simon,

I'm just wondering if you managed to work out how to do this - as my site is
now in a similar situation :

We have fully patched windowsxp clients, with outlook2003 running on
exchange 5.5. We have built our active directory, and we're currently in
the process of migrating from 5.5 to 2003. I have configured an encryption
certificate template on the Active Directory CA to autoenrol onto the xp
clients. (This template publishes the encryption cert to Active Directory).

Because our users are currently using the KMS within exchange 5.5, the
certificates that are "published to gal" via outlook are the kms ones (not
the S/MIME ones).

Ok, you know what's coming next ... even though I create an 'S/MIME
profile' within outllook (so that I have a kms profile and an smime
profile), if I try to send an encrypted email to someone else who I've setup
with an SMIME encryption cert (stored in AD), I get the 'user has missing or
invalid certificates' message ...

Question : Is it possible via registry key or some other method (I've
already tried the MsgFormats=3 registry key with no success) for outlook2003
to be able to look for a recipients KMS cert (if I am sending in this
method) form the GAL or automatically look in A/D for an S/MIME cert if I am
sending using this method ???

Any help or comments appreciated.

Dave Taylor.

"Simon" wrote in message$23c79630$a001280a@phx.gbl...
> Hi All,
>
> Firstly this is a KMS problem on MSX 5.5 sites - couldnt
> see a newsgroup for 5.5 so I am hopefully posting here Smile

>
> I have been trying to figure out a way of enabling some
> users in our Org to send SMIME message to another Org. Our
> KMS is very old and still on NT4, and we have 500 users
> with advanced security, plans to uprage to 2003 have
> started but obviously take time and this is an urgent need
> (isnt it always). Upgrading or swinging the existing KMS
> server to new hardware at this stage seems risky from what
> I have read.
>
> So after trying to get the existing KMS server to work
> with the Cert Web Agent and a remote win2K stand alone CA
> with no sucess (Apparently it cant be done after I spoke
> to support). I have come up with the idea of a a seperate
> site for these users with its own KMS server running on
> win2k with a stand alone root CA and issueing V1 and V3
> certs.
>
> After setting this up I have found that I can send
> encrypted messages from the new site (KMS on Win2k), but
> replying to this message or sedning a new one to a user in
> the new site gives the error :
> " Microsoft Outlook had problems encrypting this message
> because the follwoing recipents had missing or invalid
> certificates, or conflicting or unsupported encryption
> capabilities"
>
> I have added the new KMS servers CA cert to the old KMS
> servers trusted CA's list.
>
> My Question is really - Is this even possible (one KMS
> server issues V3 and V1 certs the other just V1), and have
> I missed anything ?
>
> Many thanks in avance if anyone can shed light on this or
> had done this in the past.
>
> Thanks
> Simon Eappariello

Dave Taylor · Joined: 06 Aug 2007 Posts: 2

Hi All,

With the help of M/S, I've finally got an understanding of what's going on
.... For the benefit of other users in the same boat ...

The problem occurs because Outlook first checks the userSMIMECertificate
attribute in AD for a certificate, before checking userCertificate. KMS
publishes certificates to the userSMIMECertificate attribute and Win2K3 PKI
publishes certificates to the userCertificate attribute.

See the following articles for details:

http://support.microsoft.com/default.aspx?scid=kb;en-us;822504&Product=out

http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx

Regards,
Dave

"Dave Taylor" wrote in message$1@eumel.hag.hilti.com...
> Hi Simon,
>
> I'm just wondering if you managed to work out how to do this - as my site
is
> now in a similar situation :
>
> We have fully patched windowsxp clients, with outlook2003 running on
> exchange 5.5. We have built our active directory, and we're currently in
> the process of migrating from 5.5 to 2003. I have configured an
encryption
> certificate template on the Active Directory CA to autoenrol onto the xp
> clients. (This template publishes the encryption cert to Active
Directory).
>
> Because our users are currently using the KMS within exchange 5.5, the
> certificates that are "published to gal" via outlook are the kms ones (not
> the S/MIME ones).
>
> Ok, you know what's coming next ... even though I create an 'S/MIME
> profile' within outllook (so that I have a kms profile and an smime
> profile), if I try to send an encrypted email to someone else who I've
setup
> with an SMIME encryption cert (stored in AD), I get the 'user has missing
or
> invalid certificates' message ...
>
> Question : Is it possible via registry key or some other method (I've
> already tried the MsgFormats=3 registry key with no success) for
outlook2003
> to be able to look for a recipients KMS cert (if I am sending in this
> method) form the GAL or automatically look in A/D for an S/MIME cert if I
am
> sending using this method ???
>
>
> Any help or comments appreciated.
>
>
> Dave Taylor.
>
>
>
>
> "Simon" wrote in message
> $23c79630$a001280a@phx.gbl...
> > Hi All,
> >
> > Firstly this is a KMS problem on MSX 5.5 sites - couldnt
> > see a newsgroup for 5.5 so I am hopefully posting here Smile

> >
> > I have been trying to figure out a way of enabling some
> > users in our Org to send SMIME message to another Org. Our
> > KMS is very old and still on NT4, and we have 500 users
> > with advanced security, plans to uprage to 2003 have
> > started but obviously take time and this is an urgent need
> > (isnt it always). Upgrading or swinging the existing KMS
> > server to new hardware at this stage seems risky from what
> > I have read.
> >
> > So after trying to get the existing KMS server to work
> > with the Cert Web Agent and a remote win2K stand alone CA
> > with no sucess (Apparently it cant be done after I spoke
> > to support). I have come up with the idea of a a seperate
> > site for these users with its own KMS server running on
> > win2k with a stand alone root CA and issueing V1 and V3
> > certs.
> >
> > After setting this up I have found that I can send
> > encrypted messages from the new site (KMS on Win2k), but
> > replying to this message or sedning a new one to a user in
> > the new site gives the error :
> > " Microsoft Outlook had problems encrypting this message
> > because the follwoing recipents had missing or invalid
> > certificates, or conflicting or unsupported encryption
> > capabilities"
> >
> > I have added the new KMS servers CA cert to the old KMS
> > servers trusted CA's list.
> >
> > My Question is really - Is this even possible (one KMS
> > server issues V3 and V1 certs the other just V1), and have
> > I missed anything ?
> >
> > Many thanks in avance if anyone can shed light on this or
> > had done this in the past.
> >
> > Thanks
> > Simon Eappariello
>
>

OWA across servers. Hi folks, I've had OWA running fine for quite a while now. Exchange 5.5 on an NT server. This server hosted both Exchange and our web site (IIS 4.0). Now, as a first step in I've moved the web site to different server running Windows Se

Two servers one IP I have two different domains behind one public IP. I have two different servers running their own exchange server 2000. abc.com and xyz.com. Both connect to same gateway and firewall. One server is running exchange server fine, I need to configure the sec

Exchange servers I have two exchange servers in the same domain connected via a VPN link. Exchange1 receives all email for DOMAIN.COM I have a single account - my new account - on Exchange2 and I can send emails to anybody anywhere perfectly and instantly. I cannot, howe

upgrading servers Hello, i have the following scenario. I came upon this client after other IT people were fired, and this whole setup seems to have been set up very inneficiently from the start. My client is running 2 servers. First server is running windows server 2003

Redundant HUB and edge servers Can I setup HUB Transport, CAS and UM server's on same box with redundancy. > Please let me know how I can build redundancy with all the three roles > running on the same box. > > I will be running Traditional cluster for mailbox server on a separate box