Microsoft KB Archive/927463

= Error message when an Exchange 2003 Outlook Web Access client tries to send a digitally signed or encrypted e-mail message: "A digital ID that allows you to encrypt this message is missing" =

Article ID: 927463

Article Last Modified on 10/25/2007


APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition




SYMPTOMS
When you try to send a digitally signed or encrypted e-mail message by using Microsoft Office Outlook Web Access, the message is not sent. Additionally, you receive one of the following error messages:

Error message 1

A digital ID that allows you to encrypt this message is missing. If your digital ID isn't trusted by the Exchange Server, you can't use it to encrypt messages. Ask your server administrator to have the issuer of the digital ID trusted, or send the message unencrypted. If you have smart card-based ID insert the card and try to send the message again.

Error message 2

You are attempting to sign the message with an invalid digital Id. The certificate chain that contains the digital ID was not created properly. Try sending without a digital signature.





CAUSE
This issue occurs because the trusted root certification authority (CA) certificate or the intermediate CA certificate for the issuer of the digital ID that you are using is not installed on the Microsoft Exchange Server 2003 front-end servers and back-end servers that are used for Outlook Web Access.



RESOLUTION
To resolve this issue, use one of the following methods.

Method 1: Use a Group Policy configuration
Use a Group Policy configuration to distribute certificates that will be trusted by all member computers of the domain. For more information about how to add a trusted root CA to a Group Policy object, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/Library/4b7ea7f9-311a-479b-aecc-c856165b97c11033.mspx

Method 2: Manually install certificates

 * 1) Use an account that has Domain Administrator credentials to log on to the Exchange server that is used for Outlook Web Access.
 * 2) Click Start, click Run, type mmc, and then click OK.
 * 3) On the File menu, click Add/Remove Snap-in.
 * 4) Click Add.
 * 5) Click Certificates, and then click Add.
 * 6) Click My user account, and then click Finish.
 * 7) Click Add, click Computer account, click Next, and then click Finish.
 * 8) Click Close, and then click OK. The list of certificate categories for the local computer appears in the snap-in window.
 * 9) Expand Certificates - Current User, right-click Intermediate Certification Authorities, point to All Tasks, and then click Import.
 * 10) Use the wizard to import the file that you obtained from your CA.
 * 11) Expand Certificates - Local Computer, right-click Intermediate Certification Authorities, point to All Tasks, and then click Import.
 * 12) Use the wizard to import the file that you obtained from your CA.
 * 13) Repeat steps 9 through 12 for the trusted root CA certificate.
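
The command-line equivalent of Method 2, as an added example that is not part of the original article: it uses certutil.exe to import the CA certificates into the Current User and Local Computer stores, then checks that a user's S/MIME certificate chains to a trusted root. The file paths are placeholders, and placing the root CA certificate in the Trusted Root Certification Authorities store (Root) is an assumption about what step 13 intends.

```batch
@echo off
rem Added example, not Microsoft's own script. Run on each Outlook Web Access
rem front-end and back-end server, logged on with the administrator account
rem from step 1. All three file paths below are placeholders.
setlocal
set INTERMEDIATE=C:\certs\intermediate-ca.cer
set ROOT=C:\certs\root-ca.cer
set USERCERT=C:\certs\user-smime.cer

rem Before trusting a CA certificate, display it and compare the
rem "Cert Hash(sha1)" value with the thumbprint your CA publishes out of band.
certutil -dump "%INTERMEDIATE%"
certutil -dump "%ROOT%"
echo Compare the thumbprints above with the CA's published values.
echo Press Ctrl+C to stop if they do not match.
pause

rem Steps 9-12: intermediate CA certificate into the
rem "Intermediate Certification Authorities" store (store name CA),
rem first for the current user (-user), then for the local computer.
certutil -user -addstore CA "%INTERMEDIATE%" || goto :fail
certutil -addstore CA "%INTERMEDIATE%" || goto :fail

rem Step 13: root CA certificate. Assumption: it belongs in the
rem "Trusted Root Certification Authorities" store (store name Root).
certutil -user -addstore Root "%ROOT%" || goto :fail
certutil -addstore Root "%ROOT%" || goto :fail

rem A trust chain can have more than one intermediate CA: repeat the two
rem "-addstore CA" commands for every intermediate certificate in the chain.

rem List the stores to confirm that the certificates are present.
certutil -user -store CA
certutil -store CA
certutil -user -store Root
certutil -store Root

rem Build and validate the chain for a user's signing/encryption certificate.
rem The output shows each chain element and any trust or revocation error.
certutil -verify "%USERCERT%" || goto :fail

echo Certificate chain verified.
exit /b 0

:fail
echo A certutil command failed; review the output above.
exit /b 1
```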



MORE INFORMATION
Exchange 2003 requires that you add the trust chain to the administrator account and to the local computer accounts. A trust chain can have more than one intermediate CA. After you add the trust chain, the certification path is available to Exchange Server. This allows for S/MIME to work successfully.


© Microsoft Corporation. All rights reserved.