S/MIME Certificate Issues in Entourage

rma

Hi all,

I recently moved over to Entourage from Outlook in an Exchange
environment and am having lots of problems getting secure email using
digital certificates to work.

What I know:

* My certificate in Active Directory is correct and up to date

* My digital certificates were installed using the MS Certificate
Manager in Mac OS X 10.4.8

* My digital certificates are active and valid according to Keychain
access.

* My digital certificates are stored in the login keychain (that is
where the MS tool put them)

* My corporation's root certificate is stored in X.509 Anchors

* If someone uses Outlook to send me an encrypted email when I try to
open it I get a "There was an error processing this secure message" and
an smime.p7m is attached to the email.

* I can open the same email, that won't open in entourage, using
another Outlook client or my blackberry using the exact same
certificates that are installed on my mac

* If someone uses a blackberry to send me an encrypted message, it works
fine in entourage and other clients.

* If someone else uses Entourage to send me an encrypted message, it
works fine in entourage and other clients.

* If I send an encrypted email to myself from Outlook and open my
exchange inbox with Entourage, I can't open the email.

* If I send an encrypted email to myself from Entourage I can open the
email.

* Individuals using Outlook to send me emails have deleted all
cached/older copies of my certificate using the windows certificate
manager or from within outlook attached to my contact entry. This
would, presumably, force the client to re-fetch the certificate from
the AD. Still no luck.


So basically, encrypted emails sent by anyone using Outlook (which is
basically everyone) won't open in Entourage. I get the smime.p7m
attachment and a decryption error.

I'm out of ideas. Other thoughts on what I am doing wrong and what I
should check?

Thanks!
 
Diane Ross

I recently moved over to Entourage from Outlook in an Exchange
environment and am having lots of problems getting secure email using
digital certificates to work.

Check out the section "Getting Started with S/MIME on Entourage"

<http://www.entourage.mvps.org/smime/index.html>

--
Diane Ross, Microsoft Mac MVP
Entourage Help Page
<http://www.entourage.mvps.org/>
The Entourage Blog lists the EHP as one of the top five Microsoft Entourage
resources.
<http://blogs.msdn.com/entourage/>
 
Diane Ross

I have consulted this and many other "how-to" guides with no luck. My
original post describes in detail what is working and what isn't
working. Any other ideas? Appreciate your help.

Since I do not use exchange my ability to help is limited. Hopefully someone
else with more experience will chime in soon.

--
Diane Ross, Microsoft Mac MVP
Entourage Help Page
<http://www.entourage.mvps.org/>
The Entourage Blog lists the EHP as one of the top five Microsoft Entourage
resources.
<http://blogs.msdn.com/entourage/>
 
Corentin Cras-Méneur

rma said:
Hi all,
Hi,

I recently moved over to Entourage from Outlook in an Exchange
environment and am having lots of problems getting secure email using
digital certificates to work.

What I know:

* My certificate in Active Directory is correct and up to date
Good.

* My digital certificates were installed using the MS Certificate
Manager in Mac OS X 10.4.8
Good

* My digital certificates are active and valid according to Keychain
access.


It means the Cert manager did its work and the cert is properly
registered in the system.

* My digital certificates are stored in the login keychain (that is
where the MS tool put them)


Same thing.

* My corporation's root certificate is stored in X.509 Anchors


Good.

Have you tried Keychain first Aid in the menus of the Keychain app to
make sure the certificates were not corrupted in any way??

* If someone uses Outlook to send me an encrypted email when I try to
open it I get a "There was an error processing this secure message" and
an smime.p7m is attached to the email.

Do you have the sender's public certificate in your e-mails?? You'll
need that to decrypt an e-mail. You could import it manually (find an
e-mail sent by the same person with a digital signature and with a bit of
luck it'll have his public cert that you can import by a simple click).

* I can open the same email, that won't open in entourage, using
another Outlook client or my blackberry using the exact same
certificates that are installed on my mac

Well any chance you have the sender's cert there?

The way it works is the following: the sender must have your public
cert. Your public cert is used to encode the message. On your side, you
will need the sender's public key to open the message sent for you with
your public key.
* If someone uses a blackberry to send me an encrypted message, it works
fine in entourage and other clients.

* If someone else uses Entourage to send me an encrypted message, it
works fine in entourage and other clients.

It makes sense.

* If I send an encrypted email to myself from Outlook and open my
exchange inbox with Entourage, I can't open the email.


Now that's really really weird. You should have your own cert in your
keychain so it shouldn't be an issue (unless you have two different
certs). What happens if you send a signed e-mail to yourself from
Outlook and open it in Entourage ?? Is the signature valid?? Do you have
the option to import the cert??

* If I send an encrypted email to myself from Entourage I can open the
email.


This makes sense (and makes me suspect even more that you might have -
without even knowing it - two different certificates). It could also
explain why you can't open the encrypted messages sent to you: they are
encrypted using the public key corresponding to the account you have on
Outlook on the other machine.

* Individuals using Outlook to send me emails have deleted all
cached/older copies of my certificate using the windows certificate
manager or from within outlook attached to my contact entry. This
would, presumably, force the client to re-fetch the certificate from
the AD. Still no luck.

Yeah, that's the part I'm not familiar with... I don't use AD and have
no idea how the certificate is being pulled from there :-\

So basically, encrypted emails sent by anyone using Outlook (which is
basically everyone) won't open in Entourage. I get the smime.p7m
attachment and a decryption error.

Try the following:
Find someone who doesn't have your cert on his PC (or delete it from the
PC).
Send this person a signed e-mail from Entourage and let him import your
public cert from this e-mail. Ask the person to then send you an
encrypted e-mail to Entourage.

I hope that's it... Otherwise I have no idea what could be wrong,


Corentin
 
Corentin Cras-Méneur

Diane Ross said:
Since I do not use exchange my ability to help is limited. Hopefully someone
else with more experience will chime in soon.


:) It's not an Exchange issue Diane. It looks more related to Active
Directory.
Anyway, I tried to answer the best I could (directly to the first post).


Corentin
 
rma

:) It's not an Exchange issue Diane. It looks more related to Active
Directory.
Anyway, I tried to answer the best I could (directly to the first post).


Corentin

Thanks everyone for your comments. I have done lots more testing and I
am nearly convinced it is a bug in Entourage.

Corentin, I previously tried your suggestions and unfortunately those
didn't work either.

My new tests:

* If I open my Exchange inbox with Entourage there are encrypted emails
that won't open, instead giving an error as noted earlier in this
thread.

* If I open my Exchange inbox with Mail.app I can open the exact
encrypted emails with no problems. Mail.app and Entourage are both
using keychain for the certificates (they are using the same
certificates) so this really leads me to believe this is a bug in
Entourage.

* I saved the raw source from Mail.app and Entourage for the exact same
email. I exchanged headers and then reopened the file in Entourage,
still doesn't work. So the email header is not the issue.

* I then saved the raw source from Entourage of an encrypted email that
does open in Entourage. I swapped the data section (base64 encoded)
from this saved email with the data section from another saved
encrypted Entourage email (that doesn't open in Entourage). The
resultant email now opens in Entourage. To me, this means that there
is something in the base64 encoded data section that Entourage is not
properly parsing.

I think I have eliminated certificates, exchange and AD as being
issues. All of my testing now leads me to believe there is a bug in
the Entourage S/MIME parser.
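
Added example (not part of the original thread, and not Entourage or Outlook code): the base64 data section rma swapped decodes to a CMS EnvelopedData structure, so a message that opens and one that does not can be compared field by field without decrypting either. This Python sketch reports how each recipient is identified and which algorithms are named; `envelope_summary`, `sample`, `ISSUER_SERIAL` and `SUBJECT_KEY_ID` are names made up here, and the two sample messages are constructed and say nothing about what either client actually emits.

```python
OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.3.7": "des-ede3-cbc",
        "2.16.840.1.101.3.4.1.2": "aes128-cbc"}  # anything else is shown in dotted form

def tlv(buf, pos):  # read one element: (tag, value bytes, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n == 0x80:  # BER indefinite length is legal in CMS but not handled here
        raise ValueError("indefinite-length BER; convert to DER before comparing")
    if n & 0x80:   # long form: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def children(value):  # split a constructed element's contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def oid(value):  # decode OBJECT IDENTIFIER contents to a name or dotted string
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    dotted = ".".join(map(str, arcs))
    return OIDS.get(dotted, dotted)

def envelope_summary(der):  # CMS EnvelopedData (RFC 5652) metadata; nothing is decrypted
    wrapped = children(tlv(der, 0)[1])[1][1]           # ContentInfo: OID, then [0] content
    fields = children(tlv(wrapped, 0)[1])              # EnvelopedData fields
    rinfos = children(next(v for t, v in fields if t == 0x31))   # SET OF RecipientInfo
    eci = children(next(v for t, v in fields if t == 0x30))      # EncryptedContentInfo
    ktri = [children(v) for t, v in rinfos if t == 0x30]         # KeyTransRecipientInfo only
    recipients = [("issuerAndSerialNumber" if k[1][0] == 0x30 else "subjectKeyIdentifier",
                   oid(children(k[2][1])[0][1])) for k in ktri]
    return {"recipients": recipients, "skipped": len(rinfos) - len(ktri),
            "content_alg": oid(children(eci[1][1])[0][1])}

def enc(tag, *parts):  # builder for the constructed samples; short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample(rid, cea_hex):  # constructed message with dummy key and ciphertext, not real mail
    alg = lambda h: enc(0x30, enc(0x06, bytes.fromhex(h)))
    ktri = enc(0x30, enc(0x02, b"\0"), rid, alg("2a864886f70d010101"), enc(0x04, b"K" * 8))
    eci = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d010701")), alg(cea_hex), enc(0x80, b"C" * 8))
    env = enc(0x30, enc(0x02, b"\0"), enc(0x31, ktri), eci)
    return enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d010703")), enc(0xA0, env))
ISSUER_SERIAL = enc(0x30, enc(0x30), enc(0x02, b"\x01"))   # rid as issuerAndSerialNumber
SUBJECT_KEY_ID = enc(0x80, b"\x11" * 20)                   # rid as [0] subjectKeyIdentifier
```

For real mail, pass `base64.b64decode()` of the data section saved from the raw source to `envelope_summary` for both messages and compare the two dictionaries.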
 
