PDA

View Full Version : published certificates in outlook use order

Andrey Kreitor
Hi,
Please let me know which one of the published in AD certificates
Outlook does use? For example a user may have multiple certificates
published in AD.
I know, first it looks at usersmime...attribute, then usercertificate
attr.

How to assign a "default certificate" in AD for a particular account ?
Steven L Umbach
I believe the user account will use the first available certificate that can
authenticate the user if there is more than one certificate that can be
used. I don't know if you can create a default certificate and am not sure
of what the advantage of that would be anyhow. If you have users that have
certificates that they are not supposed to have you may have to revoke their
certificates and review who has permissions to enroll for certificates which
you can manage in AD Sites and Services but you will have to select view and
enable the services node to access the certificate templates. --- Steve


"Andrey Kreitor" wrote in message
news:670d9223.0410070632.41a0b513@posting.google.com...
> Hi,
> Please let me know which one of the published in AD certificates
> Outlook does use? For example a user may have multiple certificates
> published in AD.
> I know, first it looks at usersmime...attribute, then usercertificate
> attr.
>
> How to assign a "default certificate" in AD for a particular account ?


Andrey Kreitor
Hi,
Sometimes operations like cert revoking, crls publishing are quite
time consuming, preceding exchange kms installations with non
recoverable private keys etc... and i need that users would be
e-mailed with "right" certs :)

it seems when i click "publish in gal" button in outlook, the
certificate i use at this very moment becomes the first available for
other AD users. Am i right?

I tried to clear users' cert attributes via ADSI edit, but something
goes wrong and mmc console just hangs and quits after all... Probably
there is some kind of script?

Thanks in advance.




"Steven L Umbach" wrote in message news:<4Xh9d.200057$MQ5.98887@attbi_s52>...
> I believe the user account will use the first available certificate that can
> authenticate the user if there is more than one certificate that can be
> used. I don't know if you can create a default certificate and am not sure
> of what the advantage of that would be anyhow. If you have users that have
> certificates that they are not supposed to have you may have to revoke their
> certificates and review who has permissions to enroll for certificates which
> you can manage in AD Sites and Services but you will have to select view and
> enable the services node to access the certificate templates. --- Steve
>
>
> "Andrey Kreitor" wrote in message
> news:670d9223.0410070632.41a0b513@posting.google.com...
> > Hi,
> > Please let me know which one of the published in AD certificates
> > Outlook does use? For example a user may have multiple certificates
> > published in AD.
> > I know, first it looks at usersmime...attribute, then usercertificate
> > attr.
> >
> > How to assign a "default certificate" in AD for a particular account ?
Steven L Umbach
Hi Andrey.

I am not familiar with Outlook so I can't really advise on that. You might
also want to post in an Outlook and/or Exchange newsgroup. --- Steve


"Andrey Kreitor" wrote in message
news:670d9223.0410072056.3a3d96fe@posting.google.com...
> Hi,
> Sometimes operations like cert revoking, crls publishing are quite
> time consuming, preceding exchange kms installations with non
> recoverable private keys etc... and i need that users would be
> e-mailed with "right" certs :)
>
> it seems when i click "publish in gal" button in outlook, the
> certificate i use at this very moment becomes the first available for
> other AD users. Am i right?
>
> I tried to clear users' cert attributes via ADSI edit, but something
> goes wrong and mmc console just hangs and quits after all... Probably
> there is some kind of script?
>
> Thanks in advance.
>
>
>
>
> "Steven L Umbach" wrote in message
> news:<4Xh9d.200057$MQ5.98887@attbi_s52>...
>> I believe the user account will use the first available certificate that
>> can
>> authenticate the user if there is more than one certificate that can be
>> used. I don't know if you can create a default certificate and am not
>> sure
>> of what the advantage of that would be anyhow. If you have users that
>> have
>> certificates that they are not supposed to have you may have to revoke
>> their
>> certificates and review who has permissions to enroll for certificates
>> which
>> you can manage in AD Sites and Services but you will have to select view
>> and
>> enable the services node to access the certificate templates. --- Steve
>>
>>
>> "Andrey Kreitor" wrote in message
>> news:670d9223.0410070632.41a0b513@posting.google.com...
>> > Hi,
>> > Please let me know which one of the published in AD certificates
>> > Outlook does use? For example a user may have multiple certificates
>> > published in AD.
>> > I know, first it looks at usersmime...attribute, then usercertificate
>> > attr.
>> >
>> > How to assign a "default certificate" in AD for a particular account ?


=?Utf-8?B?QXlkaW5L?=
Hi,
you can use ListSMIMECerts.vbs script to delete all the smime certificates.
You can find it from the following link :
http://www.microsoft.com/downloads/details.aspx?FamilyID=2305405C-FAF1-488A-A856-AD467BB59B26&displaylang=en

I think you can have a look at
"Implementing and Maintaining PKI to Support Message Security in Exchange
2003"
it may help you to understand the search order of the attributes related to
the certificates. And some differences between email client behaviours.
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3MsgSecGuide/0df107e5-8f2c-42d2-9a4c-165f99108c48.mspx

AydinK

"Andrey Kreitor" wrote:

> Hi,
> Sometimes operations like cert revoking, crls publishing are quite
> time consuming, preceding exchange kms installations with non
> recoverable private keys etc... and i need that users would be
> e-mailed with "right" certs :)
>
> it seems when i click "publish in gal" button in outlook, the
> certificate i use at this very moment becomes the first available for
> other AD users. Am i right?
>
> I tried to clear users' cert attributes via ADSI edit, but something
> goes wrong and mmc console just hangs and quits after all... Probably
> there is some kind of script?
>
> Thanks in advance.
>
>
>
>
> "Steven L Umbach" wrote in message news:<4Xh9d.200057$MQ5.98887@attbi_s52>...
> > I believe the user account will use the first available certificate that can
> > authenticate the user if there is more than one certificate that can be
> > used. I don't know if you can create a default certificate and am not sure
> > of what the advantage of that would be anyhow. If you have users that have
> > certificates that they are not supposed to have you may have to revoke their
> > certificates and review who has permissions to enroll for certificates which
> > you can manage in AD Sites and Services but you will have to select view and
> > enable the services node to access the certificate templates. --- Steve
> >
> >
> > "Andrey Kreitor" wrote in message
> > news:670d9223.0410070632.41a0b513@posting.google.com...
> > > Hi,
> > > Please let me know which one of the published in AD certificates
> > > Outlook does use? For example a user may have multiple certificates
> > > published in AD.
> > > I know, first it looks at usersmime...attribute, then usercertificate
> > > attr.
> > >
> > > How to assign a "default certificate" in AD for a particular account ?
>