Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Error message when an Exchange 2003 Outlook Web Access client tries to send a digitally signed or encrypted e-mail message: "A digital ID that allows you to encrypt this message is missing"



Symptoms

When you try to send a digitally signed or encrypted e-mail message by using Microsoft Office Outlook Web Access, the message is not sent. Additionally, you receive one of the following error messages:
  • Error message 1
    A digital ID that allows you to encrypt this message is missing. If your digital ID isn't trusted by the Exchange Server, you can't use it to encrypt messages. Ask your server administrator to have the issuer of the digital ID trusted, or send the message unencrypted. If you have smart card-based ID insert the card and try to send the message again.
  • Error message 2
    You are attempting to sign the message with an invalid digital Id. The certificate chain that contains the digital ID was not created properly. Try sending without a digital signature.


Cause

This issue occurs because the trusted root certification authority (CA) certificate or the intermediate CA certificate for the issuer of the digital ID that you are using is not installed on the Microsoft Exchange Server 2003 front-end servers and back-end servers that are used for Outlook Web Access.

This issue can also occur if the following conditions are true:
  • A certificate does not have an entry in the Subject Name of the certificate that matches the SMTP address.
  • A certificate is not published in the Active Directory directory service.


Resolution

To resolve this issue, use one of the following methods.

Method 1: Use a Group Policy configuration

Use a Group Policy configuration to distribute certificates that will be trusted by all member computers of the domain. For more information about how to add a trusted root CA to a Group Policy object, visit the following Microsoft Web site:

Method 2: Manually install certificates

  1. Use an account that has Domain Administrator credentials to log on to the Exchange server that is used for Outlook Web Access.
  2. Click Start, click Run, type mmc, and then click OK.
  3. On the File menu, click Add/Remove Snap-in.
  4. Click Add.
  5. Click Certificates, and then click Add.
  6. Click My user account, and then click Finish.
  7. Click Add, click Computer account, click Next, and then click Finish.
  8. Click Close, and then click OK. The list of certificate categories for the local computer appears in the snap-in window.
  9. Expand Certificates - Current User, right-click Intermediate Certification Authorities, point to All Tasks, and then click Import.
  10. Use the wizard to import the file that you obtained from your CA.
  11. Expand Certificates - Local Computer, right-click Intermediate Certification Authorities, point to All Tasks, and then click Import.
  12. Use the wizard to import the file that you obtained from your CA.
  13. Repeat steps 9 through 12 for the trusted root CA certificate.

Make sure that the certificate Subject has an entry that corresponds to the user's e-mail address. For example, the entry might be:

CN= Some One E=someone@microsoft.com

Or, you can publish the user's certificate to Active Directory. This is easy to do in Outlook by using the Publish to GAL option. An administrator can also publish the certificate from the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.


More information

Exchange 2003 requires that you add the trust chain to the administrator account and to the local computer accounts. A trust chain can have more than one intermediate CA. After you add the trust chain, the certification path is available to Exchange Server. This allows for S/MIME to work successfully.
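
To check the result of Method 2 on the Exchange server, the following added example (not part of the original article) builds the certification path for a user's exported certificate in both the current user and local computer contexts and compares the e-mail name in the certificate with the user's SMTP address. The function name Test-SmimeCertificate, its parameters, and the file path in the usage line are assumptions made for illustration.

```powershell
# Added example: Test-SmimeCertificate is a hypothetical helper, not part of the KB article.
function Test-SmimeCertificate {
    param(
        [string]$Path,        # user's certificate exported to a .cer file
        [string]$SmtpAddress  # SMTP address that the certificate must carry
    )
    $file = (Resolve-Path $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # E-mail name taken from the subject alternative name or the subject's E= attribute.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName
    $email = $cert.GetNameInfo($nameType, $false)

    # Build the chain in the current user context ($false), then in the
    # local computer context ($true), matching the two stores used in Method 2.
    foreach ($useMachine in $false, $true) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $useMachine
        # Skip revocation checks so the result reflects only which CA certificates are installed.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($cert)

        # PartialChain:  an issuing (intermediate) CA certificate was not found.
        # UntrustedRoot: the root CA is not in Trusted Root Certification Authorities.
        $status   = @($chain.ChainStatus   | ForEach-Object { $_.Status }) -join ', '
        $certPath = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        $context  = if ($useMachine) { 'Local Computer' } else { 'Current User' }

        New-Object PSObject -Property @{
            Context      = $context
            ChainBuilt   = $built
            ChainStatus  = $status
            CertPath     = $certPath
            EmailInCert  = $email
            EmailMatches = ($email -eq $SmtpAddress)  # -eq ignores case for strings
        }
    }
}

# Usage (placeholder path; the address is the article's sample value):
# Test-SmimeCertificate -Path 'C:\temp\someone.cer' -SmtpAddress 'someone@microsoft.com' | Format-List
```

ChainBuilt should be True with an empty ChainStatus in both contexts, and EmailMatches should be True, once the trust chain and the certificate subject are correct.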


Keywords: KB927463, kbtshoot, kbprb, kberrmsg, kbexchowa

Article Info
Article ID : 927463
Revision : 3
Created on : 1/9/2009
Published on : 1/9/2009