000022551 - Keon Certificate Authority cannot publish certificate to Microsoft Exchange Server 2003, but end users can do so by using 'Publish to GAL' button in Outlook client

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000022551

Applies To:
- Keon Certificate Authority 6.5.1
- RSA Certificate Manager 6.6
- Sun Solaris 2.6
- Microsoft Exchange Server 2003

Issue: Keon Certificate Authority cannot publish certificate to Microsoft Exchange Server 2003, but end users can do so by using "Publish to GAL" button in Outlook client
Since the user upgraded all Microsoft Exchange Servers to version 2003, the "Outlook Integration" step has been unable to publish certificates. The user changed the configuration to point to the domain controllers instead of the Exchange server, and changed the call to Outlook.PublishPKCS7toGAL to specify the version as "2000" instead of "5.5", but it always fails. If the user manually clicks the "Publish to GAL" button in the Outlook client, it works fine.

Cause: The failure is caused by an invalid search filter used to search for the user object. The bad search filter assumes the user object has a DN structure that contains "CN=<user account>,CN=Users" (the default Active Directory user object DN structure); however, users may not use the default. For example, an Acme user has a DN like "CN=<LastName, FirstName>,OU=Bedford,OU=Acme-Users,OU=Acme-People,DC=NA,DC=ACME,DC=NET". The DN doesn't have a "CN=Users" component, so the search filter won't be able to find the user object.

The correct search filter should search for the sAMAccountName attribute or mailNickname attribute instead. Certificate publishing is confirmed to be successful when the new filter is used.
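
The difference between the two lookups, as an added example (not code from the RSA plugin): the assumed "CN=Users" DN misses a user stored under a custom OU path, while a filter on sAMAccountName or mailNickname finds it. The directory entry, the "jdoe" account and all function names are constructed for illustration, and the filter value is escaped per RFC 4515 so an account name cannot alter the filter.

```python
# Added example; entries and names are constructed, not RSA plugin code.
BASE_DN = "DC=NA,DC=ACME,DC=NET"
DIRECTORY = [  # constructed sample entry using a non-default DN layout
    {"dn": r"CN=Doe\, Jane,OU=Bedford,OU=Acme-Users,OU=Acme-People," + BASE_DN,
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": "jdoe", "mailNickname": "jdoe"},
]

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is treated as a literal inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def assumed_dn(account, base_dn=BASE_DN):
    """Fragile: assumes the default CN=<user account>,CN=Users layout."""
    return f"CN={account},CN=Users,{base_dn}"


def account_filter(account):
    """Filter string to send in a subtree search from the domain base."""
    v = escape_filter_value(account)
    return f"(&(objectClass=user)(|(sAMAccountName={v})(mailNickname={v})))"


def find_by_dn(directory, dn):
    """Lookup that succeeds only when the exact DN exists."""
    return [e for e in directory if e["dn"].lower() == dn.lower()]


def find_by_account(directory, account):
    """In-memory stand-in for evaluating account_filter() (equality match)."""
    a = account.lower()
    return [e for e in directory
            if "user" in e["objectClass"]
            and a in (e["sAMAccountName"].lower(), e["mailNickname"].lower())]


if __name__ == "__main__":
    print(find_by_dn(DIRECTORY, assumed_dn("jdoe")))   # no match
    print(account_filter("jdoe"))
    print([e["dn"] for e in find_by_account(DIRECTORY, "jdoe")])
```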

Resolution: Contact RSA Security Customer Support to request the following hot fixes, which contain the updated plugin version:

- KCA 6.5.1 build 253 or higher

- RCM 6.6.1

Legacy Article ID: a29118