|Applies To||Keon Certificate Authority 6.5.1|
RSA Certificate Manager 6.6
Sun Solaris 2.6
Microsoft Exchange Server 2003
|Issue||Keon Certificate Authority cannot publish certificates to Microsoft Exchange Server 2003, but end users can do so by using the "Publish to GAL" button in the Outlook client|
Since the user upgraded all Microsoft Exchange Servers to version 2003, the "Outlook Integration" step has been unable to publish certificates. The user changed the configuration to point to the domain controllers instead of the Exchange server, and changed the call to Outlook.PublishPKCS7toGAL to specify the version as "2000" instead of "5.5", but it always fails. If the user manually clicks the "Publish to GAL" button in the Outlook client, it works fine.
|Cause||The failure is caused by an invalid search filter used to search for the user object. The bad search filter assumes the user object has a DN structure that contains "CN=<user account>,CN=Users" (the default Active Directory user object DN structure); however, users may not use the default. For example, an Acme user has a DN like "CN=<LastName, FirstName>,OU=Bedford,OU=Acme-Users,OU=Acme-People,DC=NA,DC=ACME,DC=NET". The DN doesn't have a "CN=Users" field, so the search filter won't be able to find the user object.|
The correct search filter should search for the sAMAccountName attribute or mailNickname attribute instead. Certificate publishing is confirmed to be successful when the new filter is used.
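The difference between the two lookups, as an added Python illustration (not the RSA plugin's code): the account names, the "Doe, Jane" entry and the in-memory directory are constructed sample data, and the RFC 4515 escaping of the account name is an addition that keeps filter metacharacters from changing the filter's structure.

```python
# Added illustration; the directory entries below are constructed sample data.
BASE_DN = "DC=NA,DC=ACME,DC=NET"
DIRECTORY = [
    {"dn": "CN=asmith,CN=Users," + BASE_DN,
     "sAMAccountName": "asmith", "mailNickname": "asmith"},
    {"dn": r"CN=Doe\, Jane,OU=Bedford,OU=Acme-Users,OU=Acme-People," + BASE_DN,
     "sAMAccountName": "jdoe", "mailNickname": "jdoe"},
]

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an account name so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def assumed_dn(account):
    """The DN layout the failing lookup assumed: CN=<account>,CN=Users,..."""
    return f"CN={account},CN=Users,{BASE_DN}"


def account_filter(account):
    """Filter on account attributes, independent of the object's location."""
    v = escape_filter_value(account)
    return f"(|(sAMAccountName={v})(mailNickname={v}))"


def find_by_assumed_dn(account):
    """Succeeds only when the object sits in the default CN=Users container."""
    target = assumed_dn(account).lower()
    return [e["dn"] for e in DIRECTORY if e["dn"].lower() == target]


def find_by_account(account):
    """In-memory stand-in for a subtree search using account_filter()."""
    wanted = account.lower()
    return [e["dn"] for e in DIRECTORY
            if wanted in (e["sAMAccountName"].lower(), e["mailNickname"].lower())]


if __name__ == "__main__":
    for name in ("asmith", "jdoe"):
        print(name, find_by_assumed_dn(name), find_by_account(name))
    print(account_filter("jdoe"))
```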
|Resolution||Contact RSA Security Customer Support to request the following hot fixes, which contain the updated plugin version 220.127.116.11:|
- KCA 6.5.1 build 253 or higher
- RCM 6.6.1
|Legacy Article ID||a29118|