Different certificates used when using Outlook and Outlook Web Access with S/MIME control

 

Problem description

In Active Directory, S/MIME digital certificates can be stored in two attributes: the userCertificate attribute and the userSMIMECertificate attribute. By default, Outlook looks first at the userSMIMECertificate attribute and uses any viable S/MIME certificate found there. By default, Outlook Web Access looks first at the userCertificate attribute and uses any viable S/MIME certificate found there.

If different digital certificates are stored in the userCertificate and userSMIMECertificate attributes, it is possible for Outlook and Outlook Web Access to use different digital certificates because they each look at different Active Directory attributes.

Resolution

To resolve this issue, ensure that the same certificates are stored in both the userCertificate and userSMIMECertificate attributes. For more information, see Microsoft Knowledge Base article 822504, "Outlook 2003 Continues to Use Old Certificates After You Migrate from Key Management Server to Public Key Infrastructure."
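
To check whether a user's two attributes hold the same certificates, the following PowerShell can be used. It is an added example, not part of the original article or of any Microsoft tooling; it assumes the RSAT ActiveDirectory module and read access to the directory, and the function names and the account name `jdoe` are hypothetical.

```powershell
# Added example; assumes the RSAT ActiveDirectory module and directory read access.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Security   # provides SignedCms for PKCS #7 parsing

function Get-CertsFromBlob {             # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Blob)
    # userSMIMECertificate values are typically PKCS #7 SignedData wrapping the
    # certificates; userCertificate values are plain DER-encoded X.509.
    try {
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode($Blob)
        $cms.Certificates
    } catch {
        # Not PKCS #7: treat the value as a single DER certificate.
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Blob)
    }
}

function Compare-SmimeCertAttributes {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Identity)
    $attrs = 'userCertificate', 'userSMIMECertificate'
    $user  = Get-ADUser -Identity $Identity -Properties $attrs
    # One row per certificate per attribute; empty attributes yield no rows.
    $found = @(foreach ($attr in $attrs) {
        foreach ($blob in $user.$attr) {
            foreach ($cert in Get-CertsFromBlob -Blob $blob) {
                [pscustomobject]@{
                    Attribute  = $attr
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    })
    # Group by thumbprint: a certificate seen in only one attribute is a mismatch.
    $found | Group-Object Thumbprint | ForEach-Object {
        $in = @($_.Group.Attribute | Sort-Object -Unique)
        [pscustomobject]@{
            Thumbprint = $_.Name
            Subject    = $_.Group[0].Subject
            NotAfter   = $_.Group[0].NotAfter
            FoundIn    = $in -join ', '
            Mismatch   = ($in.Count -lt 2)
        }
    }
}

# 'jdoe' is a placeholder account name.
Compare-SmimeCertAttributes -Identity 'jdoe' | Format-Table -AutoSize
```

Any row with `Mismatch` set to `True` is a certificate that only one of the two clients will find by default. The `NotAfter` column helps spot expired certificates left behind in one attribute.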