Cannot send encrypted message in Outlook Web Access S/MIME when the recipient's encryption certificate is missing from Active Directory or the Contacts folder

 

Problem description

To successfully send an encrypted e-mail message, the sender must have the recipient's encryption certificate available as the message is sent. Outlook Web Access S/MIME can use a recipient's encryption certificate if it is present either in Active Directory or in the sender's Contacts folder. If Outlook Web Access S/MIME is unable to retrieve the recipient's encryption certificate when the message is sent, an error will be logged.

Note

Although Outlook Web Access can use a digital certificate that is attached to an item in the Contacts folder in Exchange, you cannot add a digital certificate to an item in the Contacts folder using Outlook Web Access. Instead, you must use Outlook to add a digital certificate to a contact.

Resolution

To resolve this issue, make the recipient's encryption certificate available either in Active Directory or in the sender's Contacts folder. To make the recipient's encryption certificate available in Active Directory, do either of the following:

To install the encryption certificate as part of the enrollment process, you should check with the PKI administrator to determine the enrollment process for your organization, and then use that process to install the recipient's encryption certificate in the personal certificate store on the Outlook Web Access computer.
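
To confirm that a usable encryption certificate for the recipient is actually present in Active Directory, a check like the following can be run. It is an added example, not code from the original article or from Microsoft. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module, that certificates are published in the `userCertificate` or `userSMIMECertificate` attributes, and that an RSA encryption certificate carries the key encipherment key usage; the function names are hypothetical.

```powershell
# Added example. Assumes certificates are published in userCertificate (DER)
# or userSMIMECertificate (PKCS #7 SignedData) on the recipient's user object.
Add-Type -AssemblyName System.Security

function Test-EncryptionCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [datetime]$At = (Get-Date))
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        InValidity = ($At -ge $Cert.NotBefore) -and ($At -le $Cert.NotAfter)
        # No key usage extension means the key is not restricted to particular uses.
        CanEncrypt = (-not $ku) -or $ku.KeyUsages.HasFlag($need)
    }
}

function Get-RecipientEncryptionCertificate {
    param([Parameter(Mandatory)][string]$Identity)   # sAMAccountName, DN, GUID or SID
    $user = Get-ADUser -Identity $Identity -Properties userCertificate, userSMIMECertificate
    $certs = @()
    foreach ($der in $user.userCertificate) {
        $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }
    foreach ($p7 in $user.userSMIMECertificate) {
        $cms = [System.Security.Cryptography.Pkcs.SignedCms]::new()
        $cms.Decode([byte[]]$p7)          # SignedData wrapper; may carry several certificates
        $certs += $cms.Certificates
    }
    # Keep only certificates that are inside their validity period and allow encryption.
    $certs | ForEach-Object { Test-EncryptionCertificate -Cert $_ } |
        Where-Object { $_.InValidity -and $_.CanEncrypt }
}

# Constructed sample: a throwaway self-signed, signing-only certificate, checked without AD.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=recipient.example', $rsa, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$req.CertificateExtensions.Add(
    [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new(
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature, $true))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
Test-EncryptionCertificate -Cert $sample
```

An empty result from `Get-RecipientEncryptionCertificate` means no certificate in those attributes is both within its validity period and permitted for encryption, which matches the condition described in this article.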