Cannot access CRLs when the user's Exchange server lacks rights to access CRL distribution point

Problem description

This issue is similar to the previously discussed issues in which the user's Exchange server is unable to reach CRL distribution points. In this instance, however, the user's Exchange server is able to connect to the CRL distribution point but fails to download the CRL, because access to the CRL distribution point is restricted and the LocalSystem account of the user's Exchange server has not been granted rights to access it.

As in the previous scenarios, if a user's Exchange server is unable to retrieve CRLs, the user may be unable to send signed or encrypted e-mail messages, depending on the value of the CheckCRL registry key. For more information about this registry key, see "CheckCRL (DWord)" in Outlook Web Access S/MIME Control-Related Settings.
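The following diagnostic script is an added example, not part of this article: it fetches a CRL from an HTTP distribution point and classifies the result into the scenarios described above (cannot connect, connects but access is restricted, CRL downloaded). The URL `http://cdp.example.test/crl.crl` is a placeholder; run the script on the Exchange server itself so the probe goes through the same network path. It assumes an HTTP CDP and probes anonymous access only, so an HTTP 401/403 indicates that the distribution point requires rights the requesting account has not been granted.

```python
"""Classify why a CRL download from a distribution point (CDP) fails."""
import urllib.error
import urllib.request
from dataclasses import dataclass

# Outcomes mirror the scenarios in the text: the CDP cannot be reached, it is
# reachable but refuses the request (access restricted), or the CRL downloads.
UNREACHABLE = "unreachable"
ACCESS_RESTRICTED = "access-restricted"
HTTP_ERROR = "http-error"
NOT_A_CRL = "not-a-crl"
OK = "ok"


@dataclass
class CrlCheck:
    outcome: str
    detail: str
    size: int = 0


def check_crl_download(url, open_fn=urllib.request.urlopen, timeout=10):
    """Fetch the CRL at `url` and classify the result.

    `open_fn` defaults to urllib's urlopen; it is a parameter so the logic can
    be exercised offline with a stub standing in for a live distribution point.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "crl-check/1.0"})
    try:
        resp = open_fn(req, timeout=timeout)
    except urllib.error.HTTPError as e:
        # Connected, but the server refused: 401/403 mean the requesting account
        # (LocalSystem on an Exchange server) has no rights on the CDP.
        if e.code in (401, 403):
            return CrlCheck(ACCESS_RESTRICTED, f"HTTP {e.code}: grant read access on the CDP")
        return CrlCheck(HTTP_ERROR, f"HTTP {e.code} from distribution point")
    except urllib.error.URLError as e:
        # DNS failure, refused connection or timeout: the "cannot connect" case.
        return CrlCheck(UNREACHABLE, f"connection failed: {e.reason}")
    try:
        data = resp.read()
    finally:
        resp.close()
    # A DER-encoded CRL is an ASN.1 SEQUENCE and therefore starts with tag 0x30;
    # a PEM-encoded CRL starts with its BEGIN banner instead.
    if data.startswith(b"\x30") or data.startswith(b"-----BEGIN X509 CRL-----"):
        return CrlCheck(OK, "CRL downloaded", len(data))
    # Typically an HTML sign-in or error page served with status 200 in place of the CRL.
    return CrlCheck(NOT_A_CRL, "response body is not a CRL (sign-in page?)", len(data))
```

Pair an `access-restricted` result with the resolution below: the CRL is there, but the account retrieving it needs read access to the distribution point.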

Resolution

To resolve this issue, explicitly grant permission for the LocalSystem account of the user's Exchange server to access the CRL distribution point. One way to allow this access is by granting the Exchange Enterprise Servers group read access to the CRL distribution point.

An alternative resolution is to reconfigure the CRL distribution point so that it does not require authentication.

Before pursuing either resolution, however, you should consult your organization's security policy.