"Your Digital ID Name Cannot be Found"

rev michael · External Since: May 11, 2007 Posts: 5

"Your digital ID name cannot be found by the underlying security system".
This is the error message I continually receive whenever I try to send a
signed email.

I purchased and loaded a VeriSign Digital ID. All went well. Everything
seems to be in place where it should be. Loaded in IE and associated with
Outlook. This is all on my stand-alone home computer running a DSL connection.

Windows XP
IE7
SP2
Outlook 2003

I have written VeriSign abpout this error and have mostly received form
responses refering to help pages on their site. I have followed all the
advice and still no remedy.

Has anyone run into this issue and had it resolved, so that the Verisign ID
will work with signing outgoing email?

Any advice would be appreciated.

Michael

Brian Tillman · External Since: Mar 29, 2005 Posts: 20862

rev michael <revmichael DeleteThis @discussions.microsoft.com> wrote:

> "Your digital ID name cannot be found by the underlying security
> system". This is the error message I continually receive whenever I
> try to send a signed email.
>
> I purchased and loaded a VeriSign Digital ID. All went well.
> Everything
> seems to be in place where it should be. Loaded in IE and associated
> with Outlook. This is all on my stand-alone home computer running a
> DSL connection.

Describe the exact steps you took to load the ID and "associate" it with
Outlook.
--
Brian Tillman

rev michael · External Since: May 11, 2007 Posts: 5

"Brian Tillman" wrote:

> Describe the exact steps you took to load the ID and "associate" it with
> Outlook.
--
Brian Tillman

Brian -

Thank you for your response to my issue. As a novice to all this I will try
to do my best in explaining the steps taken and the error encountered.

Initial Purchase and Procedure:
* I purchased a VeriSign Digital ID, for the purpose of “signing” and
“encrypting” out-going email messages
* after the initial purchase process, I received an email from VeriSign with
Digital ID Pin #. I highlighted and copied this pin
* I then went to the VeriSign Digital ID Center, and pasted the pin in the
appropriate field and then submitted it for installation
* the installation process proceeded and a final message was received that
the VeriSign Digital ID had been properly installed in my system
* I went to IE7/Tools/Internet Options/Content/Certificates and assured that
my digital ID had been installed. It was listed there
* I then followed the instructions from the VeriSign “What Do You Do Next?”
page, and associated my new ID with my email program, which is Outlook 2003
* in Outlook I went to Tools/Options/Security tab
* I then chose my digital ID for “signing” emails. My digital ID was
properly listed in the choice list (it was the only one listed). I repeated
this for choosing my digital ID for “encrypting” emails
* theoretically, I should be all set to go at this point

The Error Encountered:
* I opened a new email message - wrote my message - chose my intended
recipients - then clicked the “sign” email button in my Outlook toolbar - and
then clicked on Send.
* after a long pause I then received the error message, “Your digital ID
name cannot be found by the underlying security system”

Steps Taken to Try to Correct The Error:
* I checked IE7 to assure that my certificate was still listed - it was
* I double-checked Outlook to assure that my cert was still chosen for
signing and encrypting - they were
* I have had many email exchanges with VeriSign ID support. Received back
mostly form letters stating that I had not followed instructions and
“associated” my ID with Outlook
* I have replaced the original certificate three times, but have continued
to encounter the exact same error issue
* the first time I replaced the original certificate, I simply went to the
appropriate VeriSign page - and selected replacement of certificate. I
followed the proper install/association steps, as outlined above. Still
encounter the same error message
* before the next two replacements, I first deleted my existing certificate
in IE7, and then checked Outlook to assure that the certificate was still not
listed. It was not. I then replaced the cert. Again all steps seemed to work
as they should. However, I still encountered the same error message.

Side Fact:
* Several months ago I had first downloaded and installed (using the above
mentioned steps) a “trial” version of the digital ID. It all worked great.
Whenever I used the feature, all went as it should, and I never encountered
any error messages of any kind. It has only been since an installation of a
full new certificate that this same error of “Your digital ID name cannot be
found by the underlying security system” keeps occurring.

As posted earlier, my OS and programs are:
* XP (w/the latest SP2)
* IE7
* Outlook 2003

I trust that these details may be somewhat helpful in attempts to resolve
this error issue. I certainly appreciate all the help I can received from
those more technical experts than myself.

Again, thank you in advance for all your assistance with this frustrating
problem.

Michael

Brian Tillman · External Since: Mar 29, 2005 Posts: 20862

rev michael <revmichael DeleteThis @discussions.microsoft.com> wrote:

> Initial Purchase and Procedure:
....snip...

That should be correct. One thing I'd like to to check, though. In
IE>Tools>Internet Options>Content>Certificates, select yuor certificate,
click Export, then Next. Make sure you have two radio buttons, one to
exporting the private key and one to not export it. Make sure they are both
active. (Were I you, I'd select the button to export the private key and
continue the export process so that I had a copy of my key in a file. I'd
also put a copy on a diskette and, perhaps, on a memory stick so that I had
a copy in case something were to happen to my PC.)

> The Error Encountered:
> * I opened a new email message - wrote my message - chose my intended
> recipients - then clicked the “sign” email button in my Outlook toolbar -
> and
> then clicked on Send.
> * after a long pause I then received the error message, “Your digital ID
> name cannot be found by the underlying security system”
....snip...
> Steps Taken to Try to Correct The Error:
....snip...
> Side Fact:
....snip...

Well, you've done everything I can think of with one exception: a new
WIndows user profile. A bit of overkill, perhaps, though. Sorry I can't be
more helpful.
--
Brian Tillman

rev michael · External Since: May 11, 2007 Posts: 5

Brian -

You have been very helpful, although the issue has not been rectified yet.

I followed your advice to export the newly replaced certificate (yes, I
tryied that again - a replacement cert). When doing so I found that the
export private key radio button was dimmed, and received the message that the
export wizard could not locate the private key. I am back with emails to
VeriSign to find out what is happening with the private key, and hope to hear
back from them tomorrow (5/16).

Based upon what I just shared, is there any explanations you can offer?

Thanks for hanging in there with me. Because of your suggestion I at least
might have another clue into the mystery.

Again, Thanks!

Michael

"Brian Tillman" wrote:

> rev michael <revmichael.DeleteThis@discussions.microsoft.com> wrote:
>
> > Initial Purchase and Procedure:
> ....snip...
>
> That should be correct. One thing I'd like to to check, though. In
> IE>Tools>Internet Options>Content>Certificates, select yuor certificate,
> click Export, then Next. Make sure you have two radio buttons, one to
> exporting the private key and one to not export it. Make sure they are both
> active. (Were I you, I'd select the button to export the private key and
> continue the export process so that I had a copy of my key in a file. I'd
> also put a copy on a diskette and, perhaps, on a memory stick so that I had
> a copy in case something were to happen to my PC.)
>
> > The Error Encountered:
> > * I opened a new email message - wrote my message - chose my intended
> > recipients - then clicked the “sign” email button in my Outlook toolbar -
> > and
> > then clicked on Send.
> > * after a long pause I then received the error message, “Your digital ID
> > name cannot be found by the underlying security system”
> ....snip...
> > Steps Taken to Try to Correct The Error:
> ....snip...
> > Side Fact:
> ....snip...
>
> Well, you've done everything I can think of with one exception: a new
> WIndows user profile. A bit of overkill, perhaps, though. Sorry I can't be
> more helpful.
> --
> Brian Tillman
>
>

Brian Tillman · External Since: Mar 29, 2005 Posts: 20862

rev michael <revmichael.DeleteThis@discussions.microsoft.com> wrote:

> I followed your advice to export the newly replaced certificate (yes,
> I tryied that again - a replacement cert). When doing so I found that
> the export private key radio button was dimmed, and received the
> message that the export wizard could not locate the private key. I am
> back with emails to VeriSign to find out what is happening with the
> private key, and hope to hear back from them tomorrow (5/16).

That's a sign that your certificate was damaged somehow and could very well
account for the error.
--
Brian Tillman

rev michael · External Since: May 11, 2007 Posts: 5

Brian -

Well, I emailed VeriSign and advised them of the damaged certificate with
missing private key. Their reply was:

"Unfortunately, VeriSign only issues the license or certificate. If you are
having issues with the certificate with your mail software, please contact
you mail software vendor directly."

In short it seems that they claim that the cert, which I have replaced
several times now, is not damaged, and that it is only my system that is
screwing the process up. I have followed their directions to the "T", and
have associated the cert according to their specifications. I don't see where
I am going wrong here. Yet, everytime I try to export my installed cert to
another safe place, as you suggested, the wizard tells me that it cannot find
the private key.

Can it be that my Outlook 2003 only is causing the problem? I find that hard
to believe, since the wizard cannot find the private key even "before" I
associate it with Outlook.

Any other suggestions, or is this just a lost cause?

Thanks for the help. It is appreciated.

Michael

"Brian Tillman" wrote:

> rev michael <revmichael DeleteThis @discussions.microsoft.com> wrote:
>
> > I followed your advice to export the newly replaced certificate (yes,
> > I tryied that again - a replacement cert). When doing so I found that
> > the export private key radio button was dimmed, and received the
> > message that the export wizard could not locate the private key. I am
> > back with emails to VeriSign to find out what is happening with the
> > private key, and hope to hear back from them tomorrow (5/16).
>
> That's a sign that your certificate was damaged somehow and could very well
> account for the error.
> --
> Brian Tillman
>
>

rev michael · External Since: May 11, 2007 Posts: 5

Brian -

I don't know what to think. As another course of action, I subscribed to a
didgital id from another source, other than VeriSign, and received the exact
same results, when installing/associating.

Maybe it is some setting in my IE7, that does not allow in import of the
private key with the cert.

Michael

Brian Tillman · External Since: Mar 29, 2005 Posts: 20862

rev michael <revmichael RemoveThis @discussions.microsoft.com> wrote:

> I don't know what to think. As another course of action, I subscribed
> to a didgital id from another source, other than VeriSign, and
> received the exact same results, when installing/associating.
>
> Maybe it is some setting in my IE7, that does not allow in import of
> the private key with the cert.

We get certs from VeriSign and all allow the exportation of the private key,
except for those who decided not to back up their certs as I told them to
when they requested one, and then changed their PC or user account and
wonder why they can't read encrupted mail any more. I use IE7 and don't
have the problem you describe.

While I don't understand the underlying data structures of the crytpo store
IE uses, may things can go wrong. With about 150 people here having
certificates, I've run into a lot of them. Unless you have your own PKI
infrastructure with private key recovery, certs tend to be fragile, at least
in my opinion. Your symptoms sound to me like a damaged WIndows user
profile. Is there any way you could try this with a new Windows user? You
might have to get a new cert to test or, perhaps, try to download it again
from VeriSign. Thawte provides free mail certs for personal use, I believe,
and you could test with one of those.
--
Brian Tillman

davesouthnj · Joined: Aug 01, 2007 Posts: 1

I had exactly the same problem, but I did manage to find a fix. I just sent a message to Verisign about this. Since it might help you, here is what I said to Versign:

I have been trying to install digital id's for several users here on our Microsoft Exchange system. All of the users are running Outlook 2003. About half of them installed with no problem. The others all had the following problems:

1. When you try to send a message with a digital id or encryption, you get the following message: “Your digital ID name cannot be found by the underlying security system.”

2. You cannot publish to the Exchange Global Address List or export your private key.

While trying to run down this problem, I came across your solution vs38439. Basically, it suggested changing access to the key container file in the folder "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys". That was not exactly the right solution, but at least it got me in the right ball park. I found that for the users having this problem, the key container file was not being installed under "All Users". Instead it was being installed in the folder "%SystemDrive%\Documents and Settings\<UserName>\Application Data\Microsoft\Crypto\RSA\" where <UserName> is the system login for the user. Once I realized this fact, I only had to fix the rights on the key container file and copy it to the folder "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" and then everything works correctly.

brianclark44 · Joined: Nov 01, 2007 Posts: 1

I had this same problem, but using Thawte's Freemail digital certificates. (Thawte is owned by Verisign). The procedure that davesouthnj suggested got me looking at this stuff, and I figured it out from there.

The problem seems to be that Thawte's certificate installer ActiveX control (and presumably Verisign's as well) puts the key container file into the "%SystemDrive%\Documents and Settings\<UserName>\Application Data\Microsoft\Crypto\RSA\" with NO permissions on it whatsoever. When I noticed that, I modified the properties of the file to include READ as well as READ & EXECUTE permissions on the file for my userid only. Then I re-launched Outlook and ran through the whole digital signing setup process again (as described in this thread), and then it worked!

Note that I don't think that davesouthnj's solution is a good one, because you do not want "all users" to have access to your digital certs. That is counter-productive to improving the security of your email.

Brian