Outlook 2013 fails randomly to find recipient at GAL when connected via Exchange Anywhere from different forest

Hello all,

The summary could be: Outlook 2013 fails randomly to find recipient at GAL when connected via Exchange Anywhere from different forest. 

Details:

Computers joined to Forest A consume Exchange Anywhere from Exchange servers through the Internet, where the Exchange servers are joined to Forest B. No trust relationship between the forests. 

When sending encrypted emails, around 70% of the time Outlook is able to send the email, getting the public key of the recipient from the GAL, but around 30% of the time the mail cannot be sent and fails with an error, even though before or later (after restarting Outlook) it is able to send to this recipient.

"Microsoft Outlook had problems encrypting this message because the following recipients had missing or invalid certificates, or conflicting or unsupported encryption capabilities"

After some troubleshooting with Process Monitor I noticed that at the moment of sending the encrypted mail, Outlook waits a few seconds and in the background a few LDAP connections are established to a Forest A domain controller. 

I reproduced this on a third computer joined to Forest C: LDAP connections are also established to the DC of Forest C, but there it worked in all my tests, and the connection is also made through the Internet with Exchange Anywhere.

Has anyone experienced this problem? 

Can I avoid those LDAP connections to the DCs somehow?

April 7th, 2015 2:45pm

After deeper research using ProcMon and a sniffer, I found that the LDAP connections are actually CRL checks of the encryption certificates, whose CRLs are currently only published on LDAP.

The following articles helped me understand it:

  • Certificate Revocation List (CRL) Verification - an Application Choice ->  http://social.technet.microsoft.com/wiki/contents/articles/964.certificate-revocation-list-crl-verification-an-application-choice.aspx
  • Set consistent Outlook 2007 cryptography options for an organization -> https://technet.microsoft.com/en-us/library/cc179034%28v=office.12%29.aspx

But for my scenario (Outlook 2013) the proper registry key was found here - http://www.stigviewer.com/stig/microsoft_outlook_2013/2014-01-06/finding/V-17778

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security
Criteria: If the value UseCRLChasing is REG_DWORD = 0 CRL is not checked

Of course, ignoring the CRL is a security flaw; I just need to implement an online responder and update the certs with a proper CRL.


April 10th, 2015 3:18pm
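As an added example (not code from the thread or from Microsoft), the following PowerShell script audits the two things the post identifies on an affected client: whether the Outlook 2013 policy value UseCRLChasing under HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security is set to 0 (CRL checking disabled, which the post rightly calls a security flaw), and which certificates in a store have CRL Distribution Points reachable only over LDAP, which is exactly what cannot be resolved from a client in an untrusted forest. The store path is an assumption (it defaults to the current user's Personal store); the policy path and value name come from the post.

```powershell
# Added example: audit Outlook CRL policy and find LDAP-only CRL Distribution Points.
# Assumptions: Outlook 2013 (Office 15.0) policy path as given in the thread;
# $StorePath is an assumption and can be pointed at any certificate store.
param(
    [string]$StorePath = 'Cert:\CurrentUser\My'
)

$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\15.0\outlook\security'
$valueName = 'UseCRLChasing'

function Get-OutlookCrlPolicy {
    # Returns whether the policy value exists, its value, and whether it disables CRL checking.
    $props = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return [pscustomobject]@{ Present = $false; Value = $null; Disabled = $false }
    }
    $value = [int]$props.$valueName
    return [pscustomobject]@{ Present = $true; Value = $value; Disabled = ($value -eq 0) }
}

function Get-CrlDistributionPoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it
    # as multi-line text with "URL=..." entries, which are extracted with a regex.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($null -eq $ext) { return @() }
    $text = $ext.Format($true)
    return @([regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })
}

function Test-LdapOnlyCdp {
    param([string[]]$Urls)
    # True when the certificate has at least one CDP and none of them is HTTP(S).
    # From a machine outside the issuing forest an LDAP CDP is unreachable, so the
    # revocation check can only fail or time out, which matches the intermittent error.
    if ($Urls.Count -eq 0) { return $false }
    $http = @($Urls | Where-Object { $_ -match '^https?://' })
    return ($http.Count -eq 0)
}

# 1. Policy audit: CRL checking must stay enabled; fix the CDPs instead.
$policy = Get-OutlookCrlPolicy
if ($policy.Disabled) {
    Write-Warning "UseCRLChasing=0 under $policyKey : Outlook will not check CRLs, so revoked certificates are accepted."
} elseif (-not $policy.Present) {
    Write-Output "No UseCRLChasing policy value set; Outlook uses its default CRL behaviour."
} else {
    Write-Output "UseCRLChasing=$($policy.Value): CRL checking enabled by policy."
}

# 2. Certificate audit: list certificates whose CRL can only be fetched over LDAP.
Get-ChildItem -Path $StorePath | ForEach-Object {
    $urls = Get-CrlDistributionPoints -Certificate $_
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        CdpUrls    = ($urls -join '; ')
        LdapOnly   = Test-LdapOnlyCdp -Urls $urls
    }
} | Where-Object { $_.LdapOnly } | Format-Table -AutoSize
```

Run it on a client that shows the error; any certificate listed with LdapOnly = True is one whose CRL cannot be fetched from outside the issuing forest, and the fix belongs on the CA side (publish the CRL over HTTP or stand up an online responder, as the post concludes) rather than in the UseCRLChasing value. For a single certificate file, `certutil -verify -urlfetch <file.cer>` performs the same revocation fetch with verbose output and is a useful cross-check.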

Hi,

According to your description, I understand that sending a message always fails with the error "Microsoft Outlook had problems encrypting this message because the following recipients had missing or invalid certificates, or conflicting or unsupported encryption capabilities".
If I misunderstand your concern, please do not hesitate to let me know.

This error may be caused by the Outlook client being unable to connect to AD to get the certificate and encrypt the message; for your reference:
https://social.technet.microsoft.com/Forums/en-US/05a68d64-d941-4b8c-af0c-19f9aeed9dec/exchange-2007-encryption-outlook-anywhere-users?forum=exchangesvrsecuremessaginglegacy

Thus, if you want to send an encrypted mail, please update the Default Address Book after a new user applies for a certificate.
Organization Configuration --> Mailbox --> Offline Address Book --> Default Address Book --> right click --> Update
After that, you can run the cmdlet Update-FileDistributionService -Identity servername -Type "OAB" to copy the OAB from the Mailbox server to the CAS server. Please check whether there is an event ID 1008 in the Application event log.

Thanks

April 13th, 2015 5:43am
