U.S. Department of Health and Human Services

The Office of the Chief Information Officer

Solving Outlook Encryption Problems

Sending Encrypted Email

If you are having problems sending encrypted email through Outlook and encountered an Encryption Problems pop-up error message (image below) please take the following steps to diagnose the problem.

Outlook Encryption Problems pop-up error message

Examine the name/email address in the To... field of the Outlook message box.
If you see a plus symbol [+] in front of the name, you are sending to a Distribution List (DL). See instructions below for how to send encrypted email to a DL.
Double click on the recipient's name/email address in the To... field.
When the recipient information pop-up appears, click on open contact or Add to Contacts.
If you do not see the pop-up or contact options, your recipient does not have a digital certificate.
When the Contact information window appears, click on Certificates.
Your recipient's certificates are listed in the Certificates (Digital IDs) field.

If the Certificates (Digital IDs) field shows a single certificate, the problem could be a result of outdated contact information or old certificates in your auto-complete cache both described below.

If the Certificates (Digital IDs) field lists multiple certificate, the problem could be caused by the two issues noted above (outdated contact information or auto-complete cache) or it could be due to having multiple certificates published in the Global Access List (GAL), as described below.

If the Certificates (Digital IDs) field is empty (blank) then your receipent either has no certificates or has not shared them with you (see instructions for sharing digital certificates).

You can still send encrypted email to someone who does not have digital certificates by using the Secure Email/File Transfer Service.

Sending encrypted Email to a distribution list

NIH users cannot receive encrypted email through global email Distribution Lists (DL). Encryption requires that both parties, sender and receiver, have valid digital certificates. DLs do not receive encrypted email because they do not have digital certificates.

To send encrypted email to each recipients' individual mailbox:

In the To... field of the Outlook message box, click on the [+] plus symbol in front of the DL name.
When the Expand List pop-up message appears, click OK.
Now click Send to send the message.

How to update your local contacts list

If you are sending an encrypted email to someone who recently replaced their PIV card (HHS ID Badge) or renewed their certificates, your contact information for them is probably out-of date.

To update your contact information, from the Outlook Home Window:

Click on Address Book
Search for the recipient in the Global Address List (not in contacts).
Double click on the recipient's name.
When the information window appears, click Add to Contacts.
Click on Certificates to view the recipient's certificates.
If more than one certificate is listed in the Certificates (Digital IDs) field, select and Remove the certificates not labeled (Default).
Click Save & Close. If the Duplicate Contact Detected pop-up appears, click Update.

If you are sending encrypted email to someone who is not in the GAL (i.e., is outside of NIH), have them send you a digitally signed email and then update your contacts list by double clicking their name in their email's From: field. See sharing digital certificates for more information.

Clear the Outlook Auto-Complete Cache

If you type the recipient's name/email address directly in the To... field, Outlook's auto-complete feature may have saved (cached) outdated certificate information for that individual. Please refer to the NIH IT Knowledge Base articles for instructions on how to clear the auto-complete cache.

Sending encrypted Email to someone with multiple certificates in the GAL

If you are sending encrypted email to someone who has multiple certificates listed in the GAL, Outlook may be selecting the wrong certificate (i.e., a certificate other than the default certificate). The easiest way to solve this problem is to add that individual to your local contacts list by following the instructions provided above. Please be sure to delete all but the default certificate before you save the entry to your contacts.

You should also ask the recipient to fix the problem with their GAL entry.

Reading Encrypted Email

If you are trying to read an encrypted email and you see the following Microsoft Outlook pop-up error message:

Digital ID not found pop-up error message

The most likely reason is that the email was encrypted with an older certificate for which you no longer have the corresponding private key. Please refer to the NIH IT Knowledge Base article for instructions on how to recover prior encryption certificate keys.

This error also occurs when the email was sent to you as part of a group email (i.e., multiple recipients) and the sender did not have a valid certificate for you (see problems with sending encrypted email above). If this is the case, the only solution is to follow the steps below to fix the problem and then ask the sender to resend the email to you.

A person may not be able to send you an encrypted email if:

You were just issued your first PIV card (HHS ID Badge) and you did not configure your applications to use the certificates on your badge.
You just renewed your PIV card or certificates and you did not re-configure your applications to use your new certificates.
You have multiple certificates published to the GAL (See instructions below for removing them). To examine your GAL entry, follow steps 1 - 5 above to add yourself to your contacts list, but do not save the entry.

Clearing multiple certificates in the GAL

To remove multiple certificate entries in the GAL:

Remove your PIV card (HHS ID Badge) from the smart card reader.
Bring up Outlook's Change Security Settings window by following steps 1 - 4 of the How to Configure Microsoft Outlook to use certificates NIH IT Knowledge Base article.
In the Change Security Settings window click on the Delete button. If necessary, repeat until the Security Settings Name: field is empty.
Click OK to close the Change Security Settings window.
In the Trust Center window click Publish to GAL....
When the There are no valid security settings to publish. Would you like to remove your previously published settings? message appears, click Yes.
Then click OK until you return to the main Outlook window.
Re-insert your PIV card into the smart card reader.
Now follow all the steps in the NIH IT Knowledge Base article on How to Configure Microsoft Outlook to use certificates to publish your most current encryption certificate to the GAL.

Information and Assistance

For additional information, search the NIH IT Knowledge Base for tutorials, instruction sheets and user guides or refer to the appropriate How-To Guide.

For questions or user support, please contact the NIH IT Service Desk.