SYMPTOMS
After configuring an SSL certificate to use, mail clients are not able to access mail services over SSL, and the port configured for SSL accepts non-SSL connections.
CAUSE
When MailEnable is installed, various mail service accounts are changed to run under the IME_SYSTEM identity. The IME_SYSTEM account therefore requires access to the Windows Certificate Repository for SSL to function.
RESOLUTION
Instructions for granting the IME_SYSTEM user access to the relevant certificate follow:
For Windows 2008 or later servers:
1. Use the regedit utility to ensure IME_SYSTEM is granted full access to the following branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
2. From the Start menu or a command prompt, type mmc.exe. In the management console that appears, select the File->Add/Remove Snap-in menu and add the Certificates snap-in for the Local Computer account.
3. Expand the Personal->Certificates branch to list your certificates. Right-click the certificate you are going to use and select All Tasks->Manage Private Keys.
4. Give the IME_SYSTEM Windows user full control permissions on the certificate.
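The following PowerShell script is an added example, not MailEnable's own tooling. It reports whether IME_SYSTEM holds full control on the certificate's private key file and on the SystemCertificates registry branch from steps 1 to 4, and grants the key permission only when run with -Grant. It assumes PowerShell 5.1 with .NET Framework 4.6 or later, an RSA key, and a certificate whose subject contains "MailEnable"; the parameter and function names are hypothetical.

```powershell
# Added example, not MailEnable's own code. Run from an elevated prompt.
# Assumptions: PowerShell 5.1 with .NET Framework 4.6+, an RSA key, and a
# certificate whose subject contains "MailEnable" (the article's example name).
param(
    [string]$SubjectMatch = 'MailEnable',
    [string]$Account      = 'IME_SYSTEM',
    [switch]$Grant        # without -Grant the script only reports
)
# Resolve the account to a SID so ACL entries compare reliably.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# True when an Allow/FullControl entry names the account itself.
# Access that comes only through group membership is not evaluated.
function Test-FullControl($Path) {
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        "$($_.FileSystemRights)$($_.RegistryRights)" -match 'FullControl' })
}

# Step 3: find the certificate in Local Computer -> Personal.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches '$SubjectMatch'." }

# Locate the key file; CNG and legacy CSP keys live in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
else { $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
               "$env:ProgramData\Microsoft\Crypto\Keys" -Filter $keyName -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' was not found." }

# Step 4: grant full control on the private key if it is missing.
if ($Grant -and -not (Test-FullControl $keyFile.FullName)) {
    $acl  = Get-Acl -Path $keyFile.FullName
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
}
# Report the state of both permissions the article requires.
[pscustomobject]@{
    Thumbprint          = $cert.Thumbprint
    KeyFile             = $keyFile.FullName
    KeyFullControl      = (Test-FullControl $keyFile.FullName)
    RegistryFullControl = (Test-FullControl 'HKLM:\SOFTWARE\Microsoft\SystemCertificates')
}
```

Running it without -Grant before and after the manual steps confirms that both permissions are in place.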
For Windows 2000 and Windows 2003 servers:
1. Use the RegEdt32 utility to ensure IME_SYSTEM is granted full access to the following branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
2. Download the following utility from the Microsoft Web Site:
3. Open the Windows command prompt and navigate to the location of the installed utility. This is usually C:\Program Files\Windows Resource Kits\Tools
4. List the accounts that have access to the private key using the following command:
winhttpcertcfg -l -c LOCAL_MACHINE\My -s {certificate_name}
Example (assuming certificate named MailEnable):
winhttpcertcfg -l -c LOCAL_MACHINE\My -s MailEnable
5. To grant access to the IME_SYSTEM account, run the following command:
winhttpcertcfg -g -c LOCAL_MACHINE\My -s {certificate_name} -a IME_SYSTEM
Example (assuming certificate named MailEnable):
winhttpcertcfg -g -c LOCAL_MACHINE\My -s MailEnable -a IME_SYSTEM
Product: MailEnable (Pro-Any Ent-Any)
Category: Configuration
Article: ME020479
Module: General
Keywords: ssl,lockdown,lock,down,utility,clients,access,secure,sockets,layer,IME_SYSTEM
Class: PRB: Product Problem or Issue
Revised: Wednesday, May 4, 2016
Author: MailEnable
Publisher: MailEnable