SYMPTOMS

After configuring an SSL certificate to use, mail clients are not able to access mail services over SSL, and the port configured for SSL accepts non-SSL connections.

CAUSE

RESOLUTION

Instructions for granting the IME_SYSTEM user access to the relevant certificate follow:

For Windows 2008 or later servers:

1. Use the regedit utility to ensure IME_SYSTEM is granted full access to the following branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

2. From the Start menu or a command prompt, type mmc.exe. In the management console that appears, select the File->Add/Remove Snap-in menu and add the Certificates snap-in for the Local Computer account.

3. Expand the Personal->Certificates branch to list your certificates. Right click the certificate you are going to use and select All Tasks->Manage Private Keys.

4. Give the IME_SYSTEM Windows user full control permissions on the certificate.

For Windows 2000 and Windows 2003 servers:

1. Use the RegEdt32 utility to ensure IME_SYSTEM is granted full access to the following branch:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

2. Download the following utility from the Microsoft Web Site:

http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en

3. From the Windows command prompt and navigate to the location of the installed utility.This is usually C:\Program Files\Windows Resource Kits\Tools

4. List the accounts that have access to the private key using the following command:

winhttpcertcfg -l -c LOCAL_MACHINE\My -s {certificate_name}

Example (assuming certificate named MailEnable):

winhttpcertcfg -l -c LOCAL_MACHINE\My -s MailEnable

5. To grant access to the IME_SYSTEM account, run the following command:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s {certificate_name} -a IME_SYSTEM

Example (assuming certificate named MailEnable):

winhttpcertcfg -g -c LOCAL_MACHINE\My -s MailEnable -a IME_SYSTEM