XADM: Client Cannot Enroll in Exchange Server 5.0 Key Management Server (198709)
The information in this article applies to:
- Microsoft Exchange Server 5.0
This article was previously published under Q198709 SYMPTOMS
The user cannot enroll in Exchange Server 5.0 Key Management Server (KMS) after security is revoked.
If a user is enabled to participate in advanced security, and does not enroll on the client side before the administrator revokes that user, the user will never be able to enroll. The user will be unable to enroll in advanced security, even after the administrator recovers the keys.
CAUSE
The problem is that the .ini file that contains the user's keys is missing the NumSCerts component and gets marked as being in the "Recovery" state, when in fact the record should be in the "New" state.
WORKAROUND
On the KMS, the security database is a collection of .ini files. The files are located in the Security\Mgrent\Clients folder and look like Mxclfr4zqvktn.ini. To find the correct .ini file for the mailbox, use Global Regular Expression Print (GREP, a POSIX-based tool included in the Windows NT Resource Kit) or a utility similar to it. The file needs to have the "State = 4" changed to "State = 1". This will set the record back to the "Undefined" state. The user's mailbox will then be able to "Enable," and the user should be allowed to fully enroll in the KMS.
Upgrading to Exchange 5.5
The software that upgrades the KMS database is able to handle this issue. Once the upgrade has taken place, recover the mailbox, and the user will be able to fully enroll.
| Modification Type: | Minor | Last Reviewed: | 4/21/2005 |
|---|
| Keywords: | kbnofix kbprb KB198709 |
|---|
|