
Is there a reason to "Publish to GAL" ?


  • Is there a reason to "Publish to GAL" ?

    Since there is no need to have certificates that are authenticated all the way up the line to Thawte or Verisign, I'm running my own internal CA for an accounting firm. (The few customers who need to trust the root CA (issued by me) can install the Root CA certificate.)

    I have logged on and issued a user certificate to each user on our Citrix server (I wanted to log them all on individually anyway for other reasons).

    I installed each certificate for each user, then did 2 exports - 1 with the private key and 1 without, just for the fun of it and so I can have copies immediately available. I started and configured Outlook for each user, and under the Security tab clicked on Settings (which for each user automatically configured the right settings) and then OK.

    Everything is perfect so far. No problems or errors.

    Here comes the question - down at the bottom of the Security tab there is a button to "Publish to GAL . . ."

    From what I have read, this is supposed to publish certificates to the Active Directory so as to be "available" from the server. It is supposed to Publish to 2 locations in the Active Directory. But according to Microsoft, there can be potential problems if you have differing certificates in the 2 AD locations.

    Exactly what good does it do to "Publish" certificates to AD? Is there a compelling reason to do so, or not to do so?

    After trying to Publish my own certificate to the GAL, I see no change at all in the Active Directory listing for me, or any change in the Global Address List either. What am I supposed to see?

    Does each certificate for each user need to be installed or available on the server for OWA? (I don't think so, but just asking)

    Other than manually going to each local user workstation and importing the certificate for that user, then configuring Outlook Security Settings, is there an easy way to deploy and install their certificates to their desktops?

  • #2
    Unable to publish to GAL - answering my own questions

    Maybe I just like the sound of my own keyboard, but since I found something I didn't know before I thought I would post it.

    It wasn't easy to find, even in a google search, but there IS a solution to the problem of users being unable to publish their security certificates to the GAL in Exchange.

    Here's the poop. It's a rights issue. You can do it when logged on as an Admin, but not as a rank-and-file user. But rather than promote each user to be an Admin, you can give the user the rights to do so.

    Here's the rub - you have to do it one user at a time in the Active Directory. You can't just grant the right to a group (as far as I can tell).


    First thing to do is log on to the server as an Admin, then open Active Directory. Next click on View and put a check next to Advanced Features (if there isn't one already).

    Now that you have Advanced Features turned on, the Properties page for each user has a Security Tab showing. Click on it and slide all the way down in the upper window till you see SELF - highlight it. In the lower window scroll all the way down till you see WRITE PERSONAL INFORMATION - put a check mark in the Allow box next to it.

    Now your user can export his certificate to the GAL without the error.


    I found out there IS indeed a good reason to Publish to the GAL. It makes it so (in OWA) you can receive mail encrypted to you and sign outgoing mail. Of course you need the OTHER guy's Public Key in order to encrypt outgoing mail to him or verify a signature on a message from him to you.


    There IS a change in Active Directory when you publish a certificate, but you don't see the change (or the Published certificates tab) unless you have the Advanced features enabled as described above.


    There IS a way to add certificates to the Published Certificates store within Active Directory - just by clicking on the Add From File button at the bottom of the tab, but since you can add the certificates to IE on the users workstation, to Outlook, and publish to the GAL - all from within the Outlook Options - why bother?


    Hope this helps if you've been having this problem.
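The permission change described in post #2 (SELF gets "Write Personal Information" on each user object, one user at a time) can be applied and verified from PowerShell instead of clicking through ADUC for every account. This is an added example, not code from the poster; it assumes the RSAT ActiveDirectory module, a domain-admin session, and a placeholder OU DN, and it looks up the property-set GUID from the Extended-Rights container rather than hard-coding it.

```powershell
# Added example: grant NT AUTHORITY\SELF "Write Personal Information" on every
# user in one OU, the same ACE post #2 sets by hand, and skip users who already have it.
# Assumptions: RSAT ActiveDirectory module present, run as a domain admin, OU is a placeholder.
Import-Module ActiveDirectory

$ou = 'OU=Staff,DC=example,DC=com'   # placeholder, replace with the real OU

# Resolve the "Personal Information" property set GUID from the schema's
# Extended-Rights container instead of trusting a hard-coded value.
$rootDse = Get-ADRootDSE
$propSet = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Personal Information))' `
    -Properties rightsGuid
if (-not $propSet) { throw 'Personal Information property set not found in Extended-Rights' }
$guid = [guid]$propSet.rightsGuid

# S-1-5-10 is the well-known SID for NT AUTHORITY\SELF
$self = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-10')
$ace  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $self,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $guid)

foreach ($user in Get-ADUser -SearchBase $ou -Filter *) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Check for an existing Allow WriteProperty ACE for SELF on this property set
    $already = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.ObjectType -eq $guid -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
    }
    if ($already) { "$($user.SamAccountName): already granted"; continue }

    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    "$($user.SamAccountName): granted"
}
```

Run it once against a test OU first; the output lists each account and whether the ACE was added or was already present, which doubles as an audit of who can already write that property set on their own object.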


    • #3
      Re: Is there a reason to "Publish to GAL" ?

      As you said yourself, publishing digital certs to the AD is done automatically and is useful for various scenarios like using smart cards and encrypting email with S/MIME.

      Daniel Petri
      Microsoft Most Valuable Professional - Active Directory Directory Services