Troubleshooter: Addressing an Exchange 5.5 KMS Error

We want to use Exchange Server 5.5 Key Management Server (KMS) in a mixed Exchange 2000 Server/Exchange 5.5 environment. However, Outlook users who click the Get a Digital ID button never see the dialog box to enroll in Exchange security, even after the KMS administrator has enrolled them. What's causing the problem?

This problem isn't uncommon. An attribute in the Exchange 5.5 site directory specifies the distinguished name (DN) of the KMS for that site. When you install the first Exchange 2000 server, the installer populates the kMServer attribute in Active Directory (AD) with the contents of that Exchange 5.5 value. Although the result should be the correct KMS name, the installer sometimes places the wrong value in the kMServer attribute. Outlook 2000 and later query for the presence of a KMS to decide whether to offer the user the chance to enroll in Exchange security, so if the kMServer attribute is wrong, the user is sent straight to the third-party Certificate Authority (CA) enrollment page instead. To correct the problem, use ADSI Edit to change the kMServer attribute's value, which you can find in AD under CN=Encryption, CN=Advanced Security, CN=YourAdministrativeGroup, CN=Administrative Groups, CN=YourOrganization, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=YourDomain, DC=com. For more details, see the Microsoft article "XADM: You Cannot Enroll In Exchange Server Security When You Click 'Get a Digital ID' in Outlook" (
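The same check and repair can be scripted instead of done by hand in ADSI Edit, which is useful when you want to verify the attribute on every administrative group before users report the symptom. The following PowerShell script is an added example, not code from the original article or from Microsoft; it binds to the Encryption container through the same ADSI LDAP provider that ADSI Edit uses. The DN path follows the article, but YourAdministrativeGroup, YourOrganization, DC=YourDomain,DC=com and the expected KMS DN (KMS-SERVER-DN-PLACEHOLDER) are placeholders you must replace with the values from your own Exchange 5.5 site.

```powershell
# Added example (not from the original article): audit the kMServer attribute on
# the Encryption container and, with -Fix, write the correct KMS DN back to AD.
# The DN components below and the expected KMS value are placeholders (assumptions);
# substitute the administrative group, organization, domain and the KMS DN that the
# Exchange 5.5 site directory actually holds.
param(
    [string]$EncryptionDn = "CN=Encryption,CN=Advanced Security,CN=YourAdministrativeGroup,CN=Administrative Groups,CN=YourOrganization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YourDomain,DC=com",
    [string]$ExpectedKms  = "CN=KMS-SERVER-DN-PLACEHOLDER",   # hypothetical expected value
    [switch]$Fix
)

# Bind to the Encryption container with the ADSI LDAP provider (same data ADSI Edit shows).
$entry = [ADSI]("LDAP://" + $EncryptionDn)

# Read the current kMServer value; an unset attribute comes back as $null.
$current = $entry.Properties["kMServer"].Value
Write-Host "Container : $EncryptionDn"
Write-Host "kMServer  : $current"

if ($current -eq $ExpectedKms) {
    Write-Host "kMServer already points at the expected KMS; nothing to change."
}
elseif ($Fix) {
    # Writing to the Configuration naming context needs rights on that container,
    # so run this under the account you would use for ADSI Edit.
    $entry.Put("kMServer", $ExpectedKms)
    $entry.SetInfo()
    Write-Host "kMServer updated to: $ExpectedKms"
}
else {
    Write-Warning "kMServer does not match the expected KMS DN. Re-run with -Fix to correct it."
}
```

Run it once without -Fix to see what the installer actually wrote, confirm the expected DN against the Exchange 5.5 site's KMS entry, and only then re-run with -Fix. After the change, have an affected Outlook user click Get a Digital ID again; the Exchange security enrollment dialog should now appear instead of the third-party CA page.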

TAGS: Security