The Case of the Disappearing ‘Publish To GAL’ Button
While planning a rebranding effort for a client as part of a massive divestiture, we looked at how the end-user S/MIME certs would get handled once their workstations were migrated to a new forest/domain. Outlook has a nice feature built-in to publish existing certificates to the GAL. This makes it easy for users to send encrypted messages to coworkers without having to first send a digitally signed message back and forth. This is quite important to this particular client due to trade secrets and regulatory compliance.
To see the button, open Outlook, go to the Backstage, then Options>Trust Center>Trust Center Settings>E-mail Security. You can see the Publish to GAL button:
The button is visible regardless of whether the user actually has a certificate installed.
However, some users were not seeing the button, as seen below:
It turns out that in Outlook 2010, if a user has multiple MAPI accounts configured in the same Outlook profile, the button erroneously disappears. Support for multiple MAPI accounts is a key feature in Outlook 2010, and is really handy for people who want access to different accounts, say for administrative use, or for work and private email accounts. Outlook even supports having dedicated S/MIME certificates for each account.
I reported the issue to Microsoft, and a bug report has been created. Hopefully, this will be resolved with a hotfix soon. This isn’t the only issue I’ve found with multiple email accounts in Outlook 2010. The archiving feature takes messages from ALL of the accounts, and puts them in the SAME archive .pst file. Not good.
I’ve run into an issue with multiple Exchange accounts; you can’t edit distribution group membership.
Did you receive a bug reference that we can refer to when we contact Microsoft?
Not according to my notes. I reported it internally.
Same problem here. Thanks for pointing out the issue. We are slowly rolling out PKI to the users and I’ve noticed an uptick in missing “publish to GAL” buttons. I’ve read it can be due to corrupt certificates but it was proven to not be the case here. And from your comment, it appears it would never be the case, because the button is still present for users without certificates.
I guess the work around for now is to remove the other mail accounts, publish to GAL, then add the secondary mail accounts back to their profile.
We are getting this in our org. too, when people add functional mailboxes to their profile. Is there a work-around – to publish the certificate?
Hi, we are also facing the same problem. As a work-around you can create a new profile with just the one account for which you want to publish the certificate, start Outlook with that newly created profile, publish to GAL, remove this profile and start with the former profile again. Hope MS will release a hotfix soon…
Thanks for the suggestion!
My oh my, thank you for this post; I’ll keep the remaining half of my hair…
Note to anyone else looking at this old thread, MS is obviously too busy to care, Outlook 2013 64 bit and 32 bit (v15.0.4481.1508) versions STILL have this and other issues with multiple MAPI accounts in a single profile.
Thank you, this still isn’t fixed and your workaround is the solution
Jan 2014 – and this is still an issue.
Outlook 2010 – File, Account Settings, Account Settings, E-mail tab – Remove any extra mailfiles except the users. Publish to GAL button will now come up.
But that’s not a workable solution. Each account will have a separate email file, as well as another file for any archives. You can’t just arbitrarily remove those files.
Any update on this? Is this fixed in 2013? Is there a hotfix for 2010?
I think I got a manual workaround, these steps worked for me:
1. Navigate to the properties of the user’s Active-Directory-Object
2. Tab *Published certificates*: Import the certificate (You might need to export it in the correct file format prior to that)
3. Tab *Attribute Editor*: Copy the value from “userCertificate” to “userSMIMEcertificate”
4. Run these two commands in the exchange management shell:
– Update-GlobalAddressList -Identity “”
– Update-OfflineAddressBook -Identity “”
(You can get the identities via Get-GlobalAddressList / Get-OfflineAddressBook)
After telling my Outlook to update its offline address book, I was able to send the user an S/MIME-encrypted mail.
(I hope I got the translations right, I’m using a German OS)
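Step 3 of the workaround above as a script, added here as an example and not code from the original thread: it copies a certificate from userCertificate to userSMIMECertificate only after checking its validity dates, its key usage and that its e-mail address matches the user's mail attribute, so an expired or mis-issued certificate is not published for encryption. The account name `jdoe` is hypothetical, and the ActiveDirectory RSAT module is assumed.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$sam            = 'jdoe'                 # hypothetical account name
$secureEmailOid = '1.3.6.1.5.5.7.3.4'    # Secure Email (emailProtection) EKU
$encFlags       = [X509KeyUsageFlags]'KeyEncipherment, KeyAgreement'

$user = Get-ADUser -Identity $sam -Properties mail, userCertificate
$now  = Get-Date

$usable = foreach ($raw in $user.userCertificate) {
    $cert = [X509Certificate2]::new([byte[]]$raw)

    # A certificate without a KeyUsage extension is not restricted in usage.
    $ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $canEncrypt = (-not $ku) -or [bool]($ku.KeyUsages -band $encFlags)

    # Same rule for EKU: absent means unrestricted, present must list Secure Email.
    $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $forMail = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $secureEmailOid)

    $inDate  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    $address = $cert.GetNameInfo('EmailName', $false)   # SAN rfc822Name or subject E=

    if ($canEncrypt -and $forMail -and $inDate -and ($address -eq $user.mail)) {
        $cert
    } else {
        Write-Warning "Skipping $($cert.Thumbprint): fails usage, date or address check"
    }
}

# If several certificates pass, publish the one that expires last.
$pick = $usable | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $pick) {
    throw "No usable S/MIME encryption certificate in userCertificate for $sam"
}

# Step 3 of the workaround; remove -WhatIf to actually write the attribute.
Set-ADUser -Identity $user -Replace @{ userSMIMECertificate = $pick.RawData } -WhatIf

# Afterwards run the two Update-* commands from step 4 in the Exchange Management Shell.
```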
@Karl
Should this process cause the encryption and signing certificates to be visible from the Exchange 2013 OWA s/mime control? Doesn’t seem to work for me.
we’re in 2017 now, and it’s still an issue.
In 2018 still same issue…
In 2019 and Outlook 2016 still the same 🙁
It is September 2019, using Outlook 365, still having issue with “publish to GAL” button not showing, even with single mail account…
2023 – Outlook 2016 and O365 2302 – still the same f***** problem…
YEP, STILL THE SAME ISSUE, BUT WHY? ARE THE FOLKS BEHIND ALL OF THIS SMART ENOUGH TO FIGURE OUT WHAT CAUSES THAT OPTION TO BE REMOVED. IS IT NOT IN SOME ‘IF/THEN’ LINE OF CODE?!?
RIDICULOUS