Unable to Enroll PGP Desktop Client when Directory Synchronization Enabled

Article:TECH200059  |  Created: 2012-11-23  |  Updated: 2013-01-02  |  Article URL http://www.symantec.com/docs/TECH200059
Article Type: Technical Solution


Most PGP Desktop users enroll successfully, but one PGP Desktop user cannot. After that user enters an Active Directory username and password, the PGP Enrollment Assistant keeps prompting for the credentials instead of completing enrollment.



PGP Universal Server managed environment with Directory Synchronization configured with Active Directory.



This can happen when the user is entering Active Directory credentials that are not valid for the account: a wrong username or password, or an account that Active Directory will not authenticate (for example one that is disabled or locked out).



First confirm that PGP Universal Server can find the user's account in Active Directory. Run ldapsearch on the PGP Universal Server, using the same LDAP server, Base DN and Bind DN that Directory Synchronization is configured with:

ldapsearch -h winad.domain.dom -b DC=domain,DC=dom -D CN=bindname,CN=Users,DC=domain,DC=dom -W -x -LLL "(sAMAccountName=username)"

In the example above:

  • winad.domain.dom is the name of the server running Active Directory as specified in Consumers / Directory Synchronization / LDAP Servers on Universal Server.
  • DC=domain,DC=dom is the Base Distinguished Name as specified in Consumers / Directory Synchronization / Base Distinguished Names on Universal Server.
  • CN=bindname,CN=Users,DC=domain,DC=dom is the Bind DN as specified in Consumers / Directory Synchronization / LDAP Credentials / Bind DN on Universal Server.
  • username is the Active Directory user name of the user who cannot authenticate.

You will be prompted for the password of the Bind DN user account as specified in Consumers / Directory Synchronization / LDAP Credentials / Passphrase on PGP Universal Server.

If a record is returned for the user, PGP Universal Server can communicate with the Active Directory server, the Bind DN credentials work, and the account of the user who is trying to enroll is found under the configured Base DN. Note that this search binds as the Bind DN, not as the user, so it does not test the password the user is typing into the Enrollment Assistant. If the record is found but enrollment still fails, have the user re-enter the password carefully (check Caps Lock and the keyboard layout) and confirm in Active Directory that the account is not disabled or locked out. If no record is returned, the username is wrong or the account is outside the Base DN that Directory Synchronization searches.
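The script below is an added example and is not part of the Symantec article. It wraps the article's ldapsearch lookup, interprets the LDIF it returns (account not found, disabled, or locked out), and adds the step the article stops short of: a second ldapsearch that binds as the user, which is the only way to test the password the Enrollment Assistant is rejecting. The host, Base DN and Bind DN are the article's placeholders; the user jsmith and the sample LDIF records are constructed for illustration.

```shell
#!/bin/bash
# Added example, not code from the Symantec article or from PGP Universal Server.
# Placeholders as in the article; replace with the values shown under
# Consumers / Directory Synchronization on the Universal Server.
AD_HOST="winad.domain.dom"                          # LDAP Servers
BASE_DN="DC=domain,DC=dom"                          # Base Distinguished Names
BIND_DN="CN=bindname,CN=Users,DC=domain,DC=dom"     # LDAP Credentials / Bind DN

# Step 1, the article's check: find the user with the Bind DN. -W prompts for
# the Bind DN passphrase so it never appears on the command line or in `ps`.
lookup_user() {   # usage: lookup_user <sAMAccountName>
    ldapsearch -h "$AD_HOST" -b "$BASE_DN" -D "$BIND_DN" -W -x -LLL \
        "(sAMAccountName=$1)" dn userPrincipalName userAccountControl lockoutTime
}

# Interpret the LDIF from step 1 (read on stdin). Prints NOTFOUND, DISABLED <dn>,
# LOCKED <dn> or OK <dn>, with exit status 1, 2, 3 or 0 respectively.
# userAccountControl bit 0x2 is ACCOUNTDISABLE. lockoutTime is a FILETIME that
# AD does not reset when the lockout duration elapses, so treat LOCKED as a hint.
classify_ldif() {
    local dn="" uac=0 lockout=0 line
    while IFS= read -r line; do
        case "$line" in
            "dn: "*)                 dn="${line#dn: }" ;;
            "userAccountControl: "*) uac="${line#userAccountControl: }" ;;
            "lockoutTime: "*)        lockout="${line#lockoutTime: }" ;;
        esac
    done
    if [ -z "$dn" ]; then
        echo "NOTFOUND"; return 1
    fi
    if [ $(( uac & 0x2 )) -ne 0 ]; then
        echo "DISABLED $dn"; return 2
    fi
    if [ "$lockout" != "0" ]; then
        echo "LOCKED $dn"; return 3
    fi
    echo "OK $dn"; return 0
}

# Step 2, the check the article does not include: a simple bind as the user
# (AD accepts the user's DN or userPrincipalName as the bind identity) succeeds
# only if the password is correct. -W prompts for the user's password.
verify_user_password() {   # usage: verify_user_password <user DN or UPN>
    ldapsearch -h "$AD_HOST" -b "$BASE_DN" -D "$1" -W -x -LLL -s base \
        "(objectClass=*)" dn >/dev/null 2>&1
}

# Constructed LDIF shaped like `ldapsearch -LLL` output, for offline checks of
# classify_ldif. 512 = NORMAL_ACCOUNT; 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
SAMPLE_OK=$'dn: CN=Jane Smith,CN=Users,DC=domain,DC=dom\nuserPrincipalName: jsmith@domain.dom\nuserAccountControl: 512\nlockoutTime: 0\n'
SAMPLE_DISABLED=$'dn: CN=Jane Smith,CN=Users,DC=domain,DC=dom\nuserPrincipalName: jsmith@domain.dom\nuserAccountControl: 514\nlockoutTime: 0\n'
SAMPLE_LOCKED=$'dn: CN=Jane Smith,CN=Users,DC=domain,DC=dom\nuserAccountControl: 512\nlockoutTime: 130000000000000000\n'

# Live run against the AD server (needs network access): ./check_enroll.sh jsmith
if [ $# -ge 1 ]; then
    result="$(lookup_user "$1" | classify_ldif)"
    echo "$result"
    case "$result" in
        OK*)
            if verify_user_password "${result#OK }"; then
                echo "bind as user succeeded: the password is valid"
            else
                echo "bind as user failed: wrong password, or the account cannot bind"
            fi ;;
    esac
fi
```

A simple bind sends the password in the clear, so run the live check over the same protected channel Directory Synchronization uses (LDAPS, or StartTLS with `-ZZ`) rather than plain LDAP on port 389 when the LDAP Servers entry is configured for SSL/TLS.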
