
Deleted users in Encryption Server cannot be enrolled again?

Created: 16 May 2013 • Updated: 18 May 2013 | 5 comments

Hello everyone

I have a problem: when I delete a user in Encryption Server 10.3, that user is never able to enroll again with the server. For more detail, I only use Encryption Desktop managed by an Encryption Server; no other features are enabled. A user1 was enrolled successfully and I accidentally deleted the user1 account. When he logs on again, the enroll wizard asks him to provide his password but it returns error -11286.

I have imported the user by his key to the server; the server accepts the key but user1 is still unable to enroll again.

Any solution for me? Much appreciated.



SMLatCST:

The only reference I can see to this error suggests it may be an AD auth issue. Can you check to see if the logs mirror those in the below article?

http://www.symantec.com/docs/TECH174197

On another note, this forum is for the SEE product, whereas the Encryption Server is part of the PGP platform. Perhaps try reposting in the below areas?

https://www-secure.symantec.com/connect/security/forums/pgp-wde-windows
https://www-secure.symantec.com/connect/security/forums/pgp-universal-servers-and-kms

kavinclent:

Thank you SMLatCST

But I do not think it is an AD auth issue because any other account is still able to enroll; it just happens when you delete that account on the SEE server and enroll again.

I will post this in the correct section.

PGP_Ben:

Moved this thread to the correct forum group.

There is no issue that I'm aware of that would prevent you from re-enrolling a user because they were deleted on the server. This is actually common practice that is done all the time with customers for one reason or another in troubleshooting.

I would suggest looking at specifics for that user in AD to see if you can find what is different about that user vs the others, mostly looking at the LDAP attributes using a utility such as Softerra LDAP Browser or ADSIedit.msc. I would check for things such as the UPN and samAccountName existing and being accurate, as well as proxyAddress (which should have their email address), etc.

If all those look good, maybe you are in a multi-domain forest and that user has the same samAccountName on more than one domain in the forest? This would require you to use the UPN value to enroll instead of the samAccountName (example: for Bob Smith, bsmith@example.com vs bsmith).

Also, check your BaseDN settings and the Bind DN account and password used in the Directory Sync settings page. I do like the other suggestion of using TECH174197 as a guide as well. It's possible this user you are trying to enroll is in a different OU than some of the other users who can enroll correctly and the BaseDN is set to only look at one OU, which could cause this error.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.
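The checks PGP_Ben lists above (attributes present and well-formed, a samAccountName that is unique across the forest, and the user's DN actually sitting under the configured BaseDN) can be scripted against an LDAP export. The following is an added example, not code from the thread or from Symantec; it runs offline over a constructed set of directory entries, and the BaseDN values, the entry data and the `diagnose` helper are illustrative assumptions rather than anything the server itself exposes.

```python
"""Added example (not from the thread or from Symantec): offline checks that
mirror PGP_Ben's advice for a user who gets an enrollment error.

The directory entries below are constructed sample data, not a real export.
In practice you would obtain the same dicts from an LDAP search (ldapsearch,
ADSIedit, Softerra) scoped to the Directory Sync BaseDN.
"""

# Constructed sample directory: user1 is clean, user2 lives in an OU outside a
# narrow BaseDN, user3 has no primary SMTP address, and bsmith exists in two
# domains of the forest with the same sAMAccountName.
SAMPLE_ENTRIES = [
    {"dn": "CN=user1,OU=Staff,DC=example,DC=com", "sAMAccountName": "user1",
     "userPrincipalName": "user1@example.com",
     "proxyAddresses": ["SMTP:user1@example.com"]},
    {"dn": "CN=user2,OU=Contractors,DC=example,DC=com", "sAMAccountName": "user2",
     "userPrincipalName": "user2@example.com",
     "proxyAddresses": ["SMTP:user2@example.com"]},
    {"dn": "CN=user3,OU=Staff,DC=example,DC=com", "sAMAccountName": "user3",
     "userPrincipalName": "user3@example.com", "proxyAddresses": []},
    {"dn": "CN=bsmith,OU=Staff,DC=example,DC=com", "sAMAccountName": "bsmith",
     "userPrincipalName": "bsmith@example.com",
     "proxyAddresses": ["SMTP:bsmith@example.com"]},
    {"dn": "CN=bsmith,OU=Staff,DC=sub,DC=example,DC=com", "sAMAccountName": "bsmith",
     "userPrincipalName": "bsmith@sub.example.com",
     "proxyAddresses": ["SMTP:bsmith@sub.example.com"]},
]


def parse_dn(dn):
    """Split a DN into lower-cased RDN components (root component last).
    Naive comma split: fine for the sample data, escaped commas not handled."""
    return [c.strip().lower() for c in dn.split(",")]


def in_base_dn(dn, base_dn):
    """True if dn sits at or below base_dn (suffix match on RDN components)."""
    dn_parts, base_parts = parse_dn(dn), parse_dn(base_dn)
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def primary_smtp(entry):
    """Return the primary mail address; upper-case 'SMTP:' marks the primary one."""
    for addr in entry.get("proxyAddresses", []):
        if addr.startswith("SMTP:"):
            return addr[len("SMTP:"):]
    return None


def attribute_problems(entry):
    """Attribute-level checks: sAMAccountName, UPN in user@domain form, mail."""
    problems = []
    if not entry.get("sAMAccountName"):
        problems.append("sAMAccountName missing")
    upn = entry.get("userPrincipalName") or ""
    if "@" not in upn:
        problems.append("userPrincipalName missing or not in user@domain form")
    if primary_smtp(entry) is None:
        problems.append("no primary SMTP: address in proxyAddresses")
    return problems


def duplicate_samaccountnames(entries):
    """Map each sAMAccountName that occurs more than once to the DNs using it."""
    seen = {}
    for e in entries:
        name = (e.get("sAMAccountName") or "").lower()
        if name:
            seen.setdefault(name, []).append(e["dn"])
    return {name: dns for name, dns in seen.items() if len(dns) > 1}


def diagnose(entries, base_dn, login_name):
    """Findings for a user enrolling with login_name (sAMAccountName or UPN).
    An empty list means none of the checks in the thread flagged anything."""
    findings = []
    login = login_name.lower()
    matches = [e for e in entries
               if (e.get("sAMAccountName") or "").lower() == login
               or (e.get("userPrincipalName") or "").lower() == login]
    if not matches:
        return ["no directory entry matches %r" % login_name]
    if len(matches) > 1:
        # Same sAMAccountName in several domains: enroll with the UPN instead.
        findings.append("login %r is ambiguous (%d entries); enroll with the UPN instead: %s"
                        % (login_name, len(matches),
                           ", ".join(e["userPrincipalName"] for e in matches)))
    for e in matches:
        for p in attribute_problems(e):
            findings.append("%s: %s" % (e["dn"], p))
        if not in_base_dn(e["dn"], base_dn):
            findings.append("%s is outside BaseDN %s; Directory Sync will not find it"
                            % (e["dn"], base_dn))
    return findings


if __name__ == "__main__":
    base = "OU=Staff,DC=example,DC=com"  # assumed Directory Sync BaseDN
    for login in ("user1", "user2", "user3", "bsmith", "bsmith@sub.example.com"):
        print(login, "->", diagnose(SAMPLE_ENTRIES, base, login) or ["OK"])
```

Run it against a real export by replacing SAMPLE_ENTRIES with the attributes pulled from ADSIedit or an ldapsearch of the BaseDN; a user whose only finding is "outside BaseDN" points at the Directory Sync scope rather than at the account itself.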

PGP_Ben:

kavinclent, I just re-read one of your responses and you said:

"But I do not think it is an AD auth issue because any other account is still able to enroll; it just happens when you delete that account on the SEE server and enroll again."

But at the top you mentioned Encryption Server and Encryption Desktop. Do you mean Symantec Encryption Management Server (powered by PGP technology) or Symantec Endpoint Encryption Management Server (SEE/GuardianEdge) technology?

They are two different products. One runs on Windows with IIS (Symantec Endpoint Encryption Management Server); the other is a Linux-based appliance (Symantec Encryption Management Server, formerly PGP Universal Server).

If it's the latter, Symantec Encryption Management Server, then my above post still applies on things to look for. But we could probably use clarification, since you are using the names SEE, Symantec Encryption Management Server and Symantec Encryption Desktop synonymously.


kavinclent:

Thank you, Ben

The Symantec support team always surprises me with their skills and response time, so I guess you are one of the best. Cheers!!

Sorry for the lack of info I have posted; I am using Symantec Encryption Management Server (formerly PGP Universal Server) and it is running on VMware ESXi 5.0.

I'm using only one domain, so I am sure there is no other account with the same name. The LDAP attributes, UPN, samAccountName and proxyAddress of the user are correct.

This is what I have done:

1. Create account (user1@mydomain.com) -> Log on and enroll that account from the client machine -> Perfect.

The PGP Universal Server recognised that user as an internal user and placed it on the list.

2. Delete user1 from PGP Universal Server (user1 is still available in AD then)

Enroll again -> Error -11286

I have tried with 3 different accounts and get the same result.