File Share Encryption

  • 1.  Deleted users in Encryption Server cannot be enroll again?

    Posted May 17, 2013 12:07 AM

    Hello everyone

    I have a problem that when I delete a user in the Encryption Server 10.3, that user will never be able to enroll again with the server. For more detail, I only use Encryption Desktop managed by an Encryption Server; no other features are enabled. A user1 was enrolled successfully and I accidentally deleted user1's account. When he logs on again, the enroll wizard asks him to provide his password but it returns error -11286.

    I have imported the user by his key to the server; the server accepts the key but user1 is still unable to enroll again.

    Any solution for me? Very much appreciated.




  • 2.  RE: Deleted users in Encryption Server cannot be enroll again?

    Posted May 17, 2013 03:28 AM

    The only reference I can see to this error suggests it may be an AD auth issue. Can you check to see if the logs mirror those in the below article?

    http://www.symantec.com/docs/TECH174197

    On another note, this forum is for the SEE product, whereas the Encryption Server is part of the PGP platform. Perhaps try reposting in the below areas?

    https://www-secure.symantec.com/connect/security/forums/pgp-wde-windows
    https://www-secure.symantec.com/connect/security/forums/pgp-universal-servers-and-kms



  • 3.  RE: Deleted users in Encryption Server cannot be enroll again?

    Posted May 17, 2013 03:46 AM

    Thank you SMLatCST

    But I do not think it is an AD auth issue because any other account is still able to enroll; it just happens when you delete that account on the SEE server and enroll again.

    I will post this in the correct section.



  • 4.  RE: Deleted users in Encryption Server cannot be enroll again?

    Posted May 18, 2013 12:18 PM

    Moved this thread to the correct forum group.

    There is no issue that I'm aware of that would prevent you from re-enrolling a user because they were deleted on the server. This is actually common practice that is done all the time with customers for one reason or another in troubleshooting.

    I would suggest looking at specifics for that user in AD to see if you can find what is different about that user vs. the others, mostly looking at the LDAP attributes using a utility such as Softerra LDAP Browser or ADSIedit.msc. I would check for things such as the UPN and samAccountName existing and being accurate, as well as proxyAddress (which should have their email address), etc.

    If all those look good, maybe you are in a multi-domain forest and that user has the same samAccountName on more than one domain in the forest? This would require you to use the UPN value to enroll instead of the samAccountName (example: for Bob Smith, bsmith@example.com vs. bsmith).

    Also, check your BaseDN settings and Bind DN account and password used in the Directory Sync settings page. I do like the other suggestion of using TECH174197 as a guide as well. It's possible this user you are trying to enroll is in a different OU than some of the other users who can enroll correctly and the BaseDN is set to only look at one OU, which could cause this error.
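    The checks suggested in the post above (UPN, samAccountName and proxy address present and well-formed, the user's OU sitting under the configured BaseDN, and duplicate samAccountNames across domains in a forest) can be run offline against an LDIF export of the user objects. The script below is an added example and is not code from the thread or from Symantec; it uses the real AD attribute names `sAMAccountName`, `userPrincipalName` and `proxyAddresses`, the sample LDIF is constructed for illustration, and the BaseDN value is an assumed setting, not one taken from the poster's server.

```python
"""Offline sanity check of the AD attributes a Directory Sync lookup depends on."""
from typing import Dict, List

# Constructed sample export (not real directory data): user1 is well-formed,
# user2 lives in an OU outside the BaseDN and has no proxyAddresses, and a
# second 'user1' exists in a child domain, which is the forest duplicate case.
SAMPLE_LDIF = """\
dn: CN=user1,OU=Staff,DC=mydomain,DC=com
sAMAccountName: user1
userPrincipalName: user1@mydomain.com
proxyAddresses: SMTP:user1@mydomain.com
proxyAddresses: smtp:u1@mydomain.com

dn: CN=user2,OU=Contractors,DC=mydomain,DC=com
sAMAccountName: user2
userPrincipalName: user2@mydomain.com

dn: CN=user1,OU=Staff,DC=other,DC=mydomain,DC=com
sAMAccountName: user1
userPrincipalName: user1@other.mydomain.com
proxyAddresses: SMTP:user1@other.mydomain.com
"""

# Assumed BaseDN for the Directory Sync settings; not the poster's real value.
ASSUMED_BASE_DN = "OU=Staff,DC=mydomain,DC=com"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines,
    repeated attributes collected into a list. No base64 or line-folding support."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")  # split on the first colon only
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (case-insensitive, whitespace-trimmed)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under_base(dn: str, base_dn: str) -> bool:
    """True if dn sits at or below base_dn in the tree (suffix match on RDNs)."""
    dn_parts, base_parts = dn_components(dn), dn_components(base_dn)
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def check_entry(entry: Dict[str, List[str]], base_dn: str) -> List[str]:
    """Return readable problems with one user entry; empty list if it looks fine."""
    problems = []
    dn = entry.get("dn", [""])[0]
    if not is_under_base(dn, base_dn):
        problems.append(f"{dn}: outside BaseDN {base_dn}, Directory Sync will not see it")
    for attr in ("sAMAccountName", "userPrincipalName"):
        if not entry.get(attr):
            problems.append(f"{dn}: missing {attr}")
    upn = entry.get("userPrincipalName", [""])[0]
    if upn and "@" not in upn:
        problems.append(f"{dn}: userPrincipalName '{upn}' is not in user@domain form")
    smtp = [a for a in entry.get("proxyAddresses", []) if a.upper().startswith("SMTP:")]
    if not smtp:
        problems.append(f"{dn}: no SMTP: value in proxyAddresses, no email address to enroll with")
    elif not any(a.startswith("SMTP:") for a in smtp):
        problems.append(f"{dn}: no primary (upper-case SMTP:) proxy address")
    return problems


def find_duplicate_sam(entries: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Map each sAMAccountName used by more than one entry to the DNs that carry it."""
    seen: Dict[str, List[str]] = {}
    for e in entries:
        for sam in e.get("sAMAccountName", []):
            seen.setdefault(sam.lower(), []).append(e["dn"][0])
    return {sam: dns for sam, dns in seen.items() if len(dns) > 1}


def audit(text: str, base_dn: str) -> Dict[str, object]:
    """Run every check over an LDIF export and return a report dictionary."""
    entries = parse_ldif(text)
    problems: Dict[str, List[str]] = {}
    for e in entries:
        found = check_entry(e, base_dn)
        if found:
            problems[e["dn"][0]] = found
    return {"problems": problems, "duplicate_sam": find_duplicate_sam(entries)}


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF, ASSUMED_BASE_DN)
    for dn, items in report["problems"].items():
        for item in items:
            print("PROBLEM:", item)
    for sam, dns in report["duplicate_sam"].items():
        print(f"DUPLICATE sAMAccountName '{sam}': enroll with the UPN instead: {dns}")
```

    Run it against an export taken with Softerra LDAP Browser or `ldifde`, with `ASSUMED_BASE_DN` replaced by the BaseDN configured on the server's Directory Sync page. A user reported as outside the BaseDN, or as sharing a sAMAccountName with an account in another domain, matches the two causes the post describes.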



  • 5.  RE: Deleted users in Encryption Server cannot be enroll again?

    Posted May 18, 2013 12:24 PM

    kavinclient, I just re-read one of your responses and you said:

    But I do not think it is an AD auth issue because any other account is still able to enroll; it just happens when you delete that account on the SEE server and enroll again.

    But at the top you mentioned Encryption Server and Encryption Desktop. Do you mean Symantec Encryption Management Server (powered by PGP technology) or Symantec Endpoint Encryption Management Server (SEE/GuardianEdge) technology?

    They are two different products. One runs on Windows with IIS (Symantec Endpoint Encryption Management Server); the other is a Linux-based appliance (Symantec Encryption Management Server, formerly PGP Universal Server).

    If it's the latter, Symantec Encryption Management Server, then my above post still applies on things to look for. But we could probably use clarification since you are using both names (SEE and Symantec Encryption Management Server and Symantec Encryption Desktop) synonymously.



  • 6.  RE: Deleted users in Encryption Server cannot be enroll again?

    Posted May 19, 2013 01:24 PM

    Thank you, BEN

    The Symantec support team always makes me surprised by their skills and response time, so I guess you are one of the best. Cheers!!

    Sorry for the lack of info I have posted. I am using Symantec Encryption Management Server (formerly PGP Universal Server) and it is running on VMware ESXi 5.0.

    I'm using only one domain, so I am sure there is no other account with the same name. The LDAP attributes, UPN, samAccountName and proxyAddress of the user are correct.

    This is what I have done:

    1. Create account (user1@mydomain.com) -> Log on and enroll that account from the client machine -> Perfect.

    The PGP Universal Server recognised that user as an internal user and placed it on the list.

    2. Delete user1 from PGP Universal Server (user1 is still available in AD then).

    Enroll again -> Error -11286.

    I have tried with 3 different accounts and got the same result.