Troubleshooting: PGP Encryption Desktop Client Enrollment (Symantec Encryption Desktop)

Article ID: 153425

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Gateway Email Encryption, Endpoint Encryption, File Share Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

When attempting to enroll a PGP Encryption Desktop (Symantec Encryption Desktop) client with a PGP Encryption Server (Symantec Encryption Management Server) the Enrollment Assistant fails or does not continue.

This article provides some areas to troubleshoot client enrollment with a PGP Encryption Server.

Resolution

General Troubleshooting

Symantec Encryption Management Server Logs

Client logs display messages about connections made from PGP Encryption Desktop clients. For example, Symantec Drive Encryption (previously PGP Whole Disk Encryption) event notices include device detection, disk encryption or decryption, device status changes, errors during events, and WDRT (Whole Disk Recovery Token) use or creation.

To troubleshoot client enrollment, search the PGP Encryption Server logs for the email address, username, or IP address of the user unable to enroll with the server.

To view the client logs:

  1. Access the PGP Encryption Server administrative interface.
  2. Click the Reporting card and select the logs tab.
  3. In the System Logs, click the drop-down arrow and select Client. The client logs are displayed.

Invalid Credentials

When receiving an error regarding Invalid credentials, the cause is generally an incorrect password on the user account. Check the user account password in Active Directory and the password of the Bind DN user specified on the PGP Encryption Server.

You can verify your Directory Synchronization by testing the connection to your LDAP server. For an article on testing LDAP connections, click here.

User not found in directory

If the user is rejected due to not being found in the directory, check the following areas:

  1. Confirm the Base DN in the Directory Synchronization settings is correct.
  2. Confirm the username and passphrase for the Bind DN and re-enter if necessary. Click Test Connection to confirm your configuration is correct.

    Note: Directory Synchronization is configured by selecting the Internal User Policy tab on the Policy card in the PGP Encryption Server administrative interface.
  3. Confirm your LDAP server is configured correctly for LDAP referrals. If LDAP Referrals are enabled for Directory Synchronization, but your LDAP server does not support LDAP referrals or is not being used, enrollment may fail. See the following article for more information.
  4. Check Global Directory settings. Currently Symantec Encryption Management Server supports the usage of Global Directory on a single domain only.

When LDAP Directory Synchronization fails, client enrollment may fail with an error message regarding failure to import a license number. Click here for additional information when you receive the error Failed to import License Number, error -11933.

If you are not using Global Directory, check the following settings on the Symantec Encryption Management Server:

  1. Managed Domain - confirm the email domain matches the Managed Domain on the PGP Encryption Server.
  2. Mail Queue - Check if messages are stuck in the Mail Queue. See the following article for more information.
  3. Mail Route configuration. Click here for an article on Managing Mail Routes.

Connection Issues

If enrollment of the PGP Encryption Desktop client fails immediately, examine the following areas:

  1. Check for any proxy server or firewall settings which may cause connection issues. Click here for additional information.
  2. Confirm the PGPSTAMP for Symantec Encryption Desktop in the Windows Registry is correct. See the PGP Encryption Desktop Registry Entries section in the following article.
  3. Check network connectivity to the PGP Encryption Server.
  • Check network DNS (forward and reverse lookups) settings.
  • Try to connect to the server via Telnet over port 443.
  • Use the PING utility to confirm you can contact the PGP Encryption Server.

If connectivity issues persist, try restarting the PGP Encryption Server.
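A scripted form of the DNS, port 443 and ping checks listed above, run from the client toward the server it is configured to enroll with (an added example, not from the article or the Symantec product; keys.example.com is a placeholder hostname):

```python
import socket, subprocess, sys
ENROLLMENT_PORT = 443  # the article's telnet check targets TCP 443

def forward_lookup(host):
    """IPv4 address the client resolves for host, or None when it does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def reverse_lookup(ip):
    """PTR name for ip, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror is a subclass of OSError
        return None

def dns_consistent(host, forward_ip, reverse_name):
    """True when forward and reverse DNS agree for the configured server name."""
    if forward_ip is None:
        return False
    if host == forward_ip:  # server configured by IP: nothing to compare
        return True
    return reverse_name is not None and reverse_name.rstrip(".").lower() == host.rstrip(".").lower()

def tcp_open(host, port=ENROLLMENT_PORT, timeout=3.0):
    """True if a TCP handshake completes: the scripted form of 'telnet host 443'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def icmp_reachable(host):
    """One ICMP echo via the OS ping; None if ping is missing or times out."""
    flag = "-n" if sys.platform.startswith("win") else "-c"
    try:
        return subprocess.run(["ping", flag, "1", host], capture_output=True, timeout=10).returncode == 0
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None

def check_enrollment_server(host, port=ENROLLMENT_PORT):
    """Run every check and return one dict a helpdesk ticket can quote."""
    ip = forward_lookup(host)
    ptr = reverse_lookup(ip) if ip else None
    return {"forward_ip": ip, "reverse_name": ptr,
            "dns_consistent": dns_consistent(host, ip, ptr),
            "tcp_open": tcp_open(host, port) if ip else False,
            "icmp": icmp_reachable(host) if ip else None}

if __name__ == "__main__":  # keys.example.com is a placeholder server name
    print(check_enrollment_server(sys.argv[1] if len(sys.argv) > 1 else "keys.example.com"))
```

A result with icmp True but tcp_open False usually points at a proxy or firewall rule on the path, the first item in the list above; a False dns_consistent means the forward and reverse records for the server name disagree and should be fixed before retrying enrollment.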

Email Enrollment

Missing registry entries, third-party software, and other conflicts may cause the Next button to remain grayed out, preventing you from continuing enrollment. See the following articles for additional troubleshooting:

Lotus Notes: Enrollment Fails if the Enrollment Message is Relayed Through an Exchange Connector.

PGP Email Proxy Fails or Next Button Grayed out during Enrollment.

PGP Enrollment Assistant Next button remains grayed out after receiving enrollment messenger.

User Certificates

Some environments require User and Machine certificates for authentication, and some IT Helpdesk personnel will have multiple certificates generated for them automatically for each system they log in to.

This can cause timeouts when the PGP Encryption Server queries the Domain Controller to pull the user's profile.

To resolve this issue do one of the following:

  1. Delete any unnecessary certificates from the user's directory profile.
  2. Contact Technical Support if certificate enrollment and/or S/MIME encryption is not being used, and have the certificates ignored by the PGP Encryption Server using LDAP customizations.


Email Enrollment Errors

If you are attempting to enroll with the "Email Enrollment" method, you enter an email address during the enrollment process and an enrollment email is then sent to you.
Once this email arrives, it "authenticates" you to the PGP Encryption Server. If, after receiving the enrollment email, the following error appears:

"Configuration server has rejected your email address"

If the above error message appears, check the Directory Synchronization settings and ensure the proper configuration has been entered.

If Directory Synchronization is enabled, you will need to have a "Bind DN" as well as the credentials for this account in order for the enrollment to work.
If no settings are configured, the enrollment will not be able to validate the account you are trying to enroll.
Once these Directory Synchronization settings have been entered, retry the enrollment process.

Additional Information

171746 - PGP Administrator Password Complexity Enforcement via AD Admins (Directory Authentication) for PGP Encryption Server

153670 - PGP Encryption Server Administrator Roles (Symantec Encryption Management Server)

180239 - HOW TO: Enable Directory Synchronization on the PGP Encryption Server (Symantec Encryption Management Server)

180156 - Obtain the Base DN or Bind DN Attributes for LDAP Directory Synchronization for PGP Encryption Server

153668 - Enroll PGP Encryption Desktop clients using Directory Authentication with PGP Encryption Server (Symantec Encryption Management Server)

153425 - Troubleshooting: PGP Encryption Desktop Client Enrollment (Symantec Encryption Desktop)

171744 - PGP Administrator Password Complexity Enforcement via Passphrase Authentication (Manual Password Assignment)

216163 - Reset Password for Administrators on Symantec Encryption Management Server (PGP Server)

197991 - PGP Encryption Server Directory Synchronization cannot use IP address for LDAPS (Symantec Encryption Management Server)