When attempting to enroll a Symantec Encryption Desktop (previously PGP Desktop) client with a Symantec Encryption Management Server (previously PGP Universal Server), the Enrollment Assistant fails or does not continue. This article lists areas to check when troubleshooting client enrollment with a Symantec Encryption Management Server.
Symantec Encryption Management Server Logs
Client logs display messages about connections made from Symantec Encryption Desktop clients. For example, Symantec Drive Encryption (previously PGP Whole Disk Encryption) event notices include device detection, disk encryption or decryption, device status changes, errors during events, and WDRT use or creation.
To troubleshoot client enrollment, search the Symantec Encryption Management Server logs for the email address, username, or IP address of the user unable to enroll with the server.
To view the client logs:
An error regarding Invalid credentials is generally due to an incorrect password on the user account. Check the user account password in Active Directory and the password of the Bind DN user specified on the Symantec Encryption Management Server.
You can verify your Directory Synchronization by testing the connection to your LDAP server. For an article on testing LDAP connections, click here.
User not found in directory
If the user is rejected due to not being found in the directory, check the following areas:
When LDAP Directory Synchronization fails, client enrollment may fail with an error message regarding failure to import a license number. Click here for additional information when you receive the error Failed to import License Number, error -11933.
If you are not using Global Directory, check the following settings on the Symantec Encryption Management Server:
If enrollment of the Symantec Encryption Desktop client fails immediately, examine the following areas:
If connectivity issues persist, try restarting the Symantec Encryption Management Server.
Missing registry entries, third-party software, and other conflicts may cause the Next button to remain grayed out, preventing you from continuing enrollment. See the following articles for additional troubleshooting:
Lotus Notes: Enrollment Fails if the Enrollment Message is Relayed Through an Exchange Connector.
PGP Email Proxy Fails or Next Button Grayed out during Enrollment.
PGP Enrollment Assistant Next button remains grayed out after receiving enrollment messenger.
Some environments require the use of User and Machine certificates for authentication, and some IT Helpdesk personnel will have multiple certificates generated for them automatically, one for each system they log in to.
This can cause timeouts when the Symantec Encryption Management Server queries the Domain Controller to pull the user's profile.
To resolve this issue do one of the following:
Email Enrollment Errors
If you are attempting to enroll with the "Email Enrollment" method, you enter an email address during the enrollment process, and an enrollment email is then sent to you.
Once this email arrives, this "authenticates" you to the Symantec Encryption Management Server (PGP Server). After receiving the enrollment email, the following error appears:
"Configuration server has rejected your email address"
If the above error message appears, check the Directory Synchronization settings and ensure the proper configuration has been entered.
If Directory Synchronization is enabled, you will need to have a "Bind DN" as well as the credentials for this account in order for the enrollment to work.
If no settings are configured, the enrollment will not be able to validate the account you are trying to enroll.
Once these Directory Synchronization settings have been entered, retry the enrollment process.
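The Bind DN check and the directory lookup described under Invalid credentials, User not found in directory, and Email Enrollment Errors can be reproduced outside the server with the OpenLDAP ldapsearch client. The script below is an added example, not Symantec code; the host name, Bind DN, base DN, password file path, and the use of the mail attribute as the lookup key are all assumptions to replace with your own Directory Synchronization settings.

```shell
#!/bin/sh
# Added example, not vendor code. Requires the OpenLDAP client tools (ldapsearch).
# Every value below is a placeholder; substitute your Directory Synchronization settings.
LDAP_URI="${LDAP_URI:-ldaps://dc01.example.com}"
BIND_DN="${BIND_DN:-CN=svc-dirsync,OU=Service Accounts,DC=example,DC=com}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"
BIND_PW_FILE="${BIND_PW_FILE:-$HOME/.dirsync-bind.pw}"  # chmod 600, no trailing newline

# Reject empty input and LDAP filter metacharacters before building the filter.
safe_mail() {
  case "$1" in
    ''|*[\*\(\)\\]*) return 1 ;;
  esac
  return 0
}

# Count entries in LDIF output (each entry starts with "dn:" or "dn::").
count_entries() {
  printf '%s\n' "$1" | grep -c '^dn:' || true
}

# Map the ldapsearch exit status (the LDAP result code) and entry count to a symptom.
diagnose() {
  case "$1" in
    0)   if [ "$2" -eq 0 ]; then echo "user-not-found"; else echo "ok"; fi ;;
    49)  echo "invalid-credentials" ;;   # invalidCredentials: wrong Bind DN or password
    32)  echo "base-dn-not-found" ;;     # noSuchObject: search base does not exist
    255) echo "server-unreachable" ;;    # typically: client could not contact the server
    *)   echo "ldap-error-$1" ;;
  esac
}

# Bind as the Bind DN and search for the enrolling user's email address.
check_user() (
  safe_mail "$1" || { echo "invalid-input"; exit 0; }
  rc=0
  # -y reads the bind password from a file so it stays out of argv and shell history.
  out=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$BASE_DN" "(mail=$1)" dn mail 2>/dev/null) || rc=$?
  diagnose "$rc" "$(count_entries "$out")"
)

if [ "$#" -gt 0 ]; then
  check_user "$1"
fi
```

A result of invalid-credentials points at the Bind DN password, while user-not-found with a successful bind points at the search base or the user's mail attribute.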