In an environment with Symantec Encryption Management Server (previously PGP Universal) and directory synchronization enabled users might not be able to generate their CKM mode PGP keys from x.509 certificates on a smartcard. This problem occurs when the same certificates are published in LDAP attribute userCertificate:binary.
The Symantec Encryption Desktop enrollment wizard will complain that the no key matches the key management mode.
The cause is a collision of the certificates imported at the client and the ones that are being imported through the directory synchronization method.
Symantec Corporation is committed to product quality and satisfied customers. This issue is currently being considered by Symantec Corporation to be addressed in a forthcoming version or Maintenance Pack of the product. Please be sure to refer back to this document periodically as any changes to the status of the issue will be reflected here.
When the sync of certificates from LDAP is disabled the issue goes away.
In /etc/ovid/prefs.xml add the following to the <key-generation> section
Symantec Encryption Management Server with directory-synchronization + LDAP/Active Directory with userCertificate:binary populated + x509 certificates on smartcard