Unable to enroll/authenticate PGP Desktop clients when using Microsoft Active Directory Domain's Logon Restrictions with a User

book

Article ID: 156468

calendar_today

Updated On:

Products

Symantec Products

Issue/Introduction

When restricting Microsoft Active Directory (AD) domain users to specific computers using the Logon Restriction setting per user account, PGP Desktop clients are unable to enroll/authenticate.

The PGP Desktop client will fail with, "Your credentials were not accepted. Please try again."

The PGP Universal Server will show, "CLIENT-XXXXX: ldap operation result 49, Invalid credentials"

The error is misleading, since it's not a bad password problem for the user account.

Cause

Since the LDAP query is being issued from PGP Universal Server and not the from the client's (permitted) computer, the AD LDAP server rejects the connection.

Resolution

Switch to Email Enrollment or use a secondary LDAP server specifically for PGP client authentication.