LDAP Enrollment not Working with Multiple Base DN's Configured When Using a Multi Domain Forest


Article ID: 157314


Updated On:


Symantec Products


An error is displayed in the client logs of PGP Universal Server and the PGP Enrollment screen continues to pop-up on the client showing that you failed to authenticate correctly.


ldap operation result: 10, 0000202B: RefErr: DSID-03100742, data 0, 1 access points


This is caused by not accessing the AD server on the correct port for a multiple domain base DN search.

Using the "Browse Base DN" button in the administrative interface of PGP Universal Server allows you to view those other Base DN's, but if they are on a different domain than the LDAP/AD server that you are configured to synchronize with, it will fail to search and find the correct user in that Base DN.


Resolve this issue by changing the port used for LDAP lookups under the server entry in Consumers > Directory Synchronization to use port 3268 instead of port 389.  You can also go to the Base Distinguished Name tab and sort the Base DN you are having trouble searching in and place it to the top of the list by setting it to 1 for the order.  Click "View Sample Records" to verify that it shows the users in the correct Base DN that you are searching in.


Applies To

PGP Universal Server

Managed PGP Desktop client

Active Directory (AD) Forest with multiple domains

Multiple Base DN configurations for each domain