search cancel

How to use userPrincipalName (UPN) instead of sAMAccountName as a valid attribute for enrollment


Article ID: 157315


Updated On:


Symantec Products


PGP Universal Server introduced a feature beginning with version 3.0.x to enable an PGP Desktop user to enroll using userPrincipalName OR sAMAccountName in the username field.

This is useful when you have a user (e.g. Administrator) which is common among multiple domains in an Microsoft Active Directory (AD) Forest.

failed authentication for internal PGP Desktop (client version) user (username) from [IP address]


The sAMAccountName is not required to be unique in an Microsoft multi-domain AD Forest configuration. However, this can cause problems with PGP Universal Server and not allow the user to enroll because the software gets confused which user you are enrolling as and you will receive an authentication failure notification when trying to enroll.



  • Make sure that Directory Synchronization is enabled under Consumers > Directory Synchronization.  If not, click the Enable button
  • Click the Settings button on this screen and make sure that Enroll clients using directory authentication is checked and click Save.
  • Make sure that your Base Distinguished Names tab (under the server entry in Directory Synchronization page) has the correct Base DN configured to search for the user that is having problems enrolling (e.g. CN=Users,DC=corp,DC=example,DC=com). This would be valid for users in the CORP domain under the EXAMPLE.COM forest.  Click Save when changing the Base DN settings.


When enrolling the PGP Desktop clients:

1. Launch PGP Tray from Start > All Programs > Startup > PGP Tray.

2. When prompted for authentication, instead of putting in the sAMAccountName value (e.g. Administrator) use the UPN (e.g. [email protected]). You can find the UPN using an LDAP browser such as Softerra LDAP browser or else using the ADSI Edit utility from Microsoft.

3. Enter the correct password for that user. This will allow you to enroll successfully.

Alternatively, to have users continue to use the sAMAccountName attribute when enrolling (e.g. TUser for Test User). They only need to supply this information in the username field (TUser) and the users password.


Applies To

PGP Universal Server

PGP Desktop managed client

Microsoft Active Directory Forest with multiple domains