PGP Universal Server introduced a feature beginning with version 3.0.x to let a PGP Desktop user enroll using either the userPrincipalName (UPN) or the sAMAccountName in the username field.
This is useful when a user name (e.g. Administrator) is common to multiple domains in a Microsoft Active Directory (AD) Forest.
failed authentication for internal PGP Desktop (client version) user (username) from [IP address]
The sAMAccountName is not required to be unique across a Microsoft multi-domain AD Forest. However, this can cause problems with PGP Universal Server: it cannot determine which of the matching users is enrolling, the user is not allowed to enroll, and an authentication failure notification is returned when enrollment is attempted.
When enrolling the PGP Desktop clients:
1. Launch PGP Tray from Start > All Programs > Startup > PGP Tray.
2. When prompted for authentication, instead of putting in the sAMAccountName value (e.g. Administrator) use the UPN (e.g. [email protected]). You can find the UPN using an LDAP browser such as Softerra LDAP browser or else using the ADSI Edit utility from Microsoft.
3. Enter the correct password for that user. This will allow you to enroll successfully.
Alternatively, users can continue to use the sAMAccountName attribute when enrolling (e.g. TUser for Test User); they only need to supply that value in the username field (TUser) together with the user's password.
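As an added example (not part of the original article or the PGP product), the following PowerShell script shows how an administrator can look up the UPN to use for enrollment and, at the same time, confirm whether a given sAMAccountName really is duplicated across the forest, which is the condition that produces the authentication failure above. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read every domain in the forest; the sAMAccountName value passed in is an assumption for illustration.

```powershell
# Added example, not from the PGP Universal Server documentation.
# Lists every user in the forest with the given sAMAccountName and the
# userPrincipalName that PGP Desktop users should enter when enrolling.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName   # e.g. 'Administrator' (assumed value for illustration)
)

Import-Module ActiveDirectory

# Query each domain in the forest separately; -Server scopes Get-ADUser to that domain.
$found = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" `
               -Server $domain `
               -Properties userPrincipalName |
        Select-Object @{ n = 'Domain'; e = { $domain } },
                      sAMAccountName,
                      userPrincipalName,
                      DistinguishedName
}

$found | Format-Table -AutoSize

# More than one hit means the sAMAccountName is ambiguous in this forest:
# the PGP Universal Server cannot tell the accounts apart, so the UPN must be used.
if (@($found).Count -gt 1) {
    Write-Warning ("'{0}' exists in {1} domains; enroll with the userPrincipalName " +
                   "shown above instead of the sAMAccountName." -f $SamAccountName, @($found).Count)
}
elseif (@($found).Count -eq 0) {
    Write-Warning "No user with sAMAccountName '$SamAccountName' was found in the forest."
}
```

Run it as `.\Find-EnrollmentUpn.ps1 -SamAccountName Administrator` (script name assumed). The same information can be read manually with ADSI Edit or an LDAP browser, but scripting the lookup makes the duplicate-name condition visible before users start hitting the enrollment failure.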
Applies To
PGP Universal Server
PGP Desktop managed client
Microsoft Active Directory Forest with multiple domains