Error in Encryption Management Server Client Log - Duplicate key violates unique constraint "email_idx"


Article ID: 157382


Products

Encryption Management Server

Issue/Introduction

After entering their Active Directory username and password correctly, an Encryption Desktop user is unable to enroll. They are continually prompted for their username and password.

The Encryption Management Server Client log contains the error:

Duplicate key violates unique constraint "email_idx"

Cause

The user trying to enroll has one or more secondary email addresses associated with their Active Directory account.  One of these secondary email addresses may already be in use by a Consumer account in Encryption Management Server.

This can occur under the following circumstances:

  1. A user who has a Consumer account in Encryption Management Server leaves the organization and their Active Directory account is disabled or deleted.
  2. That user's primary email address is deleted.
  3. Another Active Directory user is given the departed user's email address as a secondary address.
  4. The Consumer account of the user whose Active Directory account was disabled or deleted is not deleted from Encryption Management Server.

This issue can also occur if the Active Directory record of the user who is trying to enroll has a primary email address in the proxyAddresses attribute that does not match the mail attribute. In proxyAddresses, the entry whose prefix is SMTP in capital letters is the primary email address; entries with a lower-case smtp prefix are secondary addresses.

Example snippet of an Active Directory record that will not enroll

proxyAddresses: notes:Steven Lastname/Staff/[email protected]
proxyAddresses: smtp:[email protected]
proxyAddresses: SMTP:[email protected]
proxyAddresses: smtp:[email protected]
mail: [email protected]

Note that in this example the mail field does not match the proxyAddresses entry that has SMTP capitalized.

Example snippet of an Active Directory record that will enroll

proxyAddresses: notes:Steven Lastname/Staff/[email protected]
proxyAddresses: smtp:[email protected]
proxyAddresses: SMTP:[email protected]
proxyAddresses: smtp:[email protected]
mail: [email protected]

Note that in this example the mail field does match the proxyAddresses entry that has SMTP capitalized.

Environment

  • Encryption Desktop 10.3 and above.
  • Encryption Management Server 3.3 and above using Active Directory for Directory Synchronization.

Resolution

  1. Check the Active Directory account of the user who is failing to enroll for secondary email addresses, then search Encryption Management Server for each of those addresses. If existing user accounts are found that hold one of the secondary addresses, check whether those accounts are still required and, if they are not, delete them from Encryption Management Server.
  2. In Active Directory, check the properties of the user who is failing to enroll and ensure that the primary email address (the SMTP: entry in proxyAddresses) and the address in the mail field are identical. Note that Encryption Management Server releases prior to 3.4 compare email addresses case-sensitively, so on those releases the address in these two fields must also use the same case. The validate_enroll script attached to article TECH228315 can be used to check the attributes of an Active Directory user.
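As an added illustration of the two Resolution checks (this is not the validate_enroll script from TECH228315, which is not reproduced here), the following Python parses an Active Directory record in the attribute: value layout shown above, picks out the primary SMTP: address and the secondary smtp: addresses that step 1 says to search for in Encryption Management Server, and compares the primary against mail with the case sensitivity the release requires. The records and example.com addresses are constructed, and the behaviour that 3.4 and later compare case-insensitively is an assumption drawn from the note in step 2.

```python
import re

# Constructed sample records (example.com addresses are made up), in the article's
# "attribute: value" layout.
RECORD_OK = """\
proxyAddresses: notes:Steven Lastname/Staff/ACME
proxyAddresses: smtp:slastname@example.com
proxyAddresses: SMTP:steven.lastname@example.com
proxyAddresses: smtp:steven@old-example.com
mail: steven.lastname@example.com
"""
# Same primary address in a different case: fails only on EMS releases before 3.4.
RECORD_CASE_ONLY = RECORD_OK.replace("SMTP:steven.lastname", "SMTP:Steven.Lastname")
# Primary SMTP address and mail are different addresses: fails on every release.
RECORD_MISMATCH = RECORD_OK.replace("mail: steven.lastname@", "mail: slastname@")

SMTP_PREFIX = re.compile(r"^smtp:", re.IGNORECASE)


def parse_record(text: str) -> dict:
    """Parse 'attribute: value' lines; values are lists so proxyAddresses keeps every entry."""
    record: dict = {}
    for line in text.splitlines():
        if ":" in line:
            attr, value = line.split(":", 1)
            record.setdefault(attr.strip(), []).append(value.strip())
    return record


def primary_smtp_address(record: dict) -> "str | None":
    """The primary address is the proxyAddresses entry prefixed with upper-case SMTP:."""
    primaries = [v[5:] for v in record.get("proxyAddresses", []) if v.startswith("SMTP:")]
    return primaries[0] if primaries else None


def secondary_smtp_addresses(record: dict) -> list:
    """Lower-case smtp: entries: the addresses Resolution step 1 says to search for in EMS."""
    return [SMTP_PREFIX.sub("", v) for v in record.get("proxyAddresses", [])
            if SMTP_PREFIX.match(v) and not v.startswith("SMTP:")]


def check_primary_matches_mail(record: dict, ems_version=(3, 4)) -> dict:
    """Resolution step 2. Releases before 3.4 compare case-sensitively (per the article);
    that 3.4 and later compare case-insensitively is an assumption of this example."""
    primary = primary_smtp_address(record)
    mail = (record.get("mail") or [None])[0]
    if primary is None or mail is None:
        return {"ok": False, "reason": "no SMTP: proxy address or no mail attribute"}
    if primary == mail:
        return {"ok": True, "reason": "match"}
    if primary.lower() == mail.lower():
        return {"ok": ems_version >= (3, 4), "reason": "case mismatch (fails on EMS < 3.4)"}
    return {"ok": False, "reason": "primary SMTP address differs from mail"}
```

Run check_primary_matches_mail on the parsed record with the ems_version of the server in question; a False result with a "case mismatch" reason is the pre-3.4 condition described in step 2, and the list from secondary_smtp_addresses is what to look up in Encryption Management Server for step 1.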