Unable to Enroll PGP Desktop Client when Directory Synchronization Enabled


Article ID: 157386


Symantec Products


Although most PGP Desktop users enroll successfully, one PGP Desktop user fails to enroll. After the user enters their Active Directory username and password, the PGP Enrollment Assistant repeatedly prompts for the credentials again.



This may be caused by the user entering invalid Active Directory credentials.



Check the user's Active Directory credentials by using the ldapsearch command on PGP Universal Server:

ldapsearch -h winad.domain.dom -b DC=domain,DC=dom -D CN=bindname,CN=Users,DC=domain,DC=dom -W -x -LLL "(sAMAccountName=username)"

In the example above:

  • winad.domain.dom is the name of the server running Active Directory as specified in Consumers / Directory Synchronization / LDAP Servers on Universal Server.
  • DC=domain,DC=dom is the Base Distinguished Name as specified in Consumers / Directory Synchronization / Base Distinguished Names on Universal Server.
  • CN=bindname,CN=Users,DC=domain,DC=dom is the Bind DN as specified in Consumers / Directory Synchronization / LDAP Credentials / Bind DN on Universal Server.
  • username is the Active Directory user name of the user who cannot authenticate.

You will be prompted for the password of the Bind DN user account as specified in Consumers / Directory Synchronization / LDAP Credentials / Passphrase on PGP Universal Server.

If a record is returned for the user, this confirms that PGP Universal Server can communicate with the Active Directory server and retrieve the details of the user who is trying to enroll.
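The lookup above, as an added helper that is not part of the Symantec article: it builds the same ldapsearch command with the username escaped per RFC 4515 (so a value containing * or parentheses cannot alter the filter), parses the -LLL LDIF output, and reports whether the user's record came back and whether userAccountControl (disabled) or lockoutTime (locked out) would explain a rejected logon. The LDIF sample is constructed; note that the search binds as the Bind DN, so a returned record confirms the lookup path but does not test the user's own password.

```python
import base64

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def build_ldapsearch(host, base_dn, bind_dn, username):
    """argv for the article's ldapsearch command, with the username escaped."""
    return ['ldapsearch', '-h', host, '-b', base_dn, '-D', bind_dn, '-W', '-x',
            '-LLL', '(sAMAccountName=%s)' % escape_filter_value(username)]

def parse_ldif(text):
    """Parse -LLL output into [{attribute: [values]}], unfolding folded lines and decoding '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + ['']:  # trailing '' flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(':')
        if value.startswith(':'):
            value = base64.b64decode(value[1:].strip()).decode('utf-8', 'replace')
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries
def diagnose(ldif_text, username):
    """Classify the search result for the user who cannot enroll."""
    wanted = username.lower()
    for entry in parse_ldif(ldif_text):
        if wanted in (v.lower() for v in entry.get('sAMAccountName', [])):
            uac = int(entry.get('userAccountControl', ['0'])[0])
            if uac & 0x0002:  # ACCOUNTDISABLE bit
                return 'found-but-disabled'
            if entry.get('lockoutTime', ['0'])[0] not in ('', '0'):  # nonzero while locked out
                return 'found-but-locked'
            return 'found'
    return 'not-found'
# Constructed sample of what -LLL returns for a disabled account (514 = 0x202)
SAMPLE_LDIF = """dn: CN=Jane Doe,CN=Users,DC=domain,DC=dom
sAMAccountName: jdoe
userAccountControl: 514
"""
```

Run `diagnose(SAMPLE_LDIF, 'jdoe')` against real output by pasting the ldapsearch result in place of the sample.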

Applies To

PGP Universal Server managed environment with Directory Synchronization configured with Active Directory.